July 6, 2020

Staying HIPAA compliant with Direct Messaging

Previously, we discussed tools for staying HIPAA compliant when sharing electronic Protected Health Information (ePHI). Now let’s focus on Direct Messaging, also known as Secure Direct Messaging or simply Direct, because, unlike SFTP or VPNs, it is intended for use by clinicians only.

Direct is part of a federal project for medical information standardization that started in 2010. Therefore, it is undoubtedly HIPAA compliant, which is crucial for a practice. However, it is still under development and has its pros and cons.

At first glance, Direct Messaging is quite similar to common email systems, but there are some key differences. First, it can be used only by its registered users. To connect with another Direct user, you must hold an address that looks like, for example, [username]@direct.[facility].com. Therefore, you will be unable to send a message from, say, (in this case you’ll get a notification). On the one hand, such “closedness” may seem inconvenient, because it considerably limits your ability to contact other users. On the other hand, it eliminates many entry and delivery errors and ensures that the message reaches the intended user. Thus, Direct becomes a closed professional network of healthcare specialists with trusted relationships.

This feature attracts criticism, because finding the contacts you need may turn out to be challenging. However, some vendors integrate a search option that allows clinicians to find a user by name, address, facility or specialty. In this regard, Direct is still in development; this function is far from perfect. But the number of users is growing, and in the future Direct is likely to become a powerful tool for managing professional networks.

Besides a digital security certificate, Direct uses an encrypted connection, which significantly reduces the risk of unauthorized access. Moreover, Direct is provided by HISPs, specialized Health Information Service Providers. So Direct appears to be more secure than common web messengers.

Another essential feature of Direct Messaging is its integration with EHRs. Patient records can be shared within your regular workflow. To get their license, all EHR vendors need to integrate their services with a Direct Messaging system, and this requirement will likely promote Direct. However, this doesn’t mean that every EHR supports every Direct Messaging system. There are many different EHR and Direct Messaging providers, and their applications do not always work together. The leading providers usually cooperate with each other, but it is still better to check whether your EHR is integrated with the Direct Messaging system you are going to purchase (unlike many web-based email services, Direct Messaging systems are not free). Normally, you will need to pay $100–200 per year. Besides, some vendors offer extra features that are charged additionally, e.g. a C-CDA viewer or another special tool, which you might need, but which is not everybody’s cup of tea.

Being a required element of EHRs, Direct itself is independent of the configuration or components of your IT infrastructure. This means it can be used without any additional software, directly from a web browser. However, some software providers integrate Direct Messaging into their applications. Usually, they offer top-to-bottom solutions covering all the processes of a diagnostic business. If you are using such an app, you can contact your provider and ask about its Direct Messaging capabilities.