
What Does Direct Messaging Look Like for MU2?

Posted on June 11, 2014 | Written By

Julie Maas is Founder and CEO of EMR Direct, a HISP (Health Information Service Provider) whose mission is to simplify interoperability in healthcare through the use of Direct messaging EHR integration and other applications. EMR Direct works with a large developer community to enable Direct for MU2 and other workflows using a custom, rapid-integration API that's part of the phiMail Direct Messaging platform. Julie is passionate about improving quality of care and software user experience, and manages ongoing interoperability testing within DirectTrust. Find Julie on Twitter @JulieWMaas.

I’m often asked what EHR integrations of Direct are supposed to look like. In the simplest sense, I liken it to a Share button and suggest that such a button—typically labeled “Transmit”—be placed in context near the CCDA that’s the target of the transmit action, or in a workflow-friendly spot on a patient record screen.

Figure: Send a CCD using Direct messaging (screenshot of the Transmit action in OpenEMR).

The receive side is similarly intuitive: the practice classifies how their incoming records are managed today and we map that process to one or more Direct addresses. If we get stuck, I ask, “What is the workflow for faxes today: how many fax numbers are there, and how are they allocated?” This usually helps clear things up: as a starting point, a Direct address can be assigned to replace each fax endpoint.

The address structure raises an important question, because it is tightly tied to the Direct messaging user interface. Should there be a Direct address for every EHR user? Provider? Department? Organization? A separate address for the patient portal? A patient portal that spans multiple provider organizations? One for every patient?

The rules around counting Direct messages for Transitions of Care (ToC) attestation do not require each provider to have their own Direct address, as long as the EHR can count transactions correctly for attestation. As far as meaningful use is concerned, any reasonable address assignment method should be acceptable in ToC use cases (check the rules themselves for full details). Here are some examples. is clearly an address that could be shared by multiple users, though it could be used by just one person, and might be used for both transitions of care and patient portal transmit. could also be dual-purpose. Jane might be the only authorized user of this address, or this address may be managed by a group of people at her practice that does not necessarily even include Jane. Alternatively, this address could be used for Jane’s ToC transactions, while a address could be used for patient portal transmit.

So, any of the options proposed above are possible conventions for assigning Direct addresses. Also, a patient does not need their own Direct address to transmit from as part of the View, Download, Transmit measure (170.314(e)(1)), but might have their own address to transmit to. Note that adding a little extra data can elevate a View, Download, Transmit implementation to BlueButton+ status.

It makes sense for patients and providers to have their own Direct addresses if they are using Direct for Secure Messaging (170.314(e)(3)), for which Direct is an optional solution. Or, if patients have their own Personal Health Record (PHR) and Direct address, Direct is a great way to deliver data to the PHR. Incidentally, there are free services such as Microsoft HealthVault and many others that issue patient Direct addresses.

Direct addresses are nearly indistinguishable from regular email addresses, but a word of caution: Direct is incompatible with regular email, and has additional requirements beyond traditional S/MIME. Although it’s not a requirement, you’ll often find the word “direct” somewhere in the domain part of a Direct address, to help distinguish a regular email address from a Direct address.

Now that you know what Direct is, and what Direct Messaging and Direct addresses look like, I’m sure you’ll start noticing Direct popping up in more and more places. So, be a not-so-early adopter and go get yourself a Direct address!

Texas Law Amps Up HIPAA Penalties

Posted on September 10, 2012 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

Providers in every state must meet HIPAA standards, but alas, that may not be all in some states, which are permitted to institute stiffer requirements than the feds. Such is the case in Texas, where a new state privacy law has gone into effect that asks a lot more of physicians and some other providers.

Texas has toughened up requirements in several areas, including the following:

* Covered entities: HIPAA offers a fairly specific definition of covered entities, but the Texas law takes things much further, extending the rule to cover a wide range of people who handle PHI. This may include business associates, healthcare payers, government units, schools, facilities, providers, researchers and physicians, reports John Wisniewski, CEO of the Bexar County Medical Society.

* EMR data requests: Requests for electronic medical records by Texans must be fulfilled within 15 days of a written query. This new rule, which brings EMR requests up to the existing level for paper records, is tougher than HIPAA’s 30-day requirement.

* Stricter training: The new law imposes tougher training requirements regarding privacy issues — including customized training regarding maintenance and protection of electronic PHI — and penalties for violations are ramped up under the new law. Covered entities must set deadlines for the completion of such training, and maintain records of completing such training, which is required every two years.

* Any PHI breach must be reported: Any entity that experiences a breach of PHI must report it to the affected individuals, including any business handling such information, not just covered entities as defined by the new statute.

I understand that providers must find it frustrating to have additional requirements slapped on them. However, none of these strike me as insane, though the broadening of covered entities to include such a large group could lead to trouble, perhaps. What do you think?