Gropper's response: "Even if you do want to centralize things at the server, 10,000 physicians on a server would have 10,000 rows with only a few entries in each row. Even more, any reasonable institution would typically allow any physician to whitelist every physician in the other institution. This is how faxes and postal mail work."
Both Rishel and ONC Chief Scientist Doug Fridsma contend that Direct was never intended to treat individual physicians, or patients for that matter, as equals in the chain of trust, and always meant to rely upon HISPs as the keepers of whitelists and blacklists and all the other things that service providers do to create the chain of trust.
"Direct is an important way of exchanging information securely, but we should never let our technology and other things like that get in the way of patients having access to information that is rightfully theirs," Fridsma says. At the same time, ONC judged that providing individual certificates for providers and patients was "too onerous" and "very challenging to scale," he adds.
Fridsma and ONC seem open to tweaking health information exchanges to deal with the concerns of Gropper and others. Meanwhile, however, vendors have baked their own solutions into Meaningful Use Stage 2-compliant software, and states continue to build out their HIEs.
I have a feeling that very soon, we will see just how warranted the concerns of the Massachusetts Medical Society turn out to be.