Appl Clin Inform 2022; 13(03): 767-773
DOI: 10.1055/s-0042-1753540
Invited Editorial

Direct Secure Messaging in Practice—Recommendations for Improvements

Simone Arvisais-Anhalt
1   Department of Laboratory Medicine, University of California, San Francisco, California, United States
2   Department of Hospital Medicine, University of California, San Francisco, California, United States
Kathryn Ayers Wickenhauser
3   DirectTrust, Washington, District of Columbia, United States
Katherine Lusk
4   Texas Health Services Authority, Austin, Texas, United States
Christoph U. Lehmann
5   Clinical Informatics Center, UT Southwestern, Dallas, Texas, United States
James L. McCormack
6   Department of Medical Informatics and Clinical Epidemiology, School of Medicine, Oregon Health & Science University, Portland, Oregon, United States
7   Oregon Rural Practice-based Research Network, Oregon Health & Science University, Portland, Oregon, United States
Kristian Feterik
8   Department of Medicine, University of Pittsburgh School of Medicine, Pittsburgh, Pennsylvania, United States
› Author Affiliations

Background and Significance

Transitions and coordination of care require communication among clinicians that may occur through a variety of channels. Ideally, information received from a referring clinician is integrated automatically into the patient's electronic health record (EHR) to allow the seamless use of the information.[1] As clinicians work in a plethora of locations and for different employers, handoffs and collaborations rarely occur in a face-to-face setting and instead through electronic communication, such as messaging through EHR-based inboxes.[2] Most clinicians are familiar with EHR-based electronic communication within a health system and some may be aware of electronic communication across organizations that use the same EHR vendor.[3] However, fewer are aware of Direct Secure Messaging (DSM), which facilitates EHR-based electronic communication by health care organizations using different EHR systems (either different instances from the same vendor or across different vendors), even if they use it daily. This editorial intends to introduce the reader to DSM and its functionalities. Additionally, we highlight current challenges and shortcomings of this point-to-point communication tool that have prevented DSM from achieving a more important role in health care interoperability. Since 2011, DSM has been available as a push mechanism (sender-initiated) for exchanging encrypted health information among clinicians, patients, and organizations via the Internet.[4] EHR vendors are required to support DSM capabilities to meet the Certified Electronic Health Record Technology (CEHRT) requirements of 2014 and 2015.[5] [6] Although CEHRT helped to promote near-universal implementation of DSM capabilities among EHR vendors, EHR vendors implemented this feature under a variety of names resulting in a confusing nomenclature ([Table 1]).

Table 1

Examples of Direct Secure Messaging aliases in different EHR systems

EHR vendor

Alternate terms




Direct, Direct Messaging, Secure Messaging, Direct Secure Messaging


Direct Secure Messaging, eReferral


Cerner Direct, Secure Messaging, Direct Referrals, Direct Email, Direct Secure Messaging, Direct


Direct Message, Direct Messaging, Transition of Care, TOC


eClinicalDirect, P2P, Provider to Provider, Direct, Direct Secure Messaging, Direct Plus


Care Everywhere, Care Everywhere Outside Messaging, CE Outside Messaging, Direct Messaging, Direct Protocol

Evident (Centriq)

Secure Messaging

Glenwood Systems

Direct Messaging


Direct messaging

iShare Medical

iShare Medical Messaging




Direct Messaging


NextGen Share, Direct Messaging


Integrated Direct Messaging


Wellsky IaaS, Wellsky IO, Wellsky Direct

Abbreviation: EHR, electronic health record.

Source: Adapted from Direct Secure Messaging Aliases. Available at: Accessed April 26, 2022.

DSM is a flexible technical framework that was designed from the start to support a wide range of use cases for secure patient information transmission. Because DSM is agnostic to the message contents and can support multiple file formats as attachments, common uses include transitions of care (sending patient care summaries and coordinating referrals), notifications and messaging (real-time notification of acute care admissions, discharges, and transfers), and administrative functions (patient-specific pharmacy notifications). [Table 2] lists some of the currently used or proposed use cases for DSM in contrast to other modalities of health information exchange (HIE).

