July 24, 2013

Department of Veterans Affairs Direct and My HealtheVet Blue Button Glen Crandall VA Direct Program Manager

1

What is VLER?

On April 9, 2009, President Obama directed the Department of Defense (DoD) and the Department of Veterans Affairs (VA) to create the Virtual Lifetime Electronic Record, which:

“… will ultimately contain administrative and medical information from the day an individual enters military service throughout their military career and after they leave the military.” - President Barack Obama

2

VLER Health Transport Mechanisms: Exchange vs. Direct



eHealth Exchange

– Trusted network – Query and retrieve methodology (“Pull”) – Standards-based exchange of relevant clinical information 

Direct Secure Messaging

– Trusted network – Point-to Point “Push” of clinical information using secure email – Standard or non-structured notes and reports 3

Why is Direct Needed?

“…VA was transmitting

sensitive data

, including PII and internal network routing information, over an

unencrypted

telecommunications carrier network .” “

Without controls to encrypt the sensitive VA data

transmitted, veterans’ information may be

vulnerable to interception

and misuse by

malicious users

as it traverses unencrypted telecommunications carrier networks.” OIG Report:

Review of Alleged Transmission of Sensitive VA Data Over Internet Connections -

March 6, 2013 4

What is Direct Secure Messaging?



Direct:

Internet.

specifies a simple, secure, scalable, standards-based

transportation mechanism

that enables participants to send encrypted health information directly to known, trusted recipients over the  Simply put, it is

secure email

.

 For more detail on Direct from the Office of the National Coordinator (ONC), go to the following links: – The Direct Project Overview – pdf from Oct. 2010 – The Direct Project Wiki – The Direct Project Website 6

Direct: Secure Directed Exchange via the Internet

The Direct Project specifies a simple, secure, scalable, standards-based transportation mechanism that enables participants to send encrypted health information directly to known, trusted recipients over the Internet.



Simple.

Connects healthcare stakeholders through universal addressing using simple push of information.



Secure.

Users can easily verify messages are complete and not tampered with en route.



Scalable.

Enables Internet scale with no need for central network authority that must provide sophisticated services such as EMPI, distributed query/retrieve, or data storage.



Standards-based.

Built on well established Internet standards, commonly used for secure email communication; i.e.,. SMTP for transport, S/MIME & X.509 certificates for encryption and integrity protection.

7

VA Direct Implementation

 In 2011-2012, VA developed our own Direct software. It did not meet the use cases and development was stopped in October 2012.

 Prior to stopping development, VA was working with partners in many communities to establish pilots.  Now partnering with DoD to use its Direct software. The initial installation is scheduled for February 2014.

– Direct software includes: •

Security/Trust Agent (STA) software

– responsible for securing, routing, and processing Direct messages •

Web Portal software

–to send/receive Direct messages (similar to Gmail) 8

VA Direct Use Cases



Initial High-Level VA Use Cases: (February 2014)

–

Provider-to-Provider Messaging

• Referral authorization and results reporting (e.g. mammograms) • Secure clinician-to-clinician messaging –

Patient Mediated Messaging

• Veteran sending own Continuity of Care Document (CCD)  Through My HealtheVet/Blue Button, a Veteran can send personal Continuity of Care (CCD) document to non-VA Direct addresses (e.g. non-VA providers, PHR, etc.) 

Future Provider-to-Provider Use Cases:

– Creating, sending, receiving, and viewing Consolidated CDA (C-CDA) documents – – – Rural health use cases Mental Health information exchange Women’s Health – Maternity 9

VLER Health Support of Certification/Meaningful Use (C/MU)

2014 Certification Requirements Support by VLER Health: Care Coordination – Provider to Provider

– 170.314(b)(1) - Transitions of Care - Receive, Display, and Incorporate Transition of Care/Referral Summaries – 170.314(b)(2) - Transitions of Care - Create and Transmit Transition of Care/Referral Summaries

Patient Mediated – Blue Button Direct

– 170.314(e)(1) - View, Download, & Transmit Care/Referral Summaries to 3 rd Party The required payload for the content is the Consolidated-CDA Document currently under development (analysis phase).

