DataMotion™ Direct allows healthcare providers to send and receive Protected Health Information (PHI) with other Direct address holders to meet MU2 requirements, comply with HIPAA, and enhance health information exchange.
Check out the frequently asked questions about DataMotion Direct, below.
The Direct Project established a set of standards to support workflows in which a patient transitions from one health care provider to another. Direct Secure Messaging (Direct) allows an EHR user to “push” a patient’s information to a clinician and for that clinician to receive the information in his or her EHR. “Push” refers to sending a patient’s information proactively, as opposed to a “pull” model, which information is requested when needed. Direct uses Public Key Infrastructure (PKI) to establish trust between its participants by applying digital certificates.
There are many ways to initiate a Direct Secure Message:
- XDR (Cross-enterprise Document Reliable Interchange) – This method uses a web service according to specifications defined by Integrating the Healthcare Enterprise (IHE). XDR requires an established relationship between the sender and receiver through a certificate exchange. DataMotion can establish one destination to send XDR Messages to (Endpoint) per company.
- SMTP Native Connection (Simple Mail Transfer Protocol) – This is the protocol used to send email over the internet, and the Direct Project added message-level encryption for use in healthcare. SMTP provides a means of discovering how to route a message based on the recipient’s address, using Domain Name System (DNS) services, so you don’t need an organization record for each recipient’s organization. DNS, like SMTP, is a staple of Internet connectivity.
- SMTP Web Interface (DataMotion Direct Messaging Portal) – While utilizing the same DNS and Lookup process as native SMTP, DataMotion provides a full featured web interface for sending and receiving Direct messages.
- API (Application Programming Interface) – These are a set of programming instructions and standards for accessing a Web-based software application. DataMotion has a full suite of APIs available for implementing an integrated experience with your application. These APIs allow you to create new messages, verify sent messages, manage users and more. Messages are still delivered via SMTP through the Direct Protocol.
A Direct address is used to route a Direct message to a specific recipient. It looks just like an email address and, like email, has two parts separated by an “at” (@) symbol.
Before @ is the local part of the address. The local part lets the health care organization receiving a Direct message know what user or In Basket pool should get the message. After @ is the domain part. The domain part serves two purposes:
- The domain lets the system sending a Direct message find the system to which it should send that message.
- If the message is being sent through a HISP (see below), the domain lets the HISP know to which of its members the HISP should route that message.
A Health Information Service Provider (HISP) is an intermediary that routes Direct Secure Messages to and from your organization.
When a HISP sends a Direct Secure Message, it will:
- Use DNS (Domain Name System – A service that translates domain names into IP addresses) to look up the server that the HISP should send the message and the certificate the HISP should use to encrypt the message.
- Check whether the HISP trusts the recipient’s digital certificate. If it does not, the HISP rejects the message.
- Encrypt the message using the recipient’s certificate.
- Sign the message using the sender’s certificate.
- Send the message
When a HISP receives a Direct Secure Message, it will:
- Check that it trusts the certificate used to sign the message. If it does not, the HISP rejects the message.
- Decrypt the message.
- If it is a third-party HISP, use the domain part of the Direct address to determine which of its member organizations is the intended recipient and send the message to that organization
Note that if two organizations happen to share the same HISP, the routing is simpler. In that case, the HISP would receive the message from one of its members and send it directly to the other member.
When you communicate with your HISP using XDR, DataMotion as a receiver’s HISP will use Direct SMTP to communicate with the rest of the world as illustrated in the diagram below.
Yes.
A HISP not only provides the actual software for sending messages it also provides a suite of other services required “behind the scenes” such as DNS hosting, certificate lookup and the rights of being part of the DirectTrust bundle(s).
A DirectTrust Bundle is a collection of trust anchors (high level digital certificates utilized to establish initial trust during Direct exchange, as opposed to end-entity Direct certificates) that meet a common set of minimum policy requirements within a Trust Community Profile.
DataMotion is a full service HISP for Direct, compliant with the Direct Project Protocols, with products/services including:
- Direct addresses issued for all your users
- Access to the comprehensive DataMotion Healthcare Provider Directory (HPD)
- Services to help you achieve Meaningful Use Stage 2 (MU2) certification
It’s an electronic, searchable resource that contains entries for providers, and potentially other entities like clinics or specialty departments, to which a Direct message may be sent. Each entry generally includes the recipient’s name, Direct address, practice location, contact information (phone/fax), National Provider Identifier (NPI), provider specialty, and role/functions within the organization.
