The following letter was issued from DirectTrust to the VA in response to the “Improving VA and Select Community Care Health Information Exchanges”

DirectTrust Concerns with the Office of the Inspector General Report “Improving VA and Select Community Care Health Information Exchanges”

The Department of Veterans Affairs Office of the Inspector General published the “Improving VA and Select Community Care Health Information Exchanges” report on August 6, 2020.

DirectTrust was not aware of this report before publication, nor was offered an opportunity to verify information about our organization and the Direct Secure Messaging modality.  Unfortunately, this led to many incorrect statements or misrepresentations about DirectTrust and Direct being published in the report, as well as further reported through news outlets and social media.

While we were disappointed with our inaccurate representation in the report, we were pleased with the recommendations.  We look forward to a strong, continued partnership with the VA and the advancement of Direct Secure Messaging to help provide coordinated care for our veterans.

Please find a synopsis of the statements which DirectTrust takes issue with below.

Incorrect, Misleading, or Not Fully Informed Statements

  1. Page ii: “Facilities not utilizing VA Direct reported that they were not provided training facilitated by DirectTrust™ (DirectTrust)”
  • DirectTrust does not provide end-user training and was not responsible for the training of VA employees.
  • Unfortunately, this particular statement insinuates that a lack of training by DirectTrust led to facilities not utilizing VA Direct, which is categorically untrue.
  • DirectTrust had to engage our Public Relations team and engage in reputation management exercises to correct the record with media outlets who reported this untrue statement.
  1. Page ii: “DirectTrust is a secure exchange framework, like email, with the ability to connect with 1.8 million providers nationwide.”
    • We don’t understand the source of the information regarding 1.8 million providers, but we generally reference the number of Direct Addresses, rather than the number of providers in our metrics. We update this number quarterly, and the latest can be found on our website home page.
  1. Page 2: “VA Direct is a point-to-point exchange of health information between VA and community providers caring for veterans through a unique secure email portal.”
    • There is often confusion between secure email and Direct Secure Messaging, however Direct has different security features and functionality than secure email. Our brand standards and guidelines do not align with the reference of Direct Secure Messaging as secure email.
  1. Pages 2-3: “In order for VA to share information, the community provider must…be a member of…DirectTrust”

Page 6: “If the community partner is not a member of DirectTrust, information cannot be exchanged using VA Direct.”

  • Community providers do not need to be a member of DirectTrust for VA to share information with them via Direct Secure Messaging
  • DirectTrust is the custodian of the Direct Standard™, the foundation of Direct Secure Messaging. Any organization can use Direct Secure Messaging, regardless of membership within DirectTrust.
  • To participate in secure exchange with trusted, identity-verified endpoints within the DirectTrust Network, the services of an Accredited Health Information Service Provider (HISP) are required.
  • VA became an Accredited HISP in 2019 and retains Accredited status until 9/24/2021, providing VHA employees access to the DirectTrust Network
  • More than 251,000 organizations and 2.43 million addresses are served by a DirectTrust HISP and can take part in trusted exchange through the DirectTrust network.
  • Unfortunately, these statements caused confusion and indicated a non-existent barrier to participation in Direct Secure Messaging
  • DirectTrust had to engage our Public Relations team and engage in reputation management exercises to correct the record with media outlets who reported these untrue statements.
  1. Page 7: “Figure 1 shows members where DirectTrust is available in the US as of February 2020. The colored map circles represent the number of members in the area…”

