1

Department of Veterans Affairs Direct and My HealtheVet Blue Button

Glen CrandallVA Direct Program Manager

July 24, 2013

2

What is VLER?

On April 9, 2009, President Obama directed the Department of Defense (DoD) and the Department of Veterans Affairs (VA) to create the Virtual Lifetime Electronic Record, which:

“… will ultimately contain administrative and medical information from the day an individual enters military service throughout their military career and after they leave the military.”

- President Barack Obama

3

VLER Health Transport Mechanisms: Exchange vs. Direct

eHealth Exchange– Trusted network– Query and retrieve methodology (“Pull”)– Standards-based exchange of relevant clinical information

Direct Secure Messaging – Trusted network– Point-to-Point “Push” of clinical information using secure email– Standard or non-structured notes and reports

4

“…VA was transmitting sensitive data, including PII and internal network routing information, over an unencrypted telecommunications carrier network.”

“Without controls to encrypt the sensitive VA data transmitted, veterans’ information may be vulnerable to interception and misuse by malicious users as it traverses unencrypted telecommunications carrier networks.”

OIG Report: Review of Alleged Transmission of Sensitive VA Data Over Internet Connections - March 6, 2013

Why is Direct Needed?

6

What is Direct Secure Messaging?

Direct: specifies a simple, secure, scalable, standards-based transportation mechanism that enables participants to send encrypted health information directly to known, trusted recipients over the Internet.

Simply put, it is secure email.

For more detail on Direct from the Office of the National Coordinator (ONC), go to the following links:– The Direct Project Overview – pdf from Oct. 2010– The Direct Project Wiki– The Direct Project Website

7

Direct: Secure Directed Exchange via the Internet

The Direct Project specifies a simple, secure, scalable, standards-based transportation mechanism that enables participants to send encrypted health information directly to known, trusted recipients over the Internet. Simple. Connects healthcare stakeholders through universal

addressing using simple push of information. Secure. Users can easily verify messages are complete and not

tampered with en route. Scalable. Enables Internet scale with no need for central network

authority that must provide sophisticated services such as EMPI, distributed query/retrieve, or data storage.

Standards-based. Built on well established Internet standards, commonly used for secure email communication; i.e.,. SMTP for transport, S/MIME & X.509 certificates for encryption and integrity protection.

8

VA Direct Implementation

In 2011-2012, VA developed our own Direct software. It did not meet the use cases and development was stopped in October 2012.

Prior to stopping development, VA was working with partners in many communities to establish pilots.

Now partnering with DoD to use its Direct software. The initial installation is scheduled for February 2014.– Direct software includes:

•Security/Trust Agent (STA) software – responsible for securing, routing, and processing Direct messages

•Web Portal software –to send/receive Direct messages (similar to Gmail)

9

VA Direct Use Cases

Initial High-Level VA Use Cases: (February 2014)– Provider-to-Provider Messaging

•Referral authorization and results reporting (e.g. mammograms)•Secure clinician-to-clinician messaging

– Patient Mediated Messaging•Veteran sending own Continuity of Care Document (CCD)

Through My HealtheVet/Blue Button, a Veteran can send personal Continuity of Care (CCD) document to non-VA Direct addresses (e.g. non-VA providers, PHR, etc.)

Future Provider-to-Provider Use Cases:– Creating, sending, receiving, and viewing Consolidated CDA (C-CDA) documents– Rural health use cases– Mental Health information exchange– Women’s Health – Maternity

10

VLER Health Support of Certification/Meaningful Use (C/MU)

2014 Certification Requirements Support by VLER Health:Care Coordination – Provider to Provider– 170.314(b)(1) - Transitions of Care - Receive, Display, and Incorporate Transition of

Care/Referral Summaries

– 170.314(b)(2) - Transitions of Care - Create and Transmit Transition of Care/Referral Summaries

Patient Mediated – Blue Button Direct– 170.314(e)(1) - View, Download, & Transmit Care/Referral Summaries to 3rd Party

The required payload for the content is the Consolidated-CDA Document currently under development (analysis phase).

