FHA Directed Exchange
Workgroup Update
August 13, 2013
Problem Statement
Problem:
• Federal agencies (CMS, DoD, VA, IHS, SSA) have an interest or
requirement to utilize Direct for the exchange of PHI, but operate under
stringent privacy and security policies that must be met by any parties
with which they exchange information
Approach:
• Educate the federal partners on Direct technology, policies and
guidelines
• Develop a common understanding of the agency use cases and security
requirements
• Identify/Develop and maintain a set of baseline authoritative documents
& FAQs
• Publish common federal agency policy and supporting implementation
guidance
Benefit of a Common Policy:
• Will greatly increase adoption of Direct in the exchange of health
information between federal agencies and non-federal entities/individuals
• Provides common federal Direct policy for use by non-federal entities
Focused Workgroups
• Directed Exchange Workgroup
(Glen Crandall, IPO VLER Health)
– The overarching goal of the FHA Directed Exchange
Workgroup is to support implementation of directed
exchange by federal partners
• Directed Exchange Security SubWG
(Mike Davis, VHA)
– Define standards and gaps among agency security
policies pertaining to Directed Exchange that may
inhibit full participation in Direct by Federal Agencies by:
– Defining gaps between federal policy and current
direct policy
– Conducting a Risk assessment to document gaps
– Defining common policy and mitigation strategies
– Providing recommendations to ONC as needed
Focused Workgroups Cont.
• Directed Exchange
Interoperability SubWG
(Bob Dieterle, CMS esMD)
– Review of technology and
implementation issues
– Provide recommendations on technical
solutions, consistent with Applicability
Statement, to implement policy
requirements
– Example of topics presented by expert
authorities in these areas: Automated
Blue Button, Mod Spec Provider
Directory efforts, DirectTrust.org, Trust
Bundles, Delivery Notification,
Reference Implementation Changes,
Author of Record and Federal PKI
Authoritative Documents
• There are four Directed Exchange core
documents designated as authoritative
– Applicability Statement for Secure Health
Transport Version 1.1, 10 July 2012
– Implementation Guide for Delivery Notification
– Implementation Guide for Direct Project Trust
Bundle Distribution, Version 1.0, 14 March 2013
– Direct: Implementation Guidelines to Assure
Security and Interoperability (ONC)
• In addition, Federal agencies deploying Direct
will also need to include relevant Federal law,
regulations, NIST FIPS/Special Publications,
FISMA, OMB directives, FPKI policy,
Presidential Directives (i.e. HSPD-12) etc.
Methodology Characteristics
• Our Process:
– Determine Use Cases
– Identify Risks/Concerns using outreach sessions with Agency
Stakeholders.
– Categorize/Group similar risks and validate risks are in scope for
the assessment.
– Determine potential outcomes of risk
– Determine Impact of each risk based on Risk Evaluation Criteria
– Develop a Level of Assurance Document
– Developed an Issues paper for Federal Bridge PKI discussion
– Prioritize risks and make recommendations
– Document results and provide risk assessment report to WG
Identified Risks
90 Risks/Concerns identified in the following categories:
Multi-Tiered Direct System Certificate Authorities
Patient Use of Federal Direct Policy Guidance
Self-signed Certificates (not Trust Anchor certs)
Portfolio Risk
Endpoint (Sender/Receiver) Authentication
Overall trust of Domain and HISP
STA/HISP Operating Policies and Trust Identity Management
Legal Safeguards/BAAs and MOU
Key Management
Define Federal Trust Environment
[Diagram. Labels: Sender; Receiver; Sender’s HISP; Receiver’s HISP; Pre-Cursor Federal Policy Conditions to Establish Mutual Trust; Bind Sender’s Direct Address to Trust Policy; Bind Receiver’s Direct Address to Trust Policy; Directed Exchange Specifications (Sender to Sender’s HISP, Sender’s HISP to Receiver’s HISP, Receiver’s HISP to Receiver); Sender/Receiver Specific Conditions; Routing Information Directory; Locate Receiver’s HISP Address; Verify Sender; Verify Receiver; Push the Message; Get the Message]
Centers for Medicare & Medicaid Services
Electronic Submission of Medical Documentation (esMD)
• Medicare receives 4.8 M claims per day.
• CMS’ Office of Financial Management estimates that each year
– the Medicare FFS program issues more than $28.8 B in improper
payments (error rate 2011: 8.6%).
– the Medicaid FFS program issues more than $21.9 B in improper
payments (3-year rolling error rate: 8.1%).
www.paymentaccuracy.gov
• Claim review contractors issue over 1.5 million requests for medical
documentation each year.
• Current prior authorization pilot requires exchange of over 1.2 million
requests/responses per year
• Registration for esMD services is required to receive documentation
requests – utilizes Provider Directories to establish and maintain ESI
Electronic Submission of Medical Documentation (esMD)
Supporting Multiple Transport Standards and Provider Directory
[Diagram. Labels: ECM; ZPICs; PERM; MACs; RACs; CERT; Content Transport Services; Baltimore Data Center; Medicare Private Network; Internal PD; EHR / HISP (Direct Enabled); Direct; EDI Translator; HIH (CONNECT Compatible); Practice Management Systems and Claims Clearinghouse (EDI – X12 Compatible); Federated External PD]
Department of Defense
DoD VLER Health Direct Project
This document contains Booz Allen Hamilton Inc. proprietary and
confidential information and is intended solely for internal use.
DoD VLER Health Direct Stage 1 Pilot – Hill AFB,
Utah
