A Health Information Service Provider (HISP) is an authorized network service operator that enables nationwide clinical data exchange based on Direct Secure Messaging, a HIPAA compliant and interoperable transport method promoted by the Office of the National Coordinator of Health IT of the US Department of Health and Human Services (ONC/HHS). HISPs and Direct Secure Messaging are regulated and monitored by the DirectTrust.org, a governance organization empowered by HHS.
HISPs offer Healthcare organizations (hospitals, physicians, health plans, health information exchanges) and consumers an onramp to the Direct Secure Messaging network where trading partners can exchange protected health information (PHI), in structured and unstructured format, across the internet with maximum security and privacy. Exchange partners can easily discover each other’s address on the DirectTrust network through a healthcare provider directory (HPD) compiled, shared, and published by HISPs participating in the DirectTrust HPD program.
The nationwide dial-tone delivered by HISPs and overseen by DirectTrust represents a modern, affordable, and standards-based alternative to sharing clinical data by fax, virtual private networks, and proprietary interfaces – exchange methods that are costly and increasingly outmoded as healthcare embraces digital communications with the economies, scale, and ubiquity of the internet. Operationally, HISP-delivered Direct Secure Messaging services are most closely related to fax in that both methods “push” data between senders and recipients and return a delivery notification upon completion.
Collectively, HISPs are the communications backbone of the DirectTrust health information exchange. Individually, HISPs are access points to the DirectTrust Network and are referred to as DirectTrust network service providers or Direct Trusted Agents. Direct Secure Messaging, Direct exchange, ONC Direct, and HISP services are the terms generally used to describe the clinical data exchange service HISPs provide.
Because the message attachments (HL7 C-CDAs or CDA) processed by HISPs meet Health IT interoperability standards, PHI exchanged via Direct Secure Messaging can be sent and received from EHR workflow. The same interoperability standard allows data sharing among any EHR and any software solution connected to a HISP. Using an email analogy, you may have Microsoft Outlook installed on your computer, but if it isn’t connected to an email network, your emails can’t go anywhere and none can get to you. Similarly, your CEHRT can send and receive Direct-compliant messages, but those messages won’t go anywhere unless you and those who you are communicating with have valid
HISPs are important partners for Health IT developers seeking ONC EHR Certification. HISPs provide certification requirements related to Direct Secure Messaging that are out of scope for most developers, enabling them to meet and satisfy Certification requirements.
Some HISPs are end-user facing with recognizable brand names and user interfaces while others operate behind the scenes as an integrated module of an EHR or similar health IT solution. HISPs that tightly integrate with EHRs or HIEs are sometimes owned and operated by the solution vendor and provide a captive service tailored to the solution. Independent (aka: pure-play) HISPs are typically full-service providers offering a range of connectivity and service options to suit the needs of a range of end-user requirements.
HISPs provide multiple sub-services underlying the Direct Secure Messaging service:
- Direct Secure Messaging Addresses
- A Direct address is similar to a typical email address with the exception that it operates exclusively on the DirectTrust network. The specialized digital certificate affixed to a Domain/Direct Address is recognized by DirectTrust network operators can only be issued by an accredited DirectTrust HISP. The digital passport represented by the certificate makes Direct Addresses unique from Gmail, Outlook, Yahoo, and similar addresses that operate on standard email. The Certificate also encrypts messages and confirm the identity of the sender and receiver, resulting in non-repudiation. encrypt the data on behalf of an organization. Support for managing the encryption and decryption at the HISP level
- DirectTrust Onramp Connectivity Options
- edge protocols (eg: XDR or S/MIME)
- A web-based mail portal with accessibility support
- Protocol transformation and routing: SMIME/SMTP, IHE XDR, web services
- Digital Certificate Issuance and Live Cycle Management
- The DirectTrust-authorized digital certificates provisioned by HISPs required specialized management and sharing capabilities that only HISPs are qualified to provide.
- Participation in the DirectTrust Accredited bundle.
- Certificate issuance and registration authority
- Identity Authentication (aka: identity proofing)
- To maintain the DirectTrust network clean of bad actors (e.g.: spammers), HISPs are required to confirm the true identity of participants in Direct Messaging prior to provisioning a Direct Address
- Message Delivery Notification
- Message completion acknowledgements collected and reported out by HISPs are considered to be irrevocable proof of message delivery and thus have important weight in legal and CMS reporting
- Direct Secure Messaging Service Support
- Providing online and phone support for onboarding, connectivity issues and outages, and other service needs
- High-availability and disaster recovery:
- Healthcare Provider Directory (HPD)
- Publish Direct Addresses to DirectTrust HPD
- Enforcing DirectTrust Rules of the Road
- Maintain accreditation attesting to trust relations
- Security and Trust Framework