11

How Can Direct Be Accessed?

Through a Direct Web Portal– Provides basic email functionality– Requires going to separate application– Not part of workflow– May require separate login

Using Direct as a Service (DaaS)– Can be built into any application– Part of workflow– Uses login from primary application

12

DoD/VA Direct Web Portal

The Direct software’s basic functionality is similar to many

webmail portals.

13

VA Use of Direct Secure Messaging for Referrals

1414

DoD/VA Direct as a Service (DaaS) Vision

VAMC Staff

MTF Staff

Veterans

Service Members and Beneficiaries

Public Health

Patients

Referral Management System

Purchased Care

Federal Partners

HAIMS

iEHR

MyHealtheVet

Vista Fee BasisApplication

DoD VLER Exchange

VAVLER Exchange

AHLTA

Secure Messaging

TRICARE Online

Secure Messaging

Users PartnersDoD Systems

VA Systems

IPO Direct HISP

Web Services Platform

Direct Implementation

Challenges and Opportunities

18

Blue Button Software

Initial Direct Software for Patient Mediated Messaging (Blue Button):– UI used by Veteran is created by My HealtheVet /Blue Button team—the Veteran

will not use the portal or have a VA supplied Direct address.– The Veteran will only enter Direct address (destination) and approve sending

his/her CCD (can preview before sending).•No free text will be entered by the Veteran.•CCD cannot be modified. No additional attachments can be added.•One-way only—message will indicate “No Reply”

– Once the message is created in Blue Button, it is sent to Direct for transport.

Risks for Blue Button Software– No Provider Directory—Veteran must know Direct address (Directory planned)– Few people to send Direct message to until VA increases trusted partners and more

people using Direct.

19

Security/Certificates

Key to Direct—establishing trust with non-VA partner organizations– Once VA exchanges trust certificates with non-VA organization, all users from both

organizations can exchange Direct messages.

Risks/Issues for Security/Certificates– Security level for Direct certificates still not established

•Working with Federal partners on recommendation•It will be higher level than what is currently being used (HIEs, states, etc.)

– Risk: If level is too high (expensive), potential partners may not want to do Direct messaging with Federal partners.

– Issue: what level of certificate is needed for patient mediated messaging?•ONC interprets HIPAA to say that if a patient request data sent, it must be sent and can

even be sent unencrypted. VA has higher requirements.•Discussion continue within VA to answer this question.

20

Privacy

For Patient Mediated Messaging (Blue Button):– VA Direct system will send on behalf of Veteran—same as if Veteran was sending

from personal system.– No Accounting of Disclosure required.– Need to ensure Veteran can preview data being sent and that actual message

contains same data as what was previewed.

21

Non-VA Partners Policies and Procedures

Need to insure partners have proper policies and procedures in place.– Partner end users need to be properly authenticated– HISP needs to ensure end users will follow privacy/security rules

Issue: How do we ensure that non-VA partners have needed privacy/security policies in place?– ONC says no DURSA-like agreement needed– VA (like many others) are looking to put agreements in place

22

Non-VA Partners Technical Readiness

Many organizations (e.g. HIEs) that are now doing Direct are only sharing within their HISP—not across organizations.

Exchanging between organizations opens up challenges organizations may not have dealt with including Federal rules for privacy, security, and trust.

Testing/Validation between VA and Partners will be necessary. Still working to determine what that will be.

Risks for Adding Non-VA Partners: – Potential partners may not technically be able to become a trusted Direct partner

with VA.– Finding partners whose users are ready may be difficult. Many organizations

“using” Direct have low usage—it’s not part of the end user’s workflow yet.•Everyone wants to do Direct…a few say they are doing it…not many are actually using it

significantly.

23

Questions?

Glen Crandall, VA Direct Program Manager - Glen.crandall@va.gov