Inpriva was the first in the nation to handle the transmission of live patient PHI between two different EHR systems using the DirectProject specifications. And now Inpriva is able to offer these same service capabilities to our partners in the HIE, ACO and IDN Community sectors. Together we can bring fundamental change in the way healthcare is provided. We recognize the strides that have been made to bring about EHR adoption and we are excited to be able to offer the secure electronic messaging services that will finally connect the various EHR platforms and providers. Inpriva has been a leader in the development of secure communications for healthcare professionals for years and is an active participant in the Direct Project and numerous national standards bodies promoting the adoption of Direct-Compliant email and messaging services.

All of Inpriva’s services and capabilities are available to the HIE, ACO and IDN Community participants. Inpriva has a full suite of services including Certificate Authority, Trust Anchor, Provider Directory, Patient Consent Gateway and of course, our hDirectMail service. All of our services are designed to be Direct Project compliant and are available under a variety of business models to fit your needs.

Healthcare Grade e-Mail for Healthcare Professionals

hDirectMail is an electronic messaging and email service designed to provide Covered Entities and their Business Associates a private, secure, Direct-compliant channel for the exchange of patient Protected Health Information.

Included as part of the hDirectMail core service offering are the following features:

  • Identity authentication services are integrated into the hDirect Network to ensure that each end-user has a proofed, unique identity that can be used to communicate securely and instantly with any other trusted user that has a Direct-compliant endpoint (e-mail address).

The integration with Identity Services enables larger organizations to provide proof of identity for their employees using a simple-to-use interface into our system. The resulting certificates are considered as secure as the certificates that we proof.

  • Secure e-mail interfaces, all using SSL/TLS encryption to ensure the confidentiality and integrity of the information content. The interfaces currently supported are:
    • SMTP
    • POP3
    • IMAP
    • Direct Web Service Edge protocol
    • IHE XDR Web Service protocol
  • Direct-compliant S/MIME digital signing and encryption of all message traffic between organizations.
  • A secure, web-based administrative control panel that allows clients to self-administer accounts, trust policies, and value-added services.

As a provider of health information networks, and specifically, Direct Project-compliant services, our communication services are agnostic with respect to the contents of the message being transmitted and any attachments contained in the transmitted message. With that said, we do specifically support HITSP C32 (CCD) content as well as IHE XDM/XDR packaging and metadata content in order to provide healthcare-specific audit functionality for our clients.

Inpriva has been a leader in the area of healthcare standards, participating and leading efforts nationally and internationally. We are committed to ensuring that our service offerings are compliant with all relevant standards, both current and future.

The following lists the particular standards that our service offerings currently comply with and/or leverage:

  • Direct Project specification
  • OASIS WS-Security 1.0
  • HITSP C32 (CCD)


Inpriva has designed its identity management and Certificate Authority services (“Inpriva-CA”) in such a way that the Certificate Authority services can be considered a subset of the identity management services. These CA services may be “private labeled” so that the “CA” that is presented to the world may be designated by you. The CA may issue Digital Certificates intended for different purposes and that reflect different Certificate Policies—e.g. Direct Digital Certificates and Digital Identity Certificates (supporting digital signatures). The Inpriva-provided CA services can issue digital certificates cross-certified to the Federal Bridge and referencing a Certificate Policy that reflects the identity proofing and assurance policies required by you. A related identity management service is secure two-factor, person-centric authentication that allows a provider to be proofed once but use that same identity to gain authorized access to sensitive healthcare resources across organization boundaries.

Policies and Procedures
Inpriva closely follows the policies and procedures required by the “X.509 Certificate Policy For The Federal Bridge Certification Authority (FBCA)” (“FBCA Certificate Policy”) published by the Federal Public Key Infrastructure Policy Authority and available at . In addition, Inpriva will enforce any more specific policies and procedures specified in the Certificate Policy Profiles referenced in its certificate policies or those of your company.

