Communications in healthcare are complicated. That is because providers and payers are forced to use a variety of communication mediums: Cloud Fax, QHIN, Direct Secure, HIPAA compliant email, and carrier pigeon. Just kidding, no birds were harmed in sending messages for healthcare. But, honestly, sometimes the market feels THAT antiquated.
This guide answers some key questions about one of those communication mediums, Direct Secure Messaging. This communication network, originally aimed at killing on-premise fax, has become another way to send and receive PHI.
Table of Contents
- What is Direct Secure Messaging?
- What is a HISP?
- What is the Difference between Direct Secure and HIPAA compliant email?
- What are the Benefits of Direct Secure Messaging?
- Who sells Direct Secure Messaging?
- How much does Direct Secure Messaging Cost?
- Who is the accrediting body for HISPs and Direct Secure?
What is Direct Secure Messaging?
Direct messaging, also known as Direct Exchange, is a secure method of transmitting health information online. This protocol allows for HIPAA-compliant, encrypted transmission of Protected Health Information (PHI). The simplest way to think about it is as an independently verified email address that enables secure communication. A Health Information Service Provider (HISP) maintains an SMTP server and executes encryption and decryption of the messages.
This standards-based communication method came out of the Direct Project in 2010. The Direct Project was a really great demonstration of public, private and independent organizations working together to solve problems around interoperability. Ultimately, Direct Messaging and DirectTrust (a non-profit) were founded as a result of the project.
What is a HISP?
A Health Information Service Provider (HISP) is a network service operator that is accredited to enable the exchange of clinical data nationwide via Direct Secure Messaging.
Direct Secure messaging can be offered by either a Health Information Service Provider (HISP) or a non-HISP vendor. However, Direct Secure addresses must be managed by a HISP, regardless of whether they are purchased directly from a HISP or through a reseller.
What is the Difference between Direct Secure and HIPAA compliant email?
There are a number of HIPAA compliant email providers on the market, like Virtru and PauBox. However, it is important to know that they are not Direct Secure providers, and their communications, while encrypted, cannot transit through the Direct Secure network. That is because, during setup with any Direct Secure provider, the individual submitting the request is identity verified AND the provider they work for is certified independently.
With each Direct Secure address there is a private digital security key and a corresponding public key. This enables the sender to transmit a message that ONLY the recipient can read. The result is an airtight communication network. This type of lock and key, verification and certification does not exist on any email network, regardless of encryption.
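Direct's transport specification builds this key pair on S/MIME and X.509 certificates, a detail this guide does not spell out. The following is an added example (not from the original guide or any HISP's code) that uses the `openssl` CLI to show that a message encrypted to one address's certificate cannot be opened with another address's key. The addresses, file names and message text are constructed, and throwaway self-signed certificates stand in for the identity-verified ones a HISP would manage.

```shell
#!/usr/bin/env bash
# Added illustration: all addresses, names and message text are constructed.
set -u
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_identity NAME ADDRESS
# Throwaway self-signed certificate + private key standing in for the key
# pair bound to one Direct address (real ones follow identity verification).
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# encrypt_for NAME INFILE OUTFILE
# Sender side: needs only the recipient's public certificate.
encrypt_for() {
  openssl smime -encrypt -binary -aes-256-cbc \
    -in "$2" -out "$3" "$work/$1.crt" 2>/dev/null
}

# decrypt_with NAME INFILE
# Receiver side: needs the private key; prints plaintext, non-zero on failure.
decrypt_with() {
  openssl smime -decrypt -binary -in "$2" \
    -recip "$work/$1.crt" -inkey "$work/$1.key" 2>/dev/null
}

make_identity recipient "dr.lee@direct.clinic-a.example"
make_identity outsider  "intake@direct.clinic-b.example"

printf 'Referral summary: constructed sample text\n' > "$work/msg.txt"
encrypt_for recipient "$work/msg.txt" "$work/msg.smime"

echo "recipient key:"
decrypt_with recipient "$work/msg.smime" || echo "  decryption failed"
echo "outsider key:"
decrypt_with outsider "$work/msg.smime" || echo "  decryption failed (expected)"
```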
What are the Benefits of Direct Secure Messaging?
One of the biggest limitations of the Direct Secure network is transitioning from one provider to the next. That is because if you change Direct Secure providers, you need to recertify that address, which takes time and money. This is because Direct Secure is a zero trust network and everything needs to be verified.
On a practical level, if an oncology office wants to switch Direct vendors, they could lose all of the previous inbound messaging to that address.
Fax may be a legacy platform, but at the very least the FCC guarantees that a number stays with a consumer. No such laws exist for Direct Secure.
Who sells Direct Secure Messaging?
There are a variety of vendors to choose from when considering Direct Secure Messaging. There are typically two ways to get access: through a wholesale distributor or through EHR vendors directly. Those EHR vendors are either HISPs themselves or use an underlying wholesale service. A few vendors are listed below:
Wholesale Distribution
- EMRDirect
- MaxMD
- Inprivia
EHR Distribution
- Epic Systems
- Cerner Corporation
- Allscripts
- MEDITECH
- NextGen Healthcare
How much does Direct Secure Messaging Cost?
Some vendors list their pricing and for others it is confidential. It is best to reach out to the vendor or the EHR directly to determine the price for you. A good example of small provider public pricing is listed here.
The major components of any publicly available pricing model are identity verification, provider certification, ongoing record keeping for audit purposes, and the actual technical management of the address.
Pricing models range from usage-based (per message) to address-based and provider-based pricing. Volume of messages, number of addresses and number of providers tend to be the determining factors of price.
Who is the accrediting body for HISPs and Direct Secure?
The accrediting body for HISPs (Health Information Service Providers) and Direct Secure Messaging is the DirectTrust Accreditation Program. DirectTrust is a non-profit organization that establishes and maintains the security and trust framework for the exchange of health information using Direct Secure Messaging protocols. Their accreditation program ensures compliance with standards and best practices in secure health information exchange.