4 Take-Aways about Direct Secure Messaging for Health IT Developers from ONC-CMS Proposed Rulemaking

The following is a guest blog post by Hugh Gilenson from DataMotion and Kyle Meadors from Chart Lux Consulting.

New rules recently proposed by the US Department of Health and Human Services (HHS) through the Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare and Medicaid Services (CMS) are the most comprehensive and consequential for the future direction of Health IT since the HITECH Act set the basic table stakes of health information technology in 2009.  A growing consensus among industry pundits suggests that the proposed rules will define health information exchange and the Health IT space for the next 5-10 years.

By the second half of 2019 many of the proposed regulations, along with related incentives and penalties, could become legislation under the 21st Century Cures Act.  Given the potentially significant business implications, the rules, as outlined in separate proposals by ONC and CMS,  demand the immediate attention of key stakeholders including providers, payers, and health IT developers.

For health IT developers that have deployed Direct Secure Messaging or are contemplating implementation, the critical rules to focus on generally fall under three categories:

  1. ONC’s Health IT Certification Program,
  2. definitions of information blocking as mandated by the 21st Century Cures Act, and
  3. directives aimed at health IT users (e.g., providers and payers) to share data across technical and organizational boundaries.

More than 1,000 pages of proposed rulemaking are chock-full of important details.  For the time-challenged, this summary captures the key take-aways related to Direct Secure Messaging:

  1. Direct Secure Messaging Retains Critical Interoperability Role as FHIR Spreads

APIs take center stage in both the ONC and CMS proposals but that shouldn’t be interpreted as undermining Direct Secure Messaging’s role in achieving interoperability and access to data.  In fact, the need for both FHIR APIs and Direct Messaging in today’s health IT space is proven by industry consensus and is reinforced by the proposed rules.

  2. Direct Secure Messaging Remains Integral to Base EHR Definition Certification

While the ONC proposal adds a few new certification criteria, it retains, largely intact, the current version of 2015 Edition Certification, including Direct Messaging criterion 170.315(h)(1). Criterion 170.315(h)(2) continues to link to transitions of care 170.315(b)(1) and Direct Secure Messaging remains a preferred option for (e)(1). Further, DirectTrust is called out as a recommended framework for real-world testing required for Certification purposes.

  3. Direct Secure Messaging is Required “Insurance” against Information Blocking

Information blocking is a key driver and principal focal point of the proposed rules and restrictions around this practice are ample.  Multiple examples of information blocking by inhibiting or interfering with Direct Secure Messaging are referenced throughout the proposed rules.  Exceptions to information blocking rules introduce some ambiguity about enforcement but what’s clear is that health IT developers and their users that enable Direct Messaging for transitions of care and other exchange involving patient health information demonstrate a commitment to data sharing that minimizes the potential for information blocking.

  4. Increased Demand for Direct Secure Messaging is Indicated by Multiple Rules
    1. CMS’s MIPS and Promoting Interoperability Programs
      CMS’s primary incentive payment programs stipulate 2015 Edition Certification, including Direct Secure Messaging, for EHRs and health IT solutions in 2019 and beyond.  To participate in these programs, Eligible Providers must implement one of the Direct message criteria to meet the ONC and CMS requirements.
    2. Obligatory listing of Providers’ Direct Secure Messaging Addresses
      Direct Secure Messaging is a likely beneficiary of CMS’s mandate, under the 21st Century Cures Act, to create a centralized directory of provider electronic addresses for data exchange published to the National Plan and Provider Enumeration System (NPPES). While the digital contact information required by the mandate doesn’t explicitly reference Direct Secure Messaging, Direct Addresses conform to the pre-requisites for the targeted solution.
    3. Expanded utilization of Direct Secure Messaging by health plans and CMS payers
      Under CMS proposed rules, payers would be required to support care transitions and participate in trusted exchange networks. Direct Secure Messaging can support both requirements.
    4. Direct messaging used to communicate the ADT messages.
      Also proposed by CMS is that certain medical groups and hospitals will be required to share patient admission, discharge, and transfer (ADT) messages with other providers.  There are many ways to get ADT messages delivered, but Direct is, according to ONC, likely to be a preferred method.

Health IT developers can weigh in on the proposed rules by submitting comments via the ONC website and the Federal Register by June 3, 2019. For those that want to be proactive, there are immediate actions that can be taken to get ahead of the coming legislation and to get a leg up on the competition:

  1. Architect Direct Secure Messaging for maximum accessibility and usability. In the past, the minimum functionality needed to earn Certification was sufficient for many end-users. With new scrutiny by regulators and new revenue opportunities associated with value-based reimbursement incentives, end-user requirements are more stringent than ever.
  2. Partner up with an experienced Health Information Service Provider (HISP) accredited by DirectTrust and certified by ONC. With almost 2 million end-points, only the DirectTrust Network offers the coast-to-coast interoperability end-users need. HISPs not only provide an on-ramp to the Network, they also issue and publish Direct Addresses to the most comprehensive healthcare provider directory (HPD).
  3. Seek guidance from an expert with deep ONC Certification experience and a track record of success. With the total cost of certifying a Health IT product reaching in excess of a million dollars, there’s a compelling ROI associated with investing in advice that avoids costly pitfalls and assures Certification success on the first try.

About Hugh Gilenson
Hugh Gilenson is senior director, healthcare at DataMotion where he is responsible for DataMotion’s healthcare business, building pathways to customer success by guiding healthcare industry stakeholders to the secure data exchange solutions that best align with their compliance requirements, interoperability needs, and business objectives. DataMotion secure data exchange technology enables organizations of all sizes to reduce the cost and complexity of delivering electronic information to employees, customers and partners in a secure and compliant way. DataMotion is an accredited HISP, and through its DataMotion Direct service enables efficient interoperability and sharing of a person’s medical data across the continuum of care and their broader lives.   DataMotion is a proud sponsor of Healthcare Scene.

About Kyle Meadors
Kyle Meadors is founder and principal consultant at Chart Lux Consulting where he supports developers and health IT organizations in navigating the regulatory requirements of the ONC and CMS. Chart Lux Consulting provides expert analysis and insight into the regulations and standards which impact healthcare professionals and health IT developers. Chart Lux assists developers, health care providers and other organizations in implementing health IT standards and aligning with government certification and submission requirements.