[Diagram: mammography referral workflow between the Hill Air Force Base Referral Management Center (75th Medical Group), Ogden, UT, and McKay-Dee Hospital, Ogden, UT. Steps: 1. Schedule Appointment; 2. Patient Record is Flagged; 3. Patient is seen and result sent via Direct (Radiology Clinic); 4. Result is viewed w/ VLER Direct; 5. Result is manually uploaded to AHLTA. Other labels: Patient Scheduler; Mammography Results]
Go Live occurred July 18, 2013
– Hill AFB RMC Staff successfully processed four (4) Direct messages (17 as of 8/8/13)
– These exchanges were the first live use of Direct at DoD
The pilot showed that Direct Messaging can be successful at DoD
– Uses national standards for secure Health Information Exchange (HIE)
– Aligns to Meaningful Use objectives and the national agenda for HIE
– DPII can be used to replace the functionality of the fax machine and in so doing also
eliminates the inherent security-related problems associated with faxing CLR to MTFs
– Conforms to DoD security and privacy policies while not impacting workflow
[Diagram key: Direct Message; Existing Workflow]
Indian Health Service
IHS and DIRECT- Current Status
• IHS Pursuing DIRECT to Meet Meaningful Use Stage II Secure Messaging
Requirements
– Integrate with PHR to provide secure messaging transport means for patient-provider
messaging
– Provide mechanism for Transition of Care delivery for external referrals
• Implemented DIRECT Prototype Environment
– Successfully installed, configured DIRECT reference implementation v 3.0.1 for secure
message exchange as proof of concept
– Tested the implementation for content validation with NIST and CERNER
– Implemented webmail client to provide a user interface for patients and providers. This
provides the ability to compose messages, view the message inbox, and manage messages
– Partial integration of webmail client with PHR: user can view and compose messages from
within PHR
– Successfully analyzed and implemented a separate message store server, which provides the ability to
manage accounts, configure email functions, capture performance metrics, and perform auditing
IHS and DIRECT- Continuing Work
• Remaining Tasks to be Completed
– Implementing and testing certificate discovery
– Analysis and design related to implementation of Direct Trust
– Complete integration of webmail client with PHR- single sign on etc.
– Implementing receipt of messages to Patient
– Analysis and design of implementing domains and email address for different tribal
communities
• Issues/Concerns
– Federal Standards
– Establishing policy and guidelines for use cases
– Related Risks/policy concerns
Social Security Administration
Authorized Release of Information to a Trusted Entity
• Annual SSA Disability Statistics
– ~3.5 million initial disability applications per year
– ~1 million additional medical disability decisions
– ~15 million requests for medical evidence each year (3-4 per case)
– 500,000+ sources: doctors, hospitals
– $500 million in payment for evidence
– Over 11.7 million adults and children are receiving benefits based on their disabilities
– Over $11 billion paid each month to these individuals
[Diagram. Parties: Claimant; SSA/DDS; Providers. Flows: File Disability Claim; Request Evidence; Medical Evidence; Claim Determination]
• What is collected during case intake?
– Demographics
– Allegation
– List of Treating Sources
– Medications
– List of Labs/Procedure
– Vocational Background
– Educational Background
– Work Experience
– Patient Authorization
• How can you apply for disability?
– Field Office
– 800 Service
– Web Site
• How does SSA interact with healthcare organizations & providers today?
– Mail
– Fax
– ERE Web Site
– ERE Web Services
– Secure File Transfer
– eHealth Exchange
Department of Veterans Affairs
Overview of Department of Veterans
Affairs (VA) Direct Activities
Melissa Sands
Analyst, VA Direct
Virtual Lifetime Electronic Record (VLER) Health
Department of Defense (DoD)/VA Interagency Program Office (IPO)
VA Direct Use Cases
Initial High-level VA Use Cases:
• Provider-to-Provider Messaging (Feb. 2014)
– Referral authorization and results reporting (e.g., mammograms)
• Patient-Mediated Messaging (Feb. 2014)
– Veteran sends their Continuity of Care Document (CCD) through Blue Button in My HealtheVet
Future Work:
– Consolidated-Clinical Document Architecture (C-CDA) – Meet 2014 Certification
(Sep. 2014)
– Considering sharing other provider-to-provider personal health information (e.g.,
rural health, mental health, home health, etc.) – starting in June 2014
VA Direct Implementation
• VA partnering with DoD to use its Direct software. The initial production
installation of the Direct web portal and transport services is scheduled for
Feb. 2014.
• Initial pilot – Mammography Referrals/Reports
– Between Salt Lake City VA Medical Center and Utah Health Information Network
(UHIN)/Intermountain Health who provide mammograms to both VA and DoD. DoD
has also started a mammography pilot with UHIN/Intermountain Health in July
2013.
• Expanded pilots in 2014 after initial pilot implementing multiple use cases.

Direct Boot Camp 2 0 Federal Agency requirements for exchange via direct


Editor's Notes

  • #15
    The IPO team implemented slight modifications during the pilot
    – Adjusted application settings and account configurations for user preferences
    – Improved result file inline view to meet RMC workflow requirements
    The IPO team collected valuable feedback regarding referral workflow
    – Manual process for uploading referral results to AHLTA was documented
    – Group notifications were not working as expected in practice (this has been corrected)
    – Feedback will be used for proposed future enhancements as needed
    The IPO team credits success to all pilot stakeholders
    – Air Force Deployment Operations and Hill AFB Staff
    – Utah Health Information Network and Secure Exchange Solutions (SES)
    – Intermountain Healthcare (McKay-Dee Hospital)