The term “HISP” is often used when discussing Direct Secure Messaging, but what exactly is a HISP?
A Health Information Service Provider, or HISP, is an accredited network service operator that enables nationwide clinical data exchange using Direct Secure Messaging (aka Direct, Direct Messaging and the Direct Project). Direct is a HIPAA compliant and interoperable transport method promoted by the Office of the National Coordinator of Health IT of the US Department of Health and Human Services (ONC/HHS). HISPs and Direct are regulated and monitored by the DirectTrust.org, a governance organization empowered by HHS.
HISPs offer healthcare organizations (hospitals, physicians, health plans, health information exchanges) and consumers an onramp to the Direct Secure Messaging network where trading partners can exchange protected health information (PHI), in a structured and unstructured format, across the internet with maximum security and privacy. Exchange partners can easily discover each other’s address on the DirectTrust network through a healthcare provider directory (HPD). The addresses are compiled, shared, and published by HISPs participating in the DirectTrust HPD program.
The nationwide messaging service delivered by HISPs and overseen by DirectTrust represents a modern, affordable, and standards-based alternative to sharing clinical data by fax, virtual private networks, and proprietary interfaces. The latter exchange methods are costly and increasingly outmoded as healthcare embraces digital communications with the economies, scale, and ubiquity of the internet. Operationally, HISP-delivered Direct Secure Messaging services are most closely related to fax in that both methods “push” data between senders and recipients and return a delivery notification upon completion.
Collectively, HISPs are the communications backbone of the DirectTrust health information exchange. Individually, they are access points to the DirectTrust Network and referred to as DirectTrust network service providers or Direct Trusted Agents. Direct Secure Messaging, Direct exchange, ONC Direct, and HISP services are the terms generally used to describe the clinical data exchange service HISPs provide.
Because the electronic medical record message attachments (HL7 C-CDAs or CDA) processed by HISPs meet Health IT interoperability standards, PHI exchanged via Direct Secure Messaging can be sent and received from EHR workflows. The same standard allows data sharing among any EHR and any software solution connected to a HISP. To use email as an analogy, you may have Microsoft Outlook installed on your computer, but if it isn’t connected to an email network, your emails can’t go anywhere, and none can get to you. Similarly, your EHR can send and receive Direct-compliant messages, but those messages won’t go anywhere unless you and those who you are communicating with have valid HISP service, addresses and Direct Trust certificates.
For Health IT developers seeking ONC/EHR Certification, HISPs are important partners. HISPs provide certification requirements related to Direct Secure Messaging that are out of scope for most developers, enabling them to meet and satisfy Certification requirements.
Some HISPs are end-user facing with recognizable brand names and user interfaces while others operate behind the scenes as an integrated module of an EHR or similar health IT solution. Those that tightly integrate with EHRs or HIEs are sometimes owned and operated by the solution vendor and provide a captive service tailored to the solution. Independent (aka: pure-play) HISPs are typically full-service providers offering a range of connectivity and service options to suit the needs of a range of end-user requirements.
HISPs provide multiple sub-services underlying the Direct Secure Messaging service, including:
- Direct Secure Messaging Addresses
- Direct addresses are similar to typical email addresses with the exception that they operate exclusively on the DirectTrust network. The specialized digital certificate affixed to a Domain/Direct Address is recognized by DirectTrust network operators and can only be issued by an accredited DirectTrust HISP. The digital passport represented by the certificate makes Direct addresses unique from Gmail, Outlook, Yahoo, and similar addresses that operate on standard email. The Certificate also encrypts messages and confirms the identity of the sender and receiver, resulting in non-repudiation.
- DirectTrust Onramp Connectivity Options
- Edge protocols (eg: XDR or S/MIME)
- Web-based mail portal with accessibility support
- Protocol transformation and routing: SMIME/SMTP, IHE XDR, web services
- Digital Certificate Issuance and Live Cycle Management
- The DirectTrust-authorized digital certificates provisioned by HISPs require specialized management and sharing capabilities that only HISPs are qualified to provide.
- Participation in the DirectTrust Accredited bundle
- Certificate issuance and registration authority
- Identity Authentication (aka: identity proofing)
- To keep the DirectTrust network clean of bad actors (e.g: spammers), HISPs are required to confirm the true identity of participants in Direct Messaging prior to provisioning a Direct Address
- Message Delivery Notification
- Message completion acknowledgements collected and reported out by HISPs are considered to be irrevocable proof of message delivery and thus have important weight in legal and CMS reporting
- Direct Secure Messaging Service Support
- Online and phone support for onboarding, connectivity issues and outages, and other service needs
- High-availability and disaster recovery
- Healthcare Provider Directory (HPD)
- Publish Direct Addresses to DirectTrust HPD
- Enforcing DirectTrust Rules of the Road
- Maintain accreditation attesting to trust relations
- Security and Trust Framework
Now that you know everything about HISPs, be sure to read our blogs to learn everything you need to know about Direct and the Healthcare Provider Directory. DataMotion is an accredited HISP of Direct Secure Messaging.