Table 2

Use cases for Direct Secure Messaging (DSM)








Paper or voice

Transitions of care

• Exchange care summaries







• Send and receive referrals




• ADT notifications






Provider messaging

• Provider-to-provider





• Patient-to/from-provider





• Pharmacy, payer, other messaging




Additional use cases

• Public health reporting







• Immunization status






• Test result delivery






Abbreviations: ADT, admission/discharge/transfer; FHIR, fast health care interoperability resources; HIE, health information exchange; QBIE, query-based information exchange.

If the data are formatted using existing standards such as the Consolidated Clinical Document Architecture, discrete elements may be incorporated directly into the receiving EHR. For example, a DSM message that contains the patient's immunization data in a machine-readable format can be used to incorporate past immunizations into the local EHR's immunization section allowing the EHR's forecasting tool to access the data and avoid duplicate, unnecessary immunizations. The benefits of incorporating data contrast with traditional modes of communication such as fax, scanned paper records, or email ([Fig. 1]). Even if incorporated into the EHR, scanned or faxed records are usually in the form of attachments that are not searchable or accessible to decision support. Given DSM's secure and encrypted nature, the authors are unaware of any cases where it has been misused to send spam.

Zoom Image
Fig. 1 Email versus Direct Secure Messaging: what's the difference?


History of Direct Secure Messaging

In 2004, the U.S. government, in collaboration with public and private stakeholders, proposed the Nationwide Health Information Network (NHIN) to link regional and state HIEs securely to create a national, interoperable “network of networks” for sharing health care data. The NHIN framework contained technical, policy, and other requirements as well as data use and service level agreements enabling health data exchange. Despite these proposed interoperability advances at the level of global health information technology (HIT) infrastructure, the goals of NHIN were largely unattained and there still remain significant interoperability needs affecting clinicians' day-to-day practice. In 2009, in response to the need for “simple interoperability” to enable effortless communication (e.g., clinician to clinician electronic communication across institutions),[7] the NHIN Workgroup recommended the creation of additional specifications to include simple, direct, secure standards for point-to-point messages. Heeding these recommendations, the Office of the National Coordinator for Health Information Technology (ONC) launched the Direct Project in 2010.[8] This volunteer group of participants from more than 60 organizations assembled consensus standards that support secure exchange of basic clinical information and public health data,[9] and were included in the NHIN framework.[10] In 2012, DirectTrust was founded as a nonprofit membership organization to become the guardian of the work of the Direct Project, including the Direct Standard on which DSM is based.[11] DirectTrust remains not only the custodian of the standard, but also the entity that ensures the requirements regarding security, privacy, encryption, and certificates are enforced.[12] DirectTrust accredits health information service providers (HISPs), certificate authorities, and registration authorities to ensure compliance with an agreed-upon set of standards, so that the network of organizations remains secure.[13] To date, DirectTrust has been seen as the authority and source of truth related to DSM.[14]


HITECH's Effect on DSM

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009 to promote adoption and “meaningful use” of HIT. Meaningful Use (MU) Stage 1 created the baseline standards for electronic data capture and information sharing. It required the capability for secure clinician-to-clinician messaging of patient information, but it did not mandate its use. MU Stage 2 and 3 did require that ambulatory clinicians use DSM for transmission of clinical summaries to third parties; however, this requirement was limited to only a small fraction of transition of care events. While MU helped drive the provision of DSM, universal adoption was not achieved and depending on the situation, health care information is still often exchanged through a combination of electronic messaging, fax, telephone, and physical mail.