The role of a HISP is to securely route Direct messages. When you join a HISP with bundled directory services, you typically will gain access to the provider directories from your HISP’s other customers, and the other customers likewise will gain access to your provider directory.
Yes, if you have that provider’s Direct address, DataMotion as a HISP can route a message to anyone who has a Direct address. However, doing so also requires establishing a trust relationship between DataMotion and the recipient’s HISP. As an EHNAC-accredited HISP, DataMotion can interoperate with any HISP that participates in the DirectTrust bundle.
Possibly. While not every HISP will be able to provide you with a directory that extends beyond its own customers, DataMotion substantially extends the scope of its provider directory by partnering with other HISPs and healthcare entities to make DataMotion Direct addresses discoverable to other providers across the country
DataMotion is an Electronic Healthcare Network Accreditation Commission (EHNAC) accredited HISP. EHNAC’s Direct Trusted Agent Accreditation Program (DTAAP) ensures that HISPs adhere to policy and best practice recommendations surrounding Directed exchange.
The DataMotion HISP Technical Support Agreement, part of the overall DataMotion HISP Agreement outlines the support mechanism for the DataMotion HISP. The SLA specifies the response time for different levels of support issues.
A typical domain name for your organization would be @direct.healthcompany.com.
Once your application is approved, your new Direct address is assigned. It might look something like this: [b.wells@direct.yourclinic.com], or this: [b.wells@direct.dmhisp.com]. Depending on whether your organization will have many Direct address holders and its own, custom direct domain name as seen in the first example, or if you want to use the DataMotion Direct ‘dmhisp.com’ domain – which makes sense for small organizations that just need a few Direct addresses.
There can be options regarding a domain name as well as some technical limitations that could affect what options are compatible with your current webhost or DNS provider. DataMotion provides assistance to Direct customers to make the right choice of domain name and structure.
Because of the strict guidelines and protocols set forth by Direct Trust, both the sender and recipient of a Direct message must have a Direct address. If the recipient does not have a Direct address, then the message will not be sent.
No. Direct Secure Messages may only be sent to a Direct another Direct address. A standard email address is not a Direct address.
DataMotion offers multiple options for establishing a connection between third party health information technologies and the DataMotion HISP. Standards compliant connectivity is achieved via:
- Web service calls/APIs
- SMTP/POP3
- XDR/XDM + SOAP
- DataMotion-provided web portal
Integration typically involves the following steps:
- Establish Direct addresses for the EHR users who need access to Direct
- If the EHR supports connectivity via the XDR protocol, establish an XDR connection
- If API integration is involved, use the developer sandbox provided by DataMotion to develop and test the application calling into the DataMotion APIs.
The DataMotion Direct Software Developer Kit (SDK) offers up a set of robust APIs that integrate into your workflow without any disruption. DataMotion will setup all the Direct addresses, certificates, encryption, and message routing. DataMotion provides assistance all the way through and is also recognized by our customers as a reliable integration partner.
You can send a Direct message to (or receive a Direct message from) any EHR that is in DataMotion’s HISP, or to any EHR that is in another HISP.
Yes, it is possible to access your Direct Messages in a secure manner from your cell phone, tablet, and any other mobile device, using the DataMotion mobile optimized Direct Messaging Portal.
To enable developers and compress development cycles, DataMotion’s connectivity methodologies are incorporated into a developers sandbox with open web standards such as web services, S/MIME, SMTP, etc. to test your system. Developers familiar with standard web communication protocols, including HTTP, XML, and SOAP will be able to use the sandbox with minimal training and support. The sandbox contains:
- Integration code samples
- API documentation
- Implementation guide
Visit our Direct Developer Center here!
Yes, you can provision your own users through the DataMotion Direct Administrator User Interface.
DirectTrust standards currently support a model where certificates can be unique to an individual Direct address, or to a collective, organizational domain. Read more here
- Individual Certificates are assigned to a person who is not part of an organization but needs to send Direct messages.
- Organizational Certificates are assigned to an Organization’s domain for use in Direct messaging.
DataMotion offers the following categories of Direct addresses:
- Individual Direct Address
- Group Direct Address
- Workflow Direct Address
Read more about these types of addresses here
As per DataMotion HISP agreement, the standard data retention period for each DataMotion Direct mailbox is 30 days.
DataMotion adheres to DirectTrust LoA3 for all Direct Users (equivalent to NIST 800-63-1 Level 3 or Kantara Level 3 or FBCA Basic or Medium). Read more here
DataMotion can implement your Direct solution in as little as 1 day.
Yes. DataMotion covers the MU requirements for both Transitions of Care and View Download Transmit (VDT).