Similar to how a cotter pin in an engine prevents nuts and bolts from loosening or falling out due to high vibrations, the ORG_UID field holds information together for a single organization in a Directory CSV contribution file. The ORG_UID field is the part that makes it possible for multiple flat file entry rows to stay connected as a hierarchical representation of the information needed about the healthcare organization, care facility, or the organization’s provider personnel, which makes it possible to find Direct addresses when they are needed.
Each organization using Direct to exchange information gets its identity verified before the X.509 certificates are issued. The certificates are then associated with the organization’s Direct addresses. Regardless of whether the certificate is bound to the domain of the address or the entire address, the organization’s verified name information is carried in the subject organization name (O field) of each certificate. This organization’s information is contributed to the DirectTrust Directory along with any locations they manage where care is provided and all the Direct addresses they use to facilitate interoperability for their organization, their locations, or their personnel.
Personnel using Direct to send secure messages also are identity-proofed and the certificate associated with their Direct address carries their organization’s name in the subject organization name (O field) as well.
For the special case of a physician who operates as a sole proprietor, the organization name used in the DirectTrust Directory and the subject organization name of the certificate that backs their address(es) are derived from information associated with the sole proprietor.
| Directory Best Practices Note – How to Populate Organization Information for a Sole Proprietor Physician
Since an unaffiliated provider has no official ORG_NAME, the ORG_NAME should be populated with a concatenated string of the provider’s ‘PROV_FIRST_NAME + ” “ + PROV_MID_NAME + “ “ + PROV_LAST_NAME + “ “ + PROV_SUFFIX’. If any of these PROV fields are NULL, the space (“ “) should be eliminated to avoid double spacing in the concatenated string used to populate the ORG_NAME field. Leading and trailing spaces should also be removed. |
The HISP providing the Direct service is responsible for assigning a unique identifier to each verified organization. The unique identifier assigned by the HISP for one specific organization using their service is used in the Directory contribution in the field called ORG_UID.
When a vendor integrator includes Direct services as part of their solution, the HISP and that vendor must agree on how each verified organization will be assigned an ORG_UID identifier. For example, the vendor may assign a unique customer ID and then the HISP may prepend that ID with the identifier they have established for the vendor.
| Directory Best Practices Note – Always Include ORG_UID
As of the Directory Services User Guide v2.8, best practice guidance has been for HISPs to include ORG_UID identifiers in the Directory CSV contribution file. Relying on the Directory Service to assign ORG_UIDs does not allow proper hierarchical representation of the Directory Data and prevents searching from being effective. |
ORG_UID appears on every row in the CSV contribution file where Direct address information is associated with that specific organization. When the Directory contributions are aggregated, the HISPID (HISP identifier) field is appended to the ORG_UID so that every single organization in the DirectTrust Aggregated Directory has a unique identifier. Organizations that use Direct services from two different HISPs can, in this way, be differentiated.
Every Direct address ensures the Provenance information about who is sharing health information is available and trusted. The “who” information always includes the organization and may additionally provide the specific personnel information.
Data Provenance describes the information’s author which must include the author organization and may also include the author person. In CDA® and FHIR®, representing data Provenance requires the organization to be represented at a minimum, and supports the inclusion of a specific person. In the DirectTrust Directory, ORG_UID is used to maintain the asserted relationship between the organization and its employees together despite a flat CSV file representation of otherwise hierarchical data.
Each row of the Directory CSV contribution file provides different parts of the hierarchically modeled directory information. It may require many rows of data to represent a single situation.
For example, a healthcare organization with two locations and two different providers at each location would need a minimum of (5) row entries in the CSV file to contribute their Direct address information.
Example:
- The first row would contain the information for the organization which is the named organization in their X.509 certificates.
- Next the CSV file contains rows to represent the two practice addresses of the two locations where care is delivered. If each location has two providers, that’s four more rows.
Constructing a Directory CSV contribution file can be accomplished in a step-by-step process.
The first row always includes the organization’s information by supplying its mailing address confirmed during the identity proofing process for the organization (ORG_GEO_ADDR_TYPE = mailing).
Next, if an organization has any organization-level addresses (workflow addresses), the first one could be provided on the same row as the organization with their mailing address information. If there were more than one organization-level address, additional addresses could be provided by repeating the organization’s mailing address on more rows. The ORG_UID value is repeated on each row to maintain the organizational context for the information.
Next, include rows for each location where the organization provides care (ORG_GEO_ADDR_TYPE=practice). Workflow addresses specific to a particular location can be included on a row in which the ORG_UID sets the context of the organization and the practice address information sets the context of the location.
Finally, Direct addresses for personnel who use Direct for individual-provider or individual-employee secure messaging can be included. To associate the personnel with the organization, the PROV_ fields are preceded with the ORG_UID of the organization and the organizational mailing information. To associate the personnel with a specific care location, the PROV_ fields are preceded with the ORG_UID of the organization and then the practice address information for the location where they provide care.
