Healthcare organizations leveraging DirectTrust can also use the Fast Healthcare Interoperability Resources (FHIR) standard for more seamless and secure health data exchange, DirectTrust explained in a recent webinar.
FHIR defines a web application programming interface (API) and related specifications for health data exchange, and was developed by Health Level Seven International (HL7).
FHIR is a strategy for enabling integration and connectivity between different players, said HL7 Chair and Mayo Clinic Technical Specialist Calvin Beebe. Direct is an existing federal standard that is widely used across the US for healthcare data exchange.
“DirectTrust provides a scalable security and trust infrastructure through the Federated Service Agreement, formal policies, accreditation, and a PKI-based trust framework,” he stated. “It’s really a lot of technology and policy that work together to enable a trust system where almost any group can trust each other. Because they’re such an expenditure in the planning and setting up of such a network, there was really a strong incentive to see how could we leverage this learning, this capability that’s been used with Direct in the FHIR space.”
From there, the group explored a number of strategies to leverage the DirectTrust trust framework at the January 2018 HL7 FHIR Connectathon in New Orleans.
The webinar then reviewed the different scenarios explored at the Connectathon in which healthcare organizations may utilize FHIR.
For example, a healthcare organization can send FHIR resources within a Direct Message as an attachment through Context IG, the Direct secure transport layer. The resources can be sent as a payload from one Direct site to another receiver, or an organization can send a query and retrieve an answer.
FHIR bundles sent as content can be loaded by the receiving FHIR server, and the standardized message structure triggers a FHIR query at the receiving end for a return result.
Beebe added that organizations can utilize X.509 certificates with the FHIR RESTful API to enable trust relationships and scale through UDAP Profiles.
In that case, mutual TLS provides client-server authentication/authorization, and authentication and authorization JWTs are used for backend services.
DirectTrust Security and Trust Compliance Workgroup Chair Luis Maas, MD, PhD, CTO, explained that FHIR access is a binary decision, but that scopes do not need to be binary decisions.
“For example, the policy engine may have different decisions based on the types of data that’s requested and the location of the organization,” Maas said. “Is the data crossing state lines? Is the data staying within the community? Is the data going to an affiliated organization?”
The previously described scenario could simply be called an authentication JWT, whose purpose is truly just to identify the requesting party, he continued. Other information can be included in the JWT to transform it essentially into an authorization JWT. That is where additional information could be included, such as the stated purpose of use.
“The idea here is that the scoping is the responsibility of the operation server,” Maas explained. “If for example, it is a payer that is making the request and the payer has been identified as ABC Insurance, the authorization server could issue an access token that access is only granted to patients’ data where the biller of record is ABC Insurance.”
“All kinds of custom local policies are also possible,” he added. “The local authorization server still has to follow all the laws and regulations in place. It’s just that now they have more information to make those decisions, including information that has been validated by a third party about who they’re dealing with. This helps them with their responsibility to have an understanding of who they’re transacting with.”
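The scoping behavior Maas describes can be sketched as a small policy function. This is an added example, not code from DirectTrust, HL7 or the webinar: the claim names (`org_id`, `org_type`, `state`, `purpose_of_use`), the `system/Resource.read` scope strings and all policy values are assumptions constructed for illustration, and the JWT is assumed to have already been verified against the trust framework's certificates.

```python
from dataclasses import dataclass

# Constructed local policy data (hypothetical values, not from the webinar).
LOCAL_STATE = "MN"
AFFILIATES = {"urn:example:org:clinic-42"}
ALLOWED_PURPOSES = {"TREATMENT", "PAYMENT"}
PAYER_RESOURCES = {"Patient", "Claim", "Coverage"}
CROSS_STATE_WITHHELD = {"Condition", "MedicationRequest"}

@dataclass(frozen=True)
class Decision:
    granted: bool
    scopes: tuple = ()
    constraints: tuple = ()  # row-level filters the resource server must enforce
    reason: str = ""

def decide(claims: dict, requested_scopes: list) -> Decision:
    """Turn validated requester claims into a scoped grant.

    Assumes the JWT signature and its X.509 chain were already verified
    against the trust framework; claim names here are hypothetical.
    """
    org, purpose = claims.get("org_id"), claims.get("purpose_of_use")
    if not org or purpose not in ALLOWED_PURPOSES:
        return Decision(False, reason="missing identity or unsupported purpose of use")
    crosses_state = claims.get("state") != LOCAL_STATE
    scopes, constraints = [], set()
    for scope in requested_scopes:
        if not scope.endswith(".read"):
            continue  # local policy: external parties never get write scopes
        resource = scope.split("/")[-1].split(".")[0]
        if claims.get("org_type") == "payer":
            if purpose != "PAYMENT" or resource not in PAYER_RESOURCES:
                continue
            constraints.add(f"biller-of-record={org}")  # only the payer's own members
        elif crosses_state and org not in AFFILIATES and resource in CROSS_STATE_WITHHELD:
            continue  # data would leave the state to a non-affiliated organization
        scopes.append(scope)
    if not scopes:
        return Decision(False, reason="no requested scope permitted by local policy")
    return Decision(True, tuple(scopes), tuple(sorted(constraints)))

if __name__ == "__main__":
    payer = {"org_id": "urn:example:org:abc-insurance", "org_type": "payer",
             "state": "WI", "purpose_of_use": "PAYMENT"}
    print(decide(payer, ["system/Patient.read", "system/Observation.read", "system/Claim.write"]))
```

The access decision stays binary (`granted`), while the returned scopes and constraints carry the non-binary part: what was narrowed and which row-level filter the resource server has to apply.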
DirectTrust has been seeing continued growth in health data exchange, reporting earlier this year that Q1 2018 had 47.8 million health data exchange transactions. Healthcare organizations served by DirectTrust health information service providers (HISPs) and engaging in Direct exchange also increased 19 percent.
The number of DirectTrust addresses that can share PHI also grew 17 percent to nearly 1.7 million, while patients/consumers with DirectTrust addresses grew about 45 percent to 225,000.
“Despite the tremendous amount of attention being given to FHIR and APIs, the growth here is solid and reflects the value of electronic ‘push’ technology to replace fax and paper,” DirectTrust President and CEO David C. Kibbe, MD, MBA said in a statement. “We are also noticing an uptick in patient/consumer involvement in Direct secure messaging, and improvements in EHR vendors’ software features and functions that make Direct more user-friendly for clinicians and their staffs.”