centers for disease control and prevention office of the associate director for communication...
Post on 20-Dec-2015
218 views
TRANSCRIPT
Centers for Disease Control and Prevention
Office of the Associate Director for Communication
Electronic Health Records/Meaningful Useand
Public Health Message Transport
The “PHINMS vs Direct problem”
Robb ChapmanPresentation to PHIN Partner Call
April 20, 2011
Background - Summary Public health needs to change how it
transmits and receives electronic messages EHR/Meaningful Use changes the picture Office of National Coordinator (ONC) is
emphasizing “Direct” Direct targeted primarily at clinicians, poses
some challenges for adoption across public health
Agenda Tell you what we know Find out what you know Propose some next actions
Electronic Health Records/Meaningful Use (EHR/MU)
Primary incentive: individual health records drives integration of clinical systems drives technical standards for data
interchange 3 public health use cases in Stage 1
Electronic Health Records/Meaningful Use (EHR/MU)
Assumption: EHR/MU data will be important to future public health surveillance, situational awareness
Monetary incentives to clinical organizations for using accredited systems Must demonstrate at least 1 of 3 public health use cases If public health agency not ready, clinical org gets “free
pass” to claim success
Public health has a window of opportunity to leverage EHR/MU
EHR/MU and Message Transport
Message Transport = the technology and method used to transmit a message between partners
EHR/MU regulation contains no requirement as to message transport
“Trading partners” must use same message transport
Much of public health is invested in PHIN Messaging Service (PHIN MS)
Office of National Coordinator (ONC) is pushing Direct
What is required to deliver a message securely and reliably from point A to
point B
Trust in the identity of the trading partners Authentication of sender and recipient Assurance that sending message to
recipient is appropriate Correct address of recipient system is
known Message encryption Assurance that
Only the sender can have sent/encrypted message Only the receiver can receive/decrypt message
Delivery of message from A to B Assurance of delivery
Acknowledgement Retry
What is required to deliver a message securely and reliably from point A to
point B
Trust in the identity of the trading partners Authentication of sender and recipient Assurance that sending message to
recipient is appropriate Correct address of recipient system is
known Message encryption Assurance that
Only the sender can have sent/encrypted message Only the receiver can receive/decrypt message
Delivery of message from A to B Assurance of delivery
Acknowledgement Retry
Certificate Authority (“Trust Anchor”)• trusted entity• vouches for identity of organizations• provides digital certificate, encryption
keys Directory• registry of trading partners• address of their systems• location of their public keys
Software• look up partners’ addresses &
keys• encrypt and send• receive and decrypt • ack, retry
Policy and process
Agreed-upon transport protocol
Can we use PHIN MS for EHR/MU?
Yes – where we already have PHIN MS interchanges with labs, hospitals…
But generally, No PHIN MS requires software installation at every
sender and receiver site CDC cannot scale PHIN MS tech support to
10,000s of hospitals, physicians offices Small clinical organizations need something
lightweight
Direct
Office of National Coordinator (ONC) initiative for EHR/MU Phase 1
Lightweight Supports small physician practices Supports interaction of physicians and patients
SMTP with S/MIME i.e. “secure email”
ONC and CDC have established a target of 30 state health departments receiving clinical data for EHR/MU Stage 1 use cases via Direct by October
Direct
Secure email is a built-in capability of most email systems but: Is not usually enabled Is non-trivial to configure, operate, manage
Direct points to use of existing standards and recommendations for securing interchanges
Direct is a set of specifications - not a solution
ONC’s model: Communities of interest will form and work things out The market will deliver solutions
Is PHIN MS compatible with Direct?
No Different transport protocols Apples and oranges:
PHIN MS = comprehensive transport solution Direct = technical specifications, policy and
practice recommendationsIf secure email is non-trivial, how are 1000’s of physician’s offices going to
implement it?
EHR systems with secure email capabilityHISPs
Health Information Service Providers (HISPs)
HISP = a function role HISP = An entity that handles technical
parts of secure message transport
HISPs are standing up to provide Direct services
Trust in the identity of the trading partnersAuthentication of sender and recipientAssurance that sending message to recipient iCorrect address of recipient system is knownMessage encryptionAssurance that
Only the sender can have sent/encrypteOnly the receiver can receive/decrypt mDelivery of message from A to BAssurance of deliveryAcknowledgementRetry
Allows subscriber to obtain and publish a Direct address
Provides credentials Provides secure messaging
capabilities May hide transport complexity –
e.g. by providing friendly web interface
Subscriber still responsible for policy and process
Is Direct the final solution for transport of health messages?
Probably not…
Direct’s primary target = small physician practices Direct not well suited to query and response
Likely to occur in Stage 2 and 3 use cases CDC Immunization Program expert panel
State IIS systems, vendors, physicians Reviewed immunization use cases Selected SOAP web services instead of Direct
Evidence that commercial software vendors generally prefer web services
ONC acknowledges that a mix of transports is likely in the future
So what should we do?
Public Health must endeavor to employ Direct near term Most software and service providers for clinical health will
be implementing Direct CDC/ONC target for October
Establish the long term message transport strategy that best meets our needs Support both EHR/MU and “internal” public health needs Approach: Standards and Interoperability (S&I) framework
• Endorsed by ONC• Articulate business level needs analysis tech
requirements solutions
How can public health employ Direct?
We need to know from you: Have you had requests from clinical organizations to
receive data using Direct? Are you working toward employing Direct?
Working with a HISP or HIE that will provide Direct capability? Standing up your own Direct capability?
Are there resources? In some states, HIE planning to function as HISP ARRA funded 10 states to connect public health labs ARRA funded 20 states to connect IIS Match program that state Medicaid office can use ELC Cooperative Agreement for states to build capacity
Does CDC need to help?How?
Some ideas:
Provide a comprehensive “PHIN MS-like” solution that utilizes Direct
Can’t do this
Act as a HISP, provide Direct capability
Can’t do this
Establish a competitively-priced contract vehicle for HISP services
May be able to do this
Does CDC need to help?How?
Some assertions:Regardless of the message transport: We need one CA solution for public health
One trustworthy entity for clinical world to interact with Vouch for identity and credentials of public health organizations Endorsed/certified by HHS
Every public health agency needs a directory Registry of trading partners Reference to their public keys An evolution of PHINDIR
CDC can spearhead these
To do:
Help CDC determine level of need across states/locals Determine how many clinical organizations are planning to
send you data this year Determine your capability to support Direct this year Determine whether a contract vehicle for HISP services
would be useful Participate in collaboration on long term
message transport strategy Tell us what you think or know: