Building the Trust Framework for Direct Exchange


July, 2012

DirectTrust.org is organized as a non-profit, competitively neutral, self-regulatory entity created by and for Direct community participants. Our goal is to develop, promote and, as necessary, help enforce the rules and best practices necessary to maintain security and trust within the Direct community, and to foster widespread public confidence in the Directed exchange of health information.



DirectTrust.org is an outgrowth of a series of discussions and workgroup meetings that began in April, 2011, among stakeholders interested in helping to develop a Security and Trust Framework suitable for the stable and interoperable growth of Direct exchange in the United States. Trust is important to the confidence that the public will have in both the privacy and the security of Directed exchanges of messages and attachments. A central issue in those discussions was how to make it possible for purchasers and subscribers of the new Health Internet Service Provider (HISP) and Certificate Authority services for Directed exchange to have confidence in their choices of these trust agents, and to be assured that vendors would subscribe to, and be held accountable to, a common yardstick of security and trust best practices.

A central issue taken up by this group of parties was how to establish trust among HISP-CAs in the issuance, exchange, and management of the digital certificates used in the cryptographic method employed by Directed exchange, known as Public Key Infrastructure (PKI) technology. Businesses, state/federal agencies and contractors have deployed PKI for secure e-mail, controlled access to web services, and online authentication, among other uses, for over a decade. However, its use in health care has been very limited. Most health care providers are not familiar with participation in a PKI, and, since the Direct Project potentially represents the largest scale deployment of a PKI within health care to date, there is an urgent need for education about PKI architecture and the formation of a community that can instill confidence in its uses.

David McCallie (Cerner Corp.), Brett Peterson (Ability), David C. Kibbe (AAFP), and Gary Christensen (RIQI) were among the first participants in those discussions, although the membership of the workgroup (which came to be known as the Direct Rules of the Road workgroup) quickly grew to more than two dozen individuals. By late September, there were over 50. In early November, 2011, the members of that workgroup formally moved their work to the DirectTrust.org wiki, in anticipation of the establishment of DirectTrust.org as an independent non-profit organization. DirectTrust.org was incorporated as a not-for-profit trade association in April, 2012, and as of late June there were over 180 participants in the DirectTrust.org wiki. They include representatives from HISP vendors, Certificate Authorities, state and regional HIEs, physician membership organizations, EHR and PHR companies, consultants, and other interested parties.

It is the intention of those who have come together to help form this new entity that DirectTrust.org will be complementary to and subject to, as well as supportive of, the governance rules and regulations for the Direct Project and the Nationwide Health Information Network (NwHIN), promulgated by HHS and ONC, and the mandates of the HITECH Act.