Appendix F: DirectTrust Member Locations

  • These maps do not represent members of DirectTrust. Rather, they represent Direct Addresses within the DirectTrust Directory, which does not include all Direct Addresses.
  • As of August 2020, more than 900,000 addresses are published in the directory, versus the 2.4 million Direct Address endpoints. Therefore, the insinuation that this map illustrates the availability of Direct Addresses is untrue.  Addresses may not be public within the Directory, but they are still available for sending/receiving messages.
  1. Page 7: “VA reported that it has been a member of DirectTrust for the last five years as an associate member…”
    • There is no associate membership level of DirectTrust.
    • VA joined DirectTrust as a member in 2013.
    • VA was first accredited as a HISP in 2015, then reaccredited in 2017 and 2019. VA HISP Accreditation is currently valid until 9/24/2021.
    • VA HISP became part of the DirectTrust Accredited Trust Anchor Bundle in 2019, which avoids point to point agreements with other HISPs to facilitate Direct Secure Messaging, and allows exchange within the DirectTrust Network.
  1. Page 7: “Standard members of DirectTrust cannot exchange information but they are able to go through the accreditation process to become an active member”
  • This statement is false. It could be confusing and misleading to those who do not understand DirectTrust.
  • There is no standard membership level of DirectTrust, there are only members.
  • Membership in DirectTrust is not required for exchange. This portion of the statement perpetuates the incorrect statement that membership in DirectTrust is required to participate in Direct Secure Messaging.  Members of DirectTrust can utilize Direct Secure Messaging, regardless of membership status.
  • There is no accreditation process to become a member of DirectTrust. Rather, to be accredited as a known and trusted HISP, Certificate Authority, or Registration Authority, DirectTrust Accreditation is available.
  • This statement may have been meant to convey that there is the opportunity to pursue Accreditation to become an Accredited HISP.
  • Membership in DirectTrust is not required to become an Accredited organization.
  1. Page 7: “the reason for the delay in becoming active was because of a lengthy process to achieve active membership with the DirectTrust Agent Accreditation Program and to become a Health Information Service Provider.”
    • This statement regarding the length of the process could be perceived as negative towards DirectTrust. Many organizations pursue DirectTrust Accreditation and are able to meet the requirements and timeline.
  1. Page 8: “Accreditation fees of $10,000–$13,000 per year”
    • DirectTrust Accreditation lasts for two years, so organizations undergo the Accreditation process every other year. The statement that the fees for DirectTrust Accreditation are annual is untrue.  Accreditation does require a HIPAA Privacy and Security Assessment from either EHNAC or HITRUST, which may have an annual fee.
  1. Page 14: “Costs Associated with HIEs and DirectTrust”
    • As stated previously, DirectTrust membership is not required to participate in Direct Secure Messaging, an idea that is repeatedly and incorrectly perpetuated throughout the report. The mention of DirectTrust in the subtitle, with the absence of other networks, indicates that cost is an issue for our network and not others, which we disagree with.
  1. Page 14: “Some of the smaller facilities in rural locations reported costs prevented community partners from joining an HIE or DirectTrust.”

Page 21: “…identified a lack of community provider access to Direct Messaging due to cost…”

  • Membership in an HIE or DirectTrust is not required for participation in Direct Secure Messaging, rather community partners may already have access to Direct Secure Messaging within their EHR or other technology platform, as Direct Secure Messaging is incorporated into every 2014 and forward Certified Electronic Health Record Technology (CEHRT)
  • Unfortunately, this statement perpetuates the misinformation that entities need to join DirectTrust, or incur the costs of Accreditation, to participate in Direct Secure Messaging, which is untrue.
  • We are aware there are issues with Direct Secure Messaging adoption in part created by the variability of implementation across platforms, but for many organizations lack of understanding or awareness is the barrier to adoption rather than cost. Many organizations have access to Direct Secure Messaging within their technology, they are unaware they have the capability to utilize it, something that our EHR Roundtable and other parts of the organization continually work to educate and address.
  1. Page 14: “Some facilities wanted to use VA Exchange or VA Direct but had no community partners with whom information could be shared.
    • Facilities using 2014 and forward edition Certified Electronic Health Record Technology (CEHRT) have the capability to utilize Direct Secure Messaging within their platform, meaning if those facilities are using 2014 or forward CEHRT, they have the capability to use Direct Secure Messaging
    • More than 251,000 organizations and 2.43 million addresses are served by a DirectTrust HISP and can take part in trusted exchange through the DirectTrust network, encompassing many different care settings and locations, and likely VA community partners.