
Direct Protocol May Favor Large Providers and Vendors

By smace@healthleadersmedia.com | December 10, 2013

A medical group's call for allowing licensed physicians, without vendor interference, to designate any recipients or senders of messages using the Direct protocol puts a spotlight on nagging EHR interoperability issues.

If 2013 has taught us anything, it's that every area of healthcare IT becomes enmeshed in politics sooner or later.

This week, speculation is bubbling that the low-cost interoperability promised by the Direct protocol is the latest vehicle for the continuation of expensive, business-as-usual interfaces between different healthcare IT vendors' systems.

Evidence of this rising concern surfaced on December 7, when the Massachusetts Medical Society House of Delegates' Committee on Information Technology passed a resolution calling for "a more open, affordable process to meet technology mandates imposed by regulations and mandates."

The resolution goes on to urge "that all Direct secure e-mail systems, mandated by Meaningful Use Stage 2, including health information exchanges and electronic health record systems, allow a licensed physician to designate any specified Direct recipient or sender without interference from any institution, electronic health record vendor, or intermediary transport agent."

To try to find out what about Direct is rubbing physicians the wrong way in the Bay State, I spoke with Eugenia Marcus, MD, a pediatrician in private practice in Wellesley, MA, and chair of the committee that adopted the resolution.

Although the Massachusetts state HIE has promised licensed doctors Direct access to the HIE for $5 per doctor per month, Marcus and her colleagues are troubled by chatter that vendors will continue to be able to charge for interfaces to immunization, disease and allergy registries on top of Direct. If true, that would thwart some early promises by Direct's advocates that the secure messaging protocol would put an end to usurious vendor interoperability fees.

So far, Marcus and her colleagues in private practice have not been issued Direct secure e-mail addresses by the state HIE, so they don't really know what to expect yet. They also worry that the ground rules for granting access to those addresses by those who assist physicians, such as nurse practitioners and other designated staff, could make the doctors possessing the Direct addresses a potential bottleneck of information flowing to and from the HIE. Those rules have yet to be communicated.

While large institutions in Massachusetts and elsewhere have already ironed out the logistics of transferring large amounts of information via Direct, a lot of the rules governing how things are going to make it out to small practices haven't been determined yet, and rumors are swirling, Marcus says.

"One of the things I have found out [is] that even though the federal government has provided funding to write the interfaces, most vendors have not taken advantage of that," Marcus says. "They're writing interfaces, but in their own shop[s], without taking advantage of the funding that is available to help support that."

Small practices—those defined by CMS as containing from one to nine physicians—are particularly challenged to implement a technology such as Direct because they lack the stable of information technology resources available at larger practices and hospitals. Since Direct is one of the requirements of the not-to-be-delayed-after-all Meaningful Use Stage 2, physicians such as Marcus who lack sufficient Medicaid patients, and thus cannot qualify for Meaningful Use payments, view Direct as yet another unfunded mandate from the federal government.

The basic aims of Direct are simple enough: to replace the fax machine with a HIPAA-compliant secure messaging protocol that expedites transfer of all or part of a patient's medical record with other providers. The challenge is to determine who holds the keys to encrypting and decrypting those secure messages.

By some measures, Direct is already a success. But to use the protocol, ONC has defined a chain of trust centered around designating health information service providers (HISPs) as holders of the right to issue Direct e-mail addresses and hold those encryption and decryption keys. It's this necessary chain of trust that has some critics concerned that Direct is a new way for large organizations and vendors to exert control over individual physicians and patients.

That's the concern of Adrian Gropper, MD, a Massachusetts physician (and chief technology officer of the nonprofit organization Patient Privacy Rights) who argues that Direct is merely "paving the cow path of our current system," as he put it in a comment on a story I wrote in April. That story covered ONC's grant of $280,000 to DirectTrust.org, and another $200,000 to the New York eHealth Collaborative, to act as HIE Governance Entities to support their HIE efforts and promulgate use of Direct nationwide.

Gropper says Massachusetts already is the most consolidated healthcare state in the nation, with 80 percent of care aggregated into three hospital systems and three insurers, when they should be giving more power to independent physicians to refer around high-cost providers.

Both Marcus and Gropper are concerned that the HIEs being deployed by states and by vendors won't give physicians discretion to send messages under the authority granted to them by their medical licenses, but instead rely solely upon the aegis of the HIE or vendor itself.

And yet, the way Direct addresses are being allocated is very similar to the way doctors acquire the means to send e-prescriptions, counters Wes Rishel, an analyst at Gartner and longtime participant on ONC's HIT Standards Committee.

Gropper is also convinced that doctors should be able to self-certify their own security credentials in a way that deployment of Direct currently does not allow. "Direct is based on e-mail," Gropper tells me. "You don't need HISPs at all. You can run Direct using Mozilla Thunderbird on a $35 Raspberry Pi to do the encryption and decryption and white lists. The mail servers can be blind intermediaries with no filtering or encryption function if you want."

Yet, Rishel and I share concerns that such a scheme opens a massive hole for fraud. "If Sam's Endoscopy Club wants to self-certify, would you as the physician be happy to send your patient's data there?" Rishel asks. Conversely, he asks, "Would you as a physician only want to communicate with those physicians you know personally?"

Rishel and others say HISPs are necessary in order to scale secure messaging to the dimensions necessary to enable widespread trust even among providers who have never met and otherwise know nothing about each other.

Under Gropper's model, "The HISP would be instructed to keep track for each physician of who else the physician trusted," Rishel says. "For Massachusetts alone that would require keeping track of 319,600,000,000 trust relationships. While the database of [that many rows of information] for Massachusetts is feasible (although not cheap) with today's process, the administrative task of setting it up is imponderable."

Gropper's response: "Even if you do want to centralize things at the server, 10,000 physicians on a server would have 10,000 rows with only a few entries in each row. Even more, any reasonable institution would typically allow any physician to whitelist every physician in the other institution. This is how faxes and postal mail work."

Both Rishel and ONC Chief Scientist Doug Fridsma contend that Direct was never intended to treat individual physicians, or patients for that matter, as equals in the chain of trust, and always meant to rely upon HISPs as the keepers of whitelists and blacklists and all the other things that service providers do to create the chain of trust.

"Direct is an important way of exchanging information securely, but we should never let our technology and other things like that get in the way of patients having access to information that is rightfully theirs," Fridsma says. At the same time, ONC judged that providing individual certificates for providers and patients was "too onerous" and "very challenging to scale," he adds.

Fridsma and ONC seem open to tweaking health information exchanges to deal with the concerns of Gropper and others. Meanwhile, however, vendors have baked their own solutions into Meaningful Use Stage 2-compliant software, and states continue to build out their HIEs.

I have a feeling that very soon, we will see just how warranted the concerns of the Massachusetts Medical Society turn out to be.

Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.
