How Trust Communities Enable Direct Networks

Posted on June 13, 2014 | Written By

Julie Maas is Founder and CEO of EMR Direct, a HISP (Health Information Service Provider) whose mission is to simplify interoperability in healthcare through the use of Direct messaging EHR integration and other applications. EMR Direct works with a large developer community to enable Direct for MU2 and other workflows using a custom, rapid-integration API that's part of the phiMail Direct Messaging platform. Julie is passionate about improving quality of care and software user experience, and manages ongoing interoperability testing within DirectTrust. Find Julie on Twitter @JulieWMaas.

Have you noticed the DTAAP-Accredited logos on your Direct provider’s web site? These indicate the vendor has successfully completed the related audits stipulating a high bar of security and privacy practices established by DirectTrust. DirectTrust was spawned from a Direct Project workgroup, and is a non-profit trade organization which establishes best practices and oversees accreditation programs for the businesses providing Direct-related services, in association with EHNAC. In addition to HISPs, the DTAAP program also accredits Certification Authorities (CAs) and Registration Authorities (RAs). The HISP, CA and RA roles can be performed by the same organization. Most Direct Messaging CAs operate only in the Direct space, but a few also issue certificates in the general public internet space.

Direct Certificates are issued by CAs who follow a regular procedure to put their stamp of approval on a digital identity and its corresponding cryptographic key used for securing Direct messages.  This process is complemented by that of a Registration Authority, who performs the actual vetting of individuals and often the archival of related documentation as well.  Level of Assurance (LoA) is another term used a lot in the Direct space. Depending on the degree to which an individual’s identity has been vetted, and how certificates are managed and accessed by users, a Direct Exchange transaction can be assigned a Level of Assurance. When exchanging health information between providers, for example, you want a high Level of Assurance that the party you’re exchanging with is, in fact, the same party whose name is listed on the corresponding digital certificate.

HISPs who are either accredited or are at least part-way down that path may seek inclusion of the corresponding CA’s trust anchor in DirectTrust’s anchor bundle, a collection of trust anchors for Direct communication published and regularly updated by DirectTrust.  Since Direct messaging is based on bidirectional trust, the Participating HISPs can rely on the Transitional Trust Bundle to provide their customers with a uniform and up-to-date network of interconnected senders and receivers. The DirectTrust bundle consists of trust anchors representing a large portion of the EHR community.

These HISPs make up the DirectTrust Network, a so-called “trust community”. There are other trust communities such as those managed by the Automate the BlueButton Initiative (ABBI), with corresponding Provider- and Patient-centered bundles. Trust communities and their corresponding trust bundles serve an important purpose, because Direct messages are only exchanged successfully between trusted Direct Exchange partners. Remember that if one party does not trust the other, the messages are dropped silently. Automating the loading and maintenance of trust anchors for a community using a trust bundle sure beats manual loading and unloading of each of these anchors by each of the members, or other old-style one-off interfaces between systems.
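To make the bidirectional-trust point concrete, here is a small model added for illustration (it is not DirectTrust or EMR Direct code). The Hisp class, the anchor byte strings and the "delivered"/"dropped" labels are assumptions made for this sketch; real anchors are X.509 CA certificates and real HISPs validate full certificate chains.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(anchor: bytes) -> str:
    """SHA-256 fingerprint used here to identify a trust anchor."""
    return hashlib.sha256(anchor).hexdigest()

@dataclass
class Hisp:  # hypothetical model of one HISP's trust store
    name: str
    own_anchor: bytes                                  # anchor of the CA behind this HISP's certificates
    bundle_anchors: set = field(default_factory=set)   # maintained by bundle sync
    manual_anchors: set = field(default_factory=set)   # one-off, hand-loaded anchors

    def trusts(self, anchor: bytes) -> bool:
        fp = fingerprint(anchor)
        return fp in self.bundle_anchors or fp in self.manual_anchors

    def sync_bundle(self, bundle):
        """Replace bundle-managed anchors with the published set.
        Returns (added, removed) so every refresh can be logged and reviewed."""
        new = {fingerprint(a) for a in bundle}
        added, removed = new - self.bundle_anchors, self.bundle_anchors - new
        self.bundle_anchors = new
        return added, removed

def exchange(sender: Hisp, receiver: Hisp) -> str:
    """Trust must hold in both directions; otherwise the message is dropped."""
    if sender.trusts(receiver.own_anchor) and receiver.trusts(sender.own_anchor):
        return "delivered"
    return "dropped"  # silently: the sending user gets no explanation

def demo():
    # Constructed placeholder bytes standing in for DER-encoded CA certificates.
    ca_a, ca_b, ca_c = b"anchor-CA-A", b"anchor-CA-B", b"anchor-CA-C"
    a, b = Hisp("hisp-a", ca_a), Hisp("hisp-b", ca_b)
    results = []
    a.manual_anchors.add(fingerprint(ca_b))   # one-off load on one side only
    results.append(exchange(a, b))            # B does not trust A yet
    for hisp in (a, b):                       # both members load the community bundle
        hisp.sync_bundle([ca_a, ca_b, ca_c])
    results.append(exchange(a, b))
    results.append(exchange(b, a))
    b.sync_bundle([ca_b, ca_c])               # B refreshes from a bundle without CA-A
    results.append(exchange(a, b))            # trust is one-way again
    return results

if __name__ == "__main__":
    print(demo())
```

The last step shows why the removed set returned by a refresh is worth reviewing: an anchor that leaves the bundle ends exchange with that community member without any error reaching the users.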

So, to get the most out of Direct, climb out of your silo and go join a trust community today!