Direct Project reaches consensus on trust framework
On Friday September 22, 2011, members of the Direct Project Rules of the Road workgroup reached consensus on a key component of the trust framework necessary to make Direct exchange expand nationally and be available to more users.
The Certificate Policy, which governs the use of X.509 digital certificates within the ecosystem of potential Direct providers and users who are covered entities, business associates, and others abiding by HIPAA security and privacy rules, is now available for industry guidance of Direct exchange implementations.
The Direct Project is an ONC initiative formed in partnership with a diverse group of private sector stakeholders that included leading health IT companies, several Health Information Exchanges, the American Academy of Family Physicians, and many others. Over a year’s time, the Direct Project produced a set of protocols and specifications that creates a simple, scalable, standards-based way for participants to send authenticated, encrypted health information directly to known recipients over the Internet. Because Direct exchange uses technology that is open and well-tested, for example S/MIME over SMTP, it does not require implementers and users to deploy expensive new or proprietary software or hardware. And because Direct focuses entirely on the transport and security aspects of clinical messaging between participants, each of whom has his or her own unique Direct address, Direct is compatible with many different operating systems and applications such as EHRs and PHRs. Direct exchange is “universal” in the sense of being vendor- and application-neutral.
Direct exchange is intended to replace fax, courier, and mail transmission of clinical messages for referral and other purposes between providers, to permit secure e-mail-like communications between providers and their patients, and to support other simple exchange scenarios envisioned as part of Meaningful Use.
A key feature of Direct exchange is the role played by a “health information service provider,” or HISP. Each HISP is responsible for providing its subscribers with services that are essential to the routing and security of a sender’s and receiver’s message, such as locating the identity of the receiver’s HISP, if this is different from the sender’s, and encrypting the messages of its subscribers.
Since a goal of Direct is to achieve universal information exchange and interoperability between provider organizations and individuals within those organizations, trust between the HISPs serving those organizations and individuals is essential. As real-world pilot implementations of Direct exchange have taken hold, a desire was expressed for additional clarity and agreement in areas that go beyond the general specifications mentioned above, in order to ensure that HISPs will be able to assess the trustworthiness of other HISPs and their subscribers’ organizations. This was the impetus behind the formation of the Direct Rules of the Road workgroup, which formed in late April 2011, and the work done to date includes the Certificate Policy version 1.0 released today.
In the domain of electronic communications, digital certificates act as surrogates for the individuals and organizations that deploy them. Therefore, identity verification, and the level of assurance of that identity verification, are important aspects of the issuance of digital certificates used for authenticating or encrypting messages within Direct. The Certificate Policy crafted by the Direct Rules of the Road workgroup follows the structure of the Internet Engineering Task Force (IETF) Internet X.509 Public Key Infrastructure (PKI) Certificate Policy and Certification Practices Framework (RFC 3647). It uses the language and the method of identity validation of the Certificate Policy of the Federal Bridge Certification Authority, which map to NIST Level 2 identity assurance as defined in NIST Special Publication 800-63.
One important distinction between the Direct Ecosystem Community Certificate Policy and the Certificate Policy of the Federal Bridge is that the latter is used to guide digital certificate issuance and use for individuals who seek personal identifying credentials in order to interact in cyberspace with multiple federal agencies. In contrast, the primary situation within the Direct Project calls for digital certificates to be issued to organizations, e.g. medical practices, hospitals, nursing homes, PHR vendors, etc.
David Kibbe, MD MBA, is a senior advisor to the American Academy of Family Physicians, chair of the ASTM International E31 Technical Committee on Healthcare Informatics, and principal, The Kibbe Group LLC.