Registration Authority
Customers may serve as the Registration Authority (RA) for the Inpriva-CA and would have primary responsibility for establishing Subscriber identity either directly or through designated qualified Trusted Agents or approved procedures allowing an entity certified and authorized by a State or Federal Entity to confirm identities (e.g. a Notary Public). The identity proofing will conform to FBCA Medium Assurance Level (maps to NIST Level 3).
Both Inpriva-CA and your company, in its capacity as an RA, must enforce the policy and procedure requirements as specified in the FBCA Certificate Policy. Individuals representing your company-RA must be proofed to FBCA Medium Assurance Level and authenticated using two-factor methods upon login to the Enrollment System. Initially, we will provide two-factor authentication using one-time password (OTP) hard tokens in a manner compliant with the OpenID and OAuth specifications.

Inpriva also provides OpenID-compliant and OAuth-compliant services that allow the Subscriber to create an OpenID Identifier and bind it to the Inpriva-CA proofed identity. This Identifier together with an OTP hard token is used to provide the two-factor authentication required for access to the Enrollment System. Inpriva can optionally provide support for the use of PKI-based credentials, which may be preferred in some cases.

Certificate Expiration
As a digital certificate’s expiration date approaches, the Inpriva-CA can be configured to send out notification emails to interested parties. Configurable parameters for the notifications include recipient(s), message content, date, relative date (with respect to expiration) and frequency. Default schedules can be established and these can be modified by the RA Administrator.
If the existing digital certificate has not expired, the Subscriber can access their Inpriva-CA account, either by going to the Inpriva-CA website directly or by following a link provided in an email expiration notice sent to the Subscriber. After the Subscriber affirms that no material changes have occurred and makes any payment required, Inpriva-CA will revalidate as necessary and flag the digital certificate as extended and reissuable. The Subscriber’s HISP may then submit a request to renew the Subscriber’s Direct Digital Certificate. Optionally, notifications of the renewal of the digital certificate may be sent to the Subscriber’s designated HISP.

Certificate Revocation
Many situations or events may result in the need to revoke a digital certificate. Depending on the circumstances, the revocation may be initiated by Inpriva-CA or the Subscriber. For example, the Inpriva-CA may need to revoke a certificate due to a change in status of a proofed attribute or a compromise of a CA private key. Reasons that the Subscriber may request a revocation or reissue include private key compromise, a change in HISP, a change in sponsored employee status or changes in a proofed attribute. Depending on the situation, the request for a revocation or reissue may come directly from the Subscriber, through your company-RA or from a HISP acting as the agent for the Subscriber.

Inpriva utilizes redundant logging with cryptographically enforced integrity checking to ensure critical key material is only utilized in authorized transactions. Key material itself is created and stored in FIPS-certified Hardware Security Modules (HSMs). Policy, subscriber and relying party agreements require key material outside the control of Inpriva to be protected to minimal standards which may include the use of FIPS-certified hardware devices to protect private keys. Any violations require revocation of corresponding certificates.

Certificate revocation processes follow the requirements of the FBCA Certificate Policy. Publication of certificate revocation status to OCSP servers and Certificate Revocation Lists (CRLs) is carried out according to applicable technical specifications and standards.

CRLs are generated and published daily. However, the Inpriva-CA can optionally publish more frequently if required by emerging federal policy and guidelines. Certificate revocation status is published in near real-time using the Online Certificate Status Protocol (OCSP).

Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) are both available to other systems in accordance with requirements of the FBCA Certificate Policy. Digital Certificates issued by the Inpriva-CA include fields referencing the location of published CRLs and the real-time OCSP service.

Inpriva makes available to all of its subscribers a complete Directory of all Direct-compliant Inpriva subscriber addresses. The Directory contains all public information regarding the subscriber such as name, direct address, organization, physical address, etc. Subscribers can search the Directory in a variety of methods to find specific healthcare providers or business associates and their corresponding Direct email address. This service is provided free of charge to all subscribers of Inpriva’s hDirectMail service.

Inpriva also provides access to our Directory of subscribers to any other qualified Health Information Service Provider to facilitate the transmission of Direct-compliant messages between subscribers, regardless of the underlying Health Information Service Provider.

Healthcare Organization (HCO) Directory
The Healthcare Organization (HCO) Directory Services offered are based upon an open source LDAP repository and include the IHE HDP schema as described in the IHE IT Infrastructure Framework Supplement – Healthcare Provider Directory. The HCO Directory Services include support for the DSML interfaces described by the IHE specification.