Participating in DSM

Clinicians participate in DSM when the institutions where they perform their clinical duties, such as hospitals and health care practices, request a personal DSM address for them. Once the address is generated, it is linked to the clinician's EHR inbox, or the messages are accessible through a web portal. A clinician may have multiple DSM addresses if the employer uses several EHR or technology systems, or the clinician practices at multiple institutions with distinct EHRs. Changing employers usually requires retiring the old DSM address and assigning a new one. [Fig. 2] illustrates a standardized appearance of DSM addresses. Once a clinician has a DSM address and DSM is enabled at a clinician's institution, the clinician may use DSM to securely exchange patient information from his/her DSM address with another clinician using a different EHR if the recipient clinician meets the same two criteria: an active DSM address and DSM enabled at the institutional level ([Fig. 3]). To message other clinicians, their DSM addresses must be known to the sender. DirectTrust collects published Direct addresses from participating HISPs and compiles them into a single aggregated directory. According to the DirectTrust, at the time of writing this manuscript, about half of all DSM addresses are included in the aggregated directory.[15] This aggregated directory is then provided back to the HISPs so they can make the information available to their users.[15] Today, there is great variation in both what information HISPs provide to their users and how they provide the information. Some HISPs share DSM addresses exclusively within their own customer community. Others may not capture the National Provider Identification or use nonstandard ways to capture the clinician's physical address making address matching difficult to impossible. This variability has hindered growth of DSM, as it may impede the ability to locate an address. On June 30, 2020, ONC and Centers for Medicare and Medicaid Services (CMS) mandated[16] that clinicians participating in Medicare list their digital contact information, like a DSM address or Fast Healthcare Interoperability Resources endpoint, in the National Plan and Provider Enumeration System to improve information exchange. Despite this mandate, many clinicians have failed to do so as evidenced by the recent “Public Reporting of Missing Digital Contact Information” published by CMS,[17] where the names of those who did not report DSM addresses can be found. It is unclear how much of the nonadherence to publishing digital contact information is related to clinicians not being assigned DSM addresses, clinicians being unaware of the reporting requirement, or there being issues with the database. Adoption of DSM has been on the rise. By the end of 2021 there were nearly 2.8 million addresses in the United States (a 33% increase from 2020)[18] and yet it is unknown how many of these are actively used. Also unknown is the breakdown of clinicians these addresses are assigned to (physicians, nurses, administrators, organizations, patients, etc.). In 2021, there were nearly 945 million messages exchanged and the cumulative number of messages since the inception of DSM exceeded 2.9 billion.[18] However, the content of these messages, their (un)successful receipt and opening, and their usefulness remain unexamined.

Zoom Image
Fig. 2 Direct Secure Messaging address looks like an email with direct often in the domain.
Zoom Image
Fig. 3 Sample Direct Secure Messaging workflow. A health information service provider (HISP) is an accredited network service operator that enables clinical data exchange using Direct Secure Messaging.


Remaining Challenges

DSM is one strategy among many to increase interoperability in health care; however, there remain many barriers to DSM reaching its full potential and effectiveness. Two of the major challenges include incomplete adoption and clinician burden.

In a consensus statement recommending feature, function, and usability enhancements to DSM, Lane et al described 57 specific capabilities that sending and receiving systems (including EHRs, HISPs, and HIEs) should have for efficient and effective use by clinicians ([Table 3]).[19] Of these, 23 were found to be high priority for transitions of care, clinical messaging, and administrative functions. These included improvements to message content and metadata, options for delivery and distribution, general usability, patient-matching and record reconciliation, and system features for handling transmission and content errors. While many EHR systems do support some of these features, they are not implemented consistently across EHR vendors or are often only partially implemented by organizations.

Table 3

Supporting Direct Secure Messaging functions in the EHR

Inbound messages

• Receiving systems automatically match incoming messages to existing patients.

• For new or unmatched patients, the messages are queued for patient registration or manual matching.

• Receiving systems can consume all supported attachment types[a].

• Direct message components[b] and attachments display reliably in a consistent manner in a personal inbox of the recipient.

• Receiving systems support auto-routing of messages based on message context.

• Recipients can sort messages by common characteristics and attributes[c].

• Recipients can reply to the sender of a Direct message and to one or more additional recipients of the original message.

• Recipient user can forward messages and any associated attachments to one or more other recipients within their organization.

• Standardized data vocabularies[d] support transmission of discrete data.

• Receiving systems can notify end users about a new Direct message in real time.

Outbound messages

• Sending users may create and send a patient-specific message to any DSM recipient.

• The recipient address selection does not rely solely on a list prepopulated by the organization but allows also for manual entry.

• Sending users can add one or more patient-specific attachments including structured and unstructured data.

• Sending users can enter a message subject and indicate the priority level.

• Sending and receiving users can identify the message context without opening the message.

• Sending users can configure and maintain a list of frequently used DSM recipients and distribution lists.

• Users can send messages to multiple recipients.

• Users can compose and send a message on behalf of another individual with proper authorization and attribution.

• If the message cannot be delivered, the sending user is notified.

Abbreviations: DSM, Direct Secure Messaging; EHR, electronic health record.

