Friday, August 18, 2017

What's my Doctor's Direct Address

Lisa Nelson [a self-described CDA SME, Wife, Mother and designated daughter of two octogenarians] gave quite a fanciful skit and the ONC meeting last week.  In it, she pretended to be interrupted by her cell-phone, and had conversations with her youngest child [who needed a physical sent for camp], husband [who was sick while travelling], and eldest child regarding the fact that one of the grandparents fell and was in the hospital.  Throughout her response was the same.  Get their Direct address and I'll send ... and then some followup on what to do next [which was to mostly not worry because she had things under control].  That skit, she says, is her dream.

I believe in dreams.  An audience member sitting next to me said in aside: "I'm not sure many providers know or could even find out what their Direct Address was."

I decided to test this out, because I don't actually know the answer to that question for my provider. Nor does he, and NOT for lack of trying.  My secure message to him was quite simple (I've somewhat redacted his responses to preserve his privacy ... my data I feel free to share, but not his):

Do you have a direct address that could be used by other providers to send you data (e.g., a CCDA)? What would I tell them when they ask for it?

Very Same Day, 4.5 hours later.

Hello Keith, 

I have never been asked these technical questions in past and I am not sure. However, I have sent a message to our [Vendor] team to let me know how this works and I will let you know accordingly . I have not heard back from them as yet. I certainly know there are non [my hcp organization] providers who already have a link and they transfer the records directly to us electronically. [other hcp organization] hospital is one of them. 


Following Day

Hello Keith, 

I have left message with our [Vendor] team again and I have still not heard form our [Vendor] team for an answer. I am away from tomorrow for the next week. Certainly there is a electronic link for transferring records because, what I have seen is that [various] Hospitals send me some of the hospital records directly. I believe they have a link, not sure if it is CCDA. I think the [Vendor] team can establish a link if there is not already one in place with the provider you are mentioning. 

Thanks for your patience. 


I responded thanking him for his diligence and let him know my request wasn't urgent.  I then sent an e-mail off to the Medical Director for Informatics to track it down from the other end.

My point here though, it NOT to fault my healthcare provider.  When we design Direct Messaging, we included the notion that patients would be empowered by it in the addressing scheme.  Anyone could have a Direct Address, and it would be a secure way for all stakeholders in the HealthIT ecosystem to exchange information.

But it's not, and there are several different explanations I've considered for why that might be:

  1. Unintermediated electronic communication between patients and their physicians is avoided by policy due to HIPAA and ...
  2. Provider to provider communication is OK (I can get just about any provider to fax records with a phone call to another provider ... but fax them to my HOME number? God forbid, and HIPAA forfend.)
Now you and I know that the HIPAA boogeyman here SHOULDN'T exist.  But it does.  And because of it and years of prior policy, there's a challenge.

Other challenges include patient matching and trust.  When a provider gets a direct message from another provider about a patient, they implicitly trust the source, and are willing to match the patient with the data in the message.  But when patients start communicating via unintermediated electronic means, well, the information goes through a different set of filters.  The first step then is to be sure that one understands WHO the source of the communication is.  Did it come from, and was it intended to be about "my patient".

So, handing out Direct addresses for providers to patients seems culturally to be a bad idea, because you cannot actually know how they'll use it.

The answer here is to flip the addressing scheme, I think.  My Dr's Direct Address for me should be myuserid's+routing@hcpdomain.  When I give that address out, and someone uses it, the message, when received, can be securely accessed by hcpdomain, and it can route it internally as appropriate based on what I used for route.  So, if my userid was mg, and I set up my routing for my pcp to my doctor, his address would be mg's+pcp@hcpdomain.

We don't have to change the Direct Specification to support this.  That's already baked in to the specification.  Patient matching is built in when mg@hcpdomain is my identity as known to my healthcare provider.

It's not his "direct address", but rather "my direct address" for him.

Let's make it easy for patients and doctors to figure this stuff out.  The Direct Project was supposed to be the on-ramp to the health exchange super-highway.  What good is an on-ramp if patient's cannot find it.

    -- Keith

P.S. I had another post planned for the day, but the communication from my provider led me to rethinking Direct addressing, and I thought it relevant to the topics already discussed this week.

P.P.S and an update for the win: I asked someone who would know at my HCP's organization when I wrote the post, and was given w/in 12 hours. Unencrypted e-mail is SO effective (and completely legitimate for me and my HCP to use as I have given permission for that form of communication).


  1. Brilliant solution! Having the patient send a shared secret in their Direct address allows me, as the recipient healthcare provider, to make sure that it matches with the demographics that I receive with the message (assuming, for example, that I receive an attached CDA document). But the solution wouldn't work for Direct messages with no codified demographics (e.g. an attached photo or no attachment at all) because I would never trust a match on a single identifier.

    1. On the other hand, how protected is the To: address in a Direct message? Not sure you want that metadata containing a "secret" intercepted...

    2. Identifiers (such as a direct address), aren't secrets. As for trusting a match on a single identifier, surely you do all the time, every time someone sends you an email..., or you make a phone call ;-)

  2. I do find it interesting that it is common to be able to lookup a Provider on the web, and you will find their phone number and FAX number, yet they don't have their Direct Address listed... This should be listed... even if they primarily want it used Provider-to-Provider. Surely they don't expect patients to use their FAX.

    I do have a Patient centric Direct Address, everyone with HealthVault has one. But I have not ever figued out a use.

    My provider can be 'messaged' within their web site. A very nice web site. But no indication of normal e-mail, nor Direct...

    Hmmm, I would say this is more simply evidence of Direct existing because of Regulation mandate (incentives), while not being valuable enough to use. Might be poorly explained. But in my view it is simply too cumbersome.

  3. The C-CDA IG (which is a USA specification) should have required (recommended strongly) that all providers listed in a Patient's CDA (or at least the main PCP) be indicated in the with a that contained their Direct Address. clearly a "mailto:" type entry, but I am not finding a logical "@use" value for Direct.

  4. Sounds like some questions for ONC. How do patients find a provider's Direct address? How do providers find other providers Direct addresses? How do patient's get a Direct address?

    Hey ONC, why don't patients have access to a national provider directory? I know you guys are working provider directory requirements, but that stuff is the kitchen sink. Why not make it simple and just provide me a white pages of providers, facility name, street address, city, state, zip, phone numbers and Direct address. ONC, why not mandate that if they have a web site with contact info to include a Direct address.

    I know that DirectTrust has a directory, but that is limited to providers.

  5. NPPES per recent #PatientAccess rule!

  6. Just wanted to mention that some EMR systems' patient portals (Epic's for example) let you look up a provider's direct address. In Epic, the minimum required fields to look up a provider are Last Name and State.