- To learn more about Secure Messaging, Patient Portals and their usage, see the Patient Engagement Playbook.
- The “Direct” standard is based upon the Simple Mail Transfer Protocol (SMTP), RFC 5321, and for security uses the Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification, RFC 5751.
- For Direct, interoperability may depend on establishing “trust” between two parties and may vary with the trust community or communities to which the parties belong. DirectTrust is a trust community which facilitates Direct communication among users for provider messaging and consumer-mediated exchange.
- As of March 2019, DirectTrust received accreditation as an ANSI Standards Developing Organization (SDO). A new division of the organization, DirectTrust Standards, has convened a consensus body to update and maintain the Direct Standard (TM) going forward and to seek ANSI approval for the Standard.
- Current Procedural Terminology (CPT) Consumer Friendly Descriptors (CFDs) may be used when data is being exchanged between patients and providers.
- The SMART® on FHIR Project is working in this area, and may have additional implementation guidance, as well as a list of applications supporting this interoperability need.
- When the SMART on FHIR model is used, authentication is based on OAuth2. Except for “Secure Communication”, the security patterns listed here do not apply.
- The Applicability Statement for Secure Health Transport Version 1.3 is a newer version of the standard that is available for health IT developers to voluntarily update and provide to their customers. It became available when it was added to the Approved Standards for 2022 through ONC’s Standards Version Advancement Process (SVAP).
- System Authentication – The information and process necessary to authenticate the systems involved.
- User Details – Identifies the end user who is accessing the data.
- User Role – Identifies the role asserted by the individual initiating the transaction.
- Purpose of Use – Identifies the purpose for the transaction.
- Security Labeling – The health information is labeled with security metadata necessary for access control by the end user.
- Secure Communication – Create a secure channel for client-to-server and server-to-server communication.
- Secure Message Router – Securely route and enforce policy on inbound and outbound messages without interruption of delivery.