Source: Adapted from Lane SR, Miller H, Ames E, et al. Consensus statement: feature and function recommendations to optimize clinician usability of direct interoperability to enhance patient care. Appl Clin Inform. 2018;9(1):205–220

a Examples of supported attachment types include XDM, PDF, GIF, and JPEG.

b Direct message components include sender, intended recipient, CCed recipients, message subject, priority, message body text, message context, etc.

c Common characteristics and attributes of Direct Secure Message include date/time of receipt, patient, sending user, recipient, context, priority, and subject.

d Examples of standardized data vocabularies include CPT, ICD-10-CM, SNOMED-CT, RxNorm, and LOINC.


Incomplete Adoption

Despite the growth of DSM, clinicians still lack DSM addresses, are unaware that they have a DSM address, or do not utilize DSM. Some organizations have not yet implemented an EHR (approximately 14% of ambulatory clinicians) and therefore do not use DSM. Other organizations may not have DSM turned on in their EHRs.[20] DSM is often a background technical functionality hidden to the user of technology, preventing awareness of this form of health care messaging. Furthermore, the rebranding of the DSM function ([Table 1]) has also created barriers to organizations' understanding that they are using the same underlying technology standard and can exchange information with each other. DirectTrust has created broad educational initiatives and tools, including “Steps for Success for Direct Secure Messaging” ([Table 4]). Considering EHR vendors have established relationships with the clinicians they support, that connection presents unique educational opportunities. We recommend that EHR vendors use the term Direct Secure Messaging to label this technology and all functionality related to it, as well as provide education on their DSM offerings.

Table 4

Steps for success for Direct Secure Messaging

Confirm capabilities

Check with your technology vendor to determine all of your Direct Secure Messaging capabilities! Direct can be used to support many workflows including referrals, transitions of care, and more.

Identify Direct addresses

Work with your technology vendor to identify any existing Direct addresses assigned to your organization. Consider optimizing Direct by creating addresses for specific purposes or departments, like referrals or admission/discharge/transfer notifications, etc.

Educate team

Teach team members how easy it is to use Direct! Make sure they understand the positive impact it will have on their workload, freeing up valuable time for patient-facing care.

Share Direct address

Be sure to publish your address in national directories (like DirectTrust and NPPES). Anywhere you have your fax number, list your Direct address(es), including your Web site, email signature line, fax cover sheet, and even in your organization's phone greeting and prompts.

Talk to partners

Let your frequent referral partners know you prefer Direct! Ask them to send patient information, referrals, requests for laboratories, etc. via Direct rather than other methods. Ask for their Direct address(es) to reciprocate the efficiencies you have gained to them!

Abbreviation: NPPES, National Plan and Provider Enumeration System.

Source: Adapted from Direct Secure Messaging Steps for Success Infographic. Available at: Accessed April 26, 2022.

Data integrity issues related to DSM address lookup through directories also hinder adoption. These issues include but are not limited to missing DSM addresses, lack of timely updates with clinician service transitions, or incomplete clinician demographics. Routines like EHRs only sharing addresses within their community of customers create unnecessary barriers to exchange. The lack of standardized access to a shared interoperable directory may result in failure to locate the recipient's DSM address or sending to an outdated address. Data integrity opportunities exist within organizations and within the vendor community. As DSM becomes more commonly used, the need for knowledge management to assure data integrity that supports leveraging DSM has become apparent.

Another limitation of DSM reaching its full capabilities may be the lack of standardization for message handling, leading some recipient EHRs to strip DSM attachments from messages and thus effectively blocking the message delivery. We recommend that vendors review their DSM functionalities and assure that all standardized content be deliverable.

One factor that could explain the reason why clinicians do not have DSM addresses is the lack of incentives for organizations to turn on DSM and to manage an active DSM address book. Additionally, tertiary referral centers may attribute little value to referral information. Receiving information may lead to less utilization of services provided at an institution (e.g., decreased use of advance radiology imaging), which may negatively affect the financial health of the organization. While the publication of missing digital endpoints for clinicians is a first step to provide broader access to Direct addresses and decrease the known address barrier, we recommend that ONC and legislators consider incentives that will increase adoption of DSM.


