By Lisa Nelson, Fractional Chief Technical Officer, DirectTrust

Defining Spam in the Context of Direct

The term “spam” has different definitions in different settings. In some cases, it’s a canned-meat product, but that’s not what we’re talking about here.

Spam in the context of information exchange typically refers to unsolicited and unwanted bulk messages, usually sent via email, often for advertising, phishing, or spreading malware – think, the junk folder on your email account.

In the context of DirectTrust, spam is defined as messages that violate the prohibitions established by the DirectTrust Aggregated Directory Data Sharing Policy. The intent of this policy is not to impede standing medical practices, interactions with insurance companies, or suggestions by Accountable Care Organizations for follow-on procedures, etc. The intent is to provide reasonable assurances to Direct message recipients that their systems will not be flooded with messages inappropriate for their electronic systems’ workflow as a result of their participation in the DirectTrust Directory.

Non-Permitted Uses of Directory Information

Qualified Users of the DirectTrust Aggregated Directory may not use Directory information for any purpose not covered in the “Permitted Uses” section of this Policy without express written permission of the organization that shared their Directory Information. Under the Directory Policy, the following uses are not permitted:

  • Selling, disclosing, making available, or otherwise permitting to obtain, DirectTrust Directory Information to any third party that is not a Qualified User and/or which is not a legal client of the Receiving Party, and which is receiving HISP services from the Receiving Party.
  • Providing and/or using the Directory Information for direct marketing, database marketing, telemarketing, marketing analysis, or research purposes.
  • Under no circumstances shall the Receiving Party use, or permit their Subscribers to use, the Directory Information for any of the following activities: advertising, pop-up ads, soliciting business, surveys.
  • Any unsolicited communications using Directory Information by or on behalf of parties not already part of the healthcare team or not already part of the normal healthcare workflows.

Permitted Uses of Directory Information

The DirectTrust Aggregated Directory Data Sharing Policy explicitly permits DirectTrust to securely provide to CMS, for inclusion in the publicly available NPPES listings, limited information for Aggregated Directory entries that contain Direct addresses associated with providers who are identified with their Type 1 National Provider Identifier (NPI). It also permits DirectTrust to provide a public query capability for Direct addresses and limited information from the Aggregated Directory entries, using the Type 1 NPI as a search parameter.

The description of permitted uses focuses on access and distribution of the Aggregated Directory listing information. Enforcement of the Directory Sharing Policy by DirectTrust supports flagging communications that use Directory Information by or on behalf of parties not already part of a patient’s healthcare team, or not already part of the normal healthcare workflow. Patient-specific messages about a medication change or formulary update are generally permitted (not considered spam). Even more general types of messages tied to specific patients, even if unsolicited, are generally not considered spam. However, if the sender is not a part of the patient’s recognized care team, and the information is not considered part of the normal healthcare workflow, then an unsolicited message could be considered spam, even if it is referencing a specific patient.

Bottom line: Spam assessment may require careful consideration, and multiple perspectives may need to be explored. Guidance provided below on how to avoid policy violations should be heeded, and DirectTrust can be consulted regarding specific situations to assess potential spam risks.

What If There’s a Violation of Policy?

Organizations sending messages in violation of this policy can be reported to DirectTrust. After examining the circumstances, if a violation has occurred, DirectTrust will notify the HISP in writing to report the violation, and within 24 hours the HISP will notify the Subscriber responsible for the violation, requesting they immediately stop sending messages of the reported type to the Direct addresses of concern. The HISP, as the Receiving Party of the Aggregated Directory, will take action, if necessary, within two business days after notice of the violation, to block the sending of messages using Directory information in violation of this Policy.

How Can Violations of Policy be Avoided?

To ensure your organization does not send messages that run afoul of this policy, consider the following:

  1. Confirm a match on use case between sending and receiving addresses

Make sure the address you’re sending to supports the intended use case for your message.

  2. Avoid sending content that is not relevant or pertinent

Steer clear of sending messages that do not pertain to a person or set of persons already receiving or requesting services from the recipient organization.

  3. Refine your messaging approach to utilize solicited rather than unsolicited messages

Establish business or operating processes that enable Message Receivers to request messages through a form of subscription or business agreement and allow them to indicate which Direct address they prefer to be used when your organization or personnel sends the requested types of messages.

  4. Never share or use Directory information in any of the ways prohibited by the DirectTrust Directory Policy

For more information, review the current version of the Policy, which has been in effect since October 18, 2023.

How to Report Suspected Spam

Send an email to [email protected]. If the message content includes personally identifiable information (PII), do not forward the message content. If the message includes no PII, include a screen capture of the content that was received, and describe why you believe this message violates Directory prohibitions. Include dates and times when the message was received and the Direct address used to send the message. If more than one address within your domain received the same or similar message content, include a list of all the Directory addresses that were involved.