Inpriva also supports the creation of unique Directories that contain information beyond what is required in the DirectProject initiative. These standalone Directories can be used as authoritative Directories for Trust Communities created at an organization, state or regional level. Authoritative information for provider entries will have to be identified and the Directory owner would be responsible for the process of maintaining the directory’s content.

In both cases, the HCO Directory will be hosted and operated in a High Availability environment with replicated directory servers.

Inpriva has a fully defined partner program whereby our partners can actively promote the widespread adoption of DirectProject compliant messaging for the healthcare industry. Our partner programs provide healthcare industry participants the ability to tailor a program with Inpriva that meets their financial, legal and operational requirements.

Becoming a Marketing Partner is easy to do and brings measurable benefits to the Partner and Inpriva. The Marketing Partner’s only responsibility is to actively endorse Inpriva’s hDirectMail service to their constituents and in return earn commissions on all of the services purchased by their members. Alternatively, Marketing Partners could arrange for a membership discount for their constituents instead of taking a commission. Inpriva directly supports the marketing activities and handles all of the sales, enrollment, service delivery and billing functions. To learn more about our Marketing Partner Program, email us or call (970) 472-1441.

The Marketing Partner performs the following functions to endorse Inpriva services to their constituents:

  • Direct communications
  • Web-site presence
  • Group events
  • Other marketing programs

Inpriva performs the following functions:

  • Provides all marketing materials for Inpriva services
  • Performs the sales function and enrolls end-users in the service
  • Bills & collects payments from end-users
  • Performs customer service
  • Pay Partner Marketing fees based on billings to end-users

For those healthcare industry participants that want to actively sell Inpriva’s services, we have our Sales Agent Program. It is the Sales Agent’s responsibility to promote and sell Inpriva’s services to end-users. In return, Inpriva pays you a recurring commission on the end-users’ billings for as long as they remain a customer. Inpriva provides all of the training and marketing materials and supports the agent throughout the sales process. Inpriva is responsible for delivering the services, billing and collections from end-users, while the Agent earns a recurring commission for maintaining the end-user relationship. To learn more about the Sales Agent Program, email us or call (970) 472-1441.

Sales Agents perform the following functions:

  • Assign sales and technical resources to the Inpriva program
  • Sell Inpriva branded product to end-users
  • Sign contracts and enroll end-users
  • Supports the service activation process
  • Maintains the customer relationship

Inpriva performs the following functions:

  • Authorize Agent to sell our services
  • Train Sales Agent employees on all Inpriva services
  • Provide sales collateral and direct marketing support
  • Activate new end-users and ensure service is working properly
  • Invoice & collect payments from end-users
  • Performs all customer service functions
  • Pay agent fees based on billings to end-users

Inpriva’s Reseller Program is designed to enable healthcare industry participants the ability to resell any of Inpriva’s services to their customers and have ultimate control over the marketing, pricing, branding and billing of those services. As an authorized reseller you will be able to integrate Inpriva services into your service offerings on a bundled or standalone basis. Being a reseller means you have the opportunity to take advantage of the massive market for DirectProject compliant messaging services without having to make the investment to become a Health Information Service Provider. To learn more about the Reseller Program email us or call (970) 472-1441.

Resellers perform the following functions:

  • Actively markets and sells service to the end-user
  • Enrolls end-users in services and ensures service contracts are completed
  • Bills & collects payments from end-users
  • Performs first level customer service
  • Pays Inpriva for the wholesale cost of services provided to end-users

Resellers have the option to:

  • Private Label the service
  • Integrate the Inpriva web-site into their own
  • Integrate ordering and service information into their systems
  • Integrate billing into their billing systems

Inpriva performs the following functions:

  • Contracts with reseller to sell our services
  • Train Reseller employees on all Inpriva services
  • Provide sales collateral and direct marketing support
  • Activate new end-users and ensure service is working properly
  • Performs 2nd level customer service and network support
  • Bills Reseller for all accounts and value added services at agreed upon rates