Tuesday, September 24, 2013

Provider Directories at Direct Boot Camp 2.0

The ONC State HIE Program hosted a two-day workshop on NHIN Direct, the health information exchange protocol built on secure email (SMTP/S-MIME). There was quite a good turnout. I'm still fairly new to Direct, so readers will have to forgive (or correct) any inaccuracies or misinterpretations on my part, as this is based on notes and conversations I had over the two days. The main areas of focus were scalable trust, security and interoperability, and provider directories. So without further ado, here's a brain dump of my two-day dive into Direct.

The Big Question

The workshop opened with a question and crowdsourcing exercise. Everyone was given index cards upon which to write an answer. The cards were distributed and voted on, and the top five read aloud. The top answers were centered on education, outreach, and provider directories.

Provider Directories

This was the hot topic. There's a lot of interest in healthcare provider directories (HPD), trust, and bridging trust authorities. How does a HISP know which HPD to query for authoritative information, and whether the information returned is accurate, up to date, and trustworthy? Since the HPD is used primarily within Direct to look up addresses and certificates, this is a big issue.

At the HPD roundtable discussion a number of different views were brought together. A Federal Bridge was discussed, which would use X.500 and X.509 to certify Certificate Authorities (CAs) and provide trust bundle functionality. This would be a distributed system of authoritative directories, with the "source of truth" sitting at the edge of the directory tree, as close to the provider as possible, on the grounds that an organization with a direct relationship with the provider would be more trusted. However, how would X.500 deal with systems that only use organization-level certificates and not person-level certificates? What engagement model will motivate physicians to keep their information up to date?

A question was raised about the need for a standard response model supported across the country. It would be nice if states and the DEA supported certificates to verify doctor identities. Provider directories have strong verification and credentialing use cases. For example, in a federated model of authoritative sources, is there a potential for fraud or gaming the system? If a provider license is revoked in one state, what happens when the provider moves to a different state?

Another concern expressed was what information should be exposed publicly. There is a widespread perception that publicly available provider directories might open the door to spam, but the Direct protocol is very difficult to spam. HPD maintainers have a more legitimate concern: if they expose everything via web services, what's to stop a competitor from downloading the entire directory? This is the motivation for mutual authentication, to control who can access what. There needs to be agreement on what information to divulge and what to withhold. Western States Consortium has been studying this problem and is in the process of documenting their findings.

Mod Spec HPD

Mod Spec (MSPD) is trying to "future proof" the HPD specification and make it more modular. MSPD extended HPD for error handling, federation, and extensibility. The LDAP model is the same, but the WSDL and error handling have been updated. They are looking for pilot projects (contact Farrah Darbouze or Matthew Rahn for details).
