HISP DESCRIPTION OF SERVICE
Version: November 11, 2020
This HISP Description of Service describes the Direct Messaging Service (the “Service”) and governs the terms of DataMotion providing the Service and the use of the Service identified in the Master Services Agreement Order Form (the “Order Form”). Capitalized terms not defined in this HISP Description of Service shall have the meaning ascribed to them in the Master Services Agreement Terms and Conditions located at https://www.datamotion.com/master-service-agreement-terms-and-conditions/ (the “Terms & Conditions”). Capitalized terms not defined in this HISP Description of Service shall have the meaning ascribed to them in the Terms & Conditions or the Order Form, as applicable. Any exceptions to the Terms & Conditions related to the Service are noted in this HISP Description of Service and are not to be construed as permanent modifications to the Terms & Conditions (i.e. they apply only to the Service). The term of this HISP Description of Service is effective beginning upon the Order Effective Date and continues through the completion of the engagement as it relates to the Service.
DataMotion is an Electronic Healthcare Network Accreditation Commission (“EHNAC”) accredited Health Information Service Provider (“HISP”) which enables secure transport of electronic health information between authorized users. In accordance with the standards and guidelines of EHNAC, the Service enables secure access for its authorized users, provides secure storage of the data during transport, ensures emergency backup and disaster recovery of data, and enables compliance with generally accepted information privacy and security standards and applicable laws, rules, and regulations, including, but not limited to, HIPAA.
DataMotion does not access, read or process contents of the encrypted email sent using the Service and has no knowledge whether the contents of the encrypted email contain ePHI or any other sensitive information.
DataMotion has installed a valid digital certificate for its HISP Service from DigiCert, an EHNAC certified Certificate Authority (the “CA”), in compliance with the requirements of the Direct Project.
DataMotion has established and shall continuously maintain a Trust Anchor relationship with DirectTrust.org, a designated and approved agency for the implementation of the Direct Project.
DataMotion will provide the Service for certificate management and user registration, and facilitate user onboarding and communications in conformity with requirements of the Direct Project, and in accordance with the terms of this HISP Description of Service.
The Service will include the following components:
1. Enrollment. DataMotion shall enroll Customer to register in accordance with the following procedure:
1.1. Customer shall be solely responsible for its organizational and administrative qualifications to enable DataMotion to obtain for Customer a Direct Org Certificate (based on Customer organizational domain) and Direct Address Certificate (based on the Administrator name and email address as well as the Org Certificate) from the CA.
1.2. Upon issue of the respective Direct Org Certificate and Direct Address Certificate, DataMotion will notify Customer and add the respective certificates to its database in order to provide access to the Service.
1.3. Subsequently, DataMotion will set up a co-branded DataMotion Direct Account for Customer. The named administrator (the “Administrator”) will manage the Customer account and will be authorized to add additional Users for Customer up to the maximum number of licensed Users. For the avoidance of doubt, the maximum number of licensed Users includes the Administrator. The account will be co-branded with Customer logo and provided with overall account management capabilities.
1.4. DataMotion will create a Direct Address for each User on-boarded based on each User’s required information in accordance with DirectTrust rules and guidelines and as further detailed in Section 8 below (“Directory Information”). Each Direct Address created by DataMotion will become part of its health provider directory (“HPD”) and made available to all Users of HISP. All Direct Addresses in the HPD will be accessible to any user with a Direct Address in DataMotion HISP or from any third party HISP using a compatible search function and in accordance with Direct Protocol. Customer and its Users expressly consent without limitation to include the Direct Address(es) in the HPD and to share the Directory Information with HPD of third party HISPs in accordance with guidelines provided by DirectTrust.
2.1. DataMotion will provide the Administrator with basic training regarding Customer’s registration, onboarding and use of DataMotion’s Service. The training will be provided remotely using online meeting, conferencing or similar tools.
2.2. Customer shall be responsible for subsequent onboarding and training of any and all of its Users and their ongoing support (i.e., helpdesk customer service regarding basic questions about the Service for which Customer has received adequate training from DataMotion).
2.3. DataMotion is not required to provide training or technical support services to Users, including training on password protection and information security requirements. DataMotion shall have no direct contact with any User except to provision the Services in accordance with this Agreement.
3. Reporting. DataMotion will provide Customer with suitable tools required for generating reports for its Direct Project compliance reporting and for submissions required for monetary reimbursement, if any. Except for baseline reports, if additional report writing tools are required, Customer shall be responsible for the applicable Professional Service Fees, if any, for tools to be developed by DataMotion.
4. Certificate Management. As part of DataMotion Direct HISP offering, certificate services are provided according to guidelines established by the Direct Project. These guidelines include certificate management, establishing Trust Anchors with approved partner HISPs, obtaining from the CA the organizational certificate for Customer to Direct-enable its subscribers, and maintaining certificates and renewals. DataMotion will provide notification to Customer when the certificate(s) is/are due for renewal. DataMotion shall automatically renew the certificate(s) with the CA unless Customer notifies DataMotion sixty (60) days prior to the renewal date not to renew the certificate. Customer shall be responsible for payment of any and all fees related to certificate renewal.
5. E-Communications. Any User communication passing through the Services automatically expires after 30 days and it is purged from the system. In addition, a User may delete a communication at any time prior to its expiration. Such deleted communication is also purged from the system. Any deleted or expired and purged communication cannot be recovered in any manner whatsoever and it is permanently lost. User is solely responsible for ensuring any information contained in such communications is appropriately handled, stored or archived independent of HISP Services, and DataMotion shall have no obligation or liability for the deletion of such communications.
6. Customer Security Responsibilities. Customer and its Users shall take proper measures to ensure security of access to the Service. This includes, but is not limited to: (i) the security credentials (User name and password for login) that allow outside access to a User’s account, (ii) not including personal information in non-encrypted fields such as the “Subject” line, and (iii) making sure that the recipient’s email address is correctly spelled. Customer acknowledges that DataMotion shall not be liable for any security violations by Customer or a User or by any recipient of their secure communications. Customer is solely responsible for providing proper training to Users and ongoing supervision of their use of the Services.
7. Customer Use of Service. Customer shall use commercially reasonable efforts to ensure that Customer and Users use the Services exclusively for authorized and legal purposes, consistent with all applicable laws, regulations and the rights of others. Customer shall notify DataMotion of any known misuse of the Service by a User (e.g., HISP Services used to send spam), although the parties recognize that the Customer will not monitor the content of any communications. Customer shall not attempt to interfere with or disrupt the Service or attempt to gain access to any systems or networks that connect thereto by any unlawful means.
8. Directory Information
|C||Provider Identifier, only for records containing the Direct Address.|
|O||Organization Name / Location Name (Typically Clinic)|
|C||Primary Telephone Number|
C – Conditional (if known, please provide)
R – Required
O – Optional
Copyright ©2020 DataMotion, Inc. All rights reserved.