Clinician Burden

Recent years have seen an escalating number of reports about physician dissatisfaction and burden.[21] The increased tasks requiring “pajama time”—defined as physicians working after hours at home in the EHR—can be partially attributed to the increased volume of messages, including DSM.[22] Other modes of communication such as HL7 (Health Level 7) messages, electronic faxes, patient–clinician communication, referral and consultation messages, medication refill requests, EHR-native decision support messages, pharmacy benefits manager notifications, hospitalization messages, and health plans' authorization and denial communications have added to an unrelenting and insurmountable growth of messages in the EHR inbox. The flood of messages results in clinicians not working “at the top of their license,” which refers to the fact that many of the messages should not have reached the clinician in the first place. Instead, practice support staff, such as medical assistants, billing clerks, nurses, or office managers, should be the initial recipients. Indeed, the implementation of DSM at any organization must take into consideration appropriate clinical process changes to responsibly accept unsolicited messages and leverage existing technical capabilities to do so.



There are many causes that contribute to recipient inboxes overflowing with messages; unfortunately, only few are within a recipient's control. This reality necessitates close review of how DSM contributes to clinician burden and what systematic changes to DSM can be made to decrease this burden. The authors have identified two causes of clinician burden that can be attributed to DSM and potentially resolved. First, the authors have experienced DSM with ambiguous or vague message titles that require the clinician to open the patient record to correlate message data with existing patient information. Second, the authors have experienced DSM messages that are frequently duplicative where the same message may be delivered from multiple sources.



Despite a consensus statement in 2018,[19] consistently implemented standards for inbound and outbound message handling in EHR systems have not been realized, thereby hampering the ability to automatically route messages to the most appropriate individual. We recommend the development of EHR functionality to automatically de-duplicate and route messages to the appropriate staff or respective staff EHR messaging pools. We further recommend that EHR vendors provide education to their users about the capabilities of DSM ([Table 5]).

Table 5

Summary recommendations for improving DSM

• We recommend that EHR vendors use the term Direct Secure Messaging to label this technology and all functionality related to it, as well as provide education on their DSM offerings.

• We recommend that vendors review their DSM functionalities and assure that all standardized content be deliverable.

• We recommend that ONC and legislators consider incentives that will drive increased adoption of DSM.

• We recommend the development of EHR functionality to automatically de-duplicate and route messages to the appropriate staff or respective staff EHR messaging pools.

• We recommend that EHR vendors provide education to their users about the capabilities of DSM.

Abbreviations: DSM, Direct Secure Messaging; EHR, electronic health record; ONC, Office of the National Coordinator for Health Information Technology.


Conclusion—Making DSM More Usable

Information sharing through DSM point-to-point communication offers connectivity and digital collaboration among clinicians across the entire health system. DSM supports access to critical information as patients transition across systems and clinicians. With an ability to deliver a variety of document types, DSM has the potential to prevent duplicate testing and to fill information gaps; however, as currently implemented across the United States, DSM's full potential has not been realized. To improve health information interoperability, standards for DSM content, payload, context, priority, and metadata must be developed and collectively implemented. EHR functionalities to sort, filter, and redirect DSM messages efficiently are urgently needed. The health care community must embrace data integrity and standardization processes that result in interoperability of comprehensive DSM address directories. Incentives for the use of DSM must be improved and extended. Policies requiring vendors to integrate DSM efficiently into workflows and incentivizing organizations to use DSM will lead to adoption that is more complete. Future efforts should be devoted to describing DSM challenges in broad detail, proposing workable solutions to reduce EHR inbox management burden, and providing guidance on management of clinician directories to advance increasing use the DSM standard.


Conflict of Interest

None declared.

Address for correspondence

Kristian Feterik, MD, MBA
Department of Medicine, UPMC Montefiore
200 Lothrop Street, MUH G-100, Pittsburgh, PA 15213
United States   

Publication History

Received: 14 March 2022

Accepted: 06 June 2022

Article published online:
04 August 2022

© 2022. Thieme. All rights reserved.

Georg Thieme Verlag KG
Rüdigerstraße 14, 70469 Stuttgart, Germany

Zoom Image
Fig. 1 Email versus Direct Secure Messaging: what's the difference?
Zoom Image
Fig. 2 Direct Secure Messaging address looks like an email with direct often in the domain.
Zoom Image
Fig. 3 Sample Direct Secure Messaging workflow. A health information service provider (HISP) is an accredited network service operator that enables clinical data exchange using Direct Secure Messaging.