The basic aims of Direct are simple enough: to replace the fax machine with a HIPAA-compliant secure messaging protocol that expedites transfer of all or part of a patient's medical record with other providers. The challenge is to determine who holds the keys to encrypting and decrypting those secure messages.
By some measures, Direct is already a success. But to use the protocol, ONC has defined a chain of trust centered around designating health information service providers (HISPs) as holders of the right to issue Direct e-mail addresses and hold those encryption and decryption keys. It's this necessary chain of trust that has some critics concerned that Direct is a new way for large organizations and vendors to exert control over individual physicians and patients.
That's the concern of Adrian Gropper, MD, a Massachusetts physician (and chief technology officer of the nonprofit organization Patient Privacy Rights) who argues that Direct is merely "paving the cow path of our current system" as he put it in a comment to a story I wrote in April about ONC's grant of $280,000 to DirectTrust.org, and other $200,000 to the New York eHealth Collaborative, to act as HIE Governance Entities to support their HIE efforts and promulgate use of Direct nationwide.
Gropper says Massachusetts already is the most consolidated healthcare state in the nation, with 80 percent of care aggregated into three hospital systems and three insurers, when they should be giving more power to independent physicians to refer around high-cost providers.
Both Marcus and Gropper are concerned that the HIEs being deployed by states and by vendors won't give physicians discretion to send messages under the authority granted to them by their medical licenses, but instead rely solely upon the aegis of the HIE or vendor itself.