And yet, the way Direct addresses are being allocated is very similar to the way doctors acquire the means to send e-prescriptions, counters Wes Rishel, an analyst at Gartner and longtime participant on ONC's HIT Standards Committee.
Gropper is also convinced that doctors should be able to self-certify their own security credentials in a way that deployment of Direct currently does not allow. "Direct is based on e-mail," Gropper tells me. "You don't need HISPs at all. You can run Direct using Mozilla Thunderbird on a $35 Raspberry Pi to do the encryption and decryption and white lists. The mail servers can be blind intermediaries with no filtering or encryption function if you want."
Yet, Rishel and I share concerns that such a scheme opens a massive hole for fraud. "If Sam's Endoscopy Club wants to self-certify, would you as the physician be happy to send your patient's data there?" Rishel asks. Conversely, he asks, "Would you as a physician only want to communicate with those physicians you know personally?"
Rishel and others say HISPs are necessary to scale secure messaging far enough to enable widespread trust, even among providers who have never met and otherwise know nothing about each other.
Under Gropper's model, "The HISP would be instructed to keep track for each physician of who else the physician trusted," Rishel says. "For Massachusetts alone that would require keeping track of 319,600,000,000 trust relationships. While the database of [that many rows of information] for Massachusetts is feasible (although not cheap) with today's process, the administrative task of setting it up is imponderable."