10

How Can Direct Be Accessed?

 Through a

Direct Web Portal

– Provides basic email functionality – Requires going to separate application – Not part of workflow – May require separate login  Using

Direct as a Service (DaaS)

– Can be built into any application – Part of workflow – Uses login from primary application 11

DoD/VA Direct Web Portal

The Direct software’s basic functionality is similar to many webmail portals.

12

VA Use of Direct Secure Messaging for Referrals

13

DoD/VA Direct as a Service (DaaS) Vision

Users Service Members and Beneficiaries AHLTA HAIMS DoD Systems TRICARE Online Secure Messaging Referral Management System DoD VLER Exchange MTF Staff VAMC Staff Veterans iEHR

Web Services Platform IPO Direct HISP

Vista Fee Basis Application VA VLER Exchange MyHealtheVet Secure Messaging VA Systems 14 Partners Purchased Care Public Health Patients Federal Partners 14

Direct Implementation Challenges and Opportunities

Blue Button Software

 Initial Direct Software for Patient Mediated Messaging (Blue Button): – UI used by Veteran is created by My HealtheVet /Blue Button team —the Veteran will not use the portal or have a VA supplied Direct address.

– The Veteran will only enter Direct address (destination) and approve sending his/her CCD (can preview before sending).

• No free text will be entered by the Veteran.

• CCD cannot be modified. No additional attachments can be added.

• One-way only —message will indicate “No Reply” – Once the message is created in Blue Button, it is sent to Direct for transport.



Risks for Blue Button Software

– – No Provider Directory —Veteran must know Direct address (Directory planned) Few people to send Direct message to until VA increases trusted partners and more people using Direct.

18

Security/Certificates

 Key to Direct —establishing trust with non-VA partner organizations – Once VA exchanges trust certificates with non-VA organization, all users from both organizations can exchange Direct messages.



Risks/Issues for Security/Certificates

– Security level for Direct certificates still not established • Working with Federal partners on recommendation • It will be higher level than what is currently being used (HIEs, states, etc.) –

Risk:

If level is too high (expensive), potential partners may not want to do Direct messaging with Federal partners.

–

Issue:

what level of certificate is needed for patient mediated messaging?

• ONC interprets HIPAA to say that if a patient request data sent, it must be sent and can even be sent unencrypted. VA has higher requirements.

• Discussion continue within VA to answer this question.

19

Privacy



For Patient Mediated Messaging (Blue Button):

– VA Direct system will send on behalf of Veteran —same as if Veteran was sending from personal system.

– – No Accounting of Disclosure required.

Need to ensure Veteran can preview data being sent and that actual message contains same data as what was previewed.

20

Non-VA Partners Policies and Procedures

 Need to insure partners have proper policies and procedures in place.

– – Partner end users need to be properly authenticated HISP needs to ensure end users will follow privacy/security rules 

Issue:

How do we ensure that non-VA partners have needed privacy/security policies in place?

– – ONC says no DURSA-like agreement needed VA (like many others) are looking to put agreements in place 21

Non-VA Partners Technical Readiness

 Many organizations (e.g. HIEs) that are now doing Direct are only sharing within their HISP —not across organizations.

 Exchanging between organizations opens up challenges organizations may not have dealt with including Federal rules for privacy, security, and trust.

 Testing/Validation between VA and Partners will be necessary. Still working to determine what that will be. 

Risks for Adding Non-VA Partners:

– Potential partners may not technically be able to become a trusted Direct partner with VA.

– Finding partners whose users are ready may be difficult. Many organizations “using” Direct have low usage—it’s not part of the end user’s workflow yet.

• Everyone wants to do Direct…a few say they are doing it…not many are actually using it significantly.

22

Questions?

Glen Crandall, VA Direct Program Manager [email protected]

23