DirectTrust operates Accreditation Programs for Health Information Service Providers (HISP) and for Certificate and Registration Authorities (CA/RA).
The purpose of the Accreditation Program is to ensure that Accredited Entities are compliant with DirectTrust Policy requirements and to ensure interoperability with other conforming Accredited Entities.
Accreditation by DirectTrust is a requirement for HISPs and CA/RAs wishing to have their anchor certificate included in one or more of the DirectTrust Trust Anchor Bundles, and their end-entity certificates used by their customers for Direct exchange with over 1.9 million participants in the DirectTrust network.
HIPAA Privacy and Security Accreditation or Certification is a requirement for all of the DirectTrust Accreditation Programs. The Accredited Entity must acquire a HIPAA Privacy and Security Accreditation from a DirectTrust approved vendor.
Currently, DirectTrust accepts HIPAA Privacy and Security Accreditation or Certification from EHNAC or HITRUST.
Accreditation Program Requirements
A HIPAA Privacy and Security Accreditation or Certification is required for HISP and CA/RA Accreditation. At this time the HIPAA Privacy and Security Accreditation or Certification may be received from EHNAC or HITRUST.
The DirectTrust Accreditation Programs demonstrate that the Accredited Entity is in compliance with DirectTrust Policy and may participate in the DirectTrust Network.
Compliance with DirectTrust’s Policies ensures that the Applicant:
- Is in conformance with all aspects of the Direct Exchange Protocol
- Interoperates securely with other HISPs in the DirectTrust Network
- Operates within the security, trust and business practice guidelines of the DirectTrust Security and Trust Framework
- Demonstrates the HISP’s ability to mitigate risk when handling Personal Health Information (PHI) through the implementation of effective management controls and practices.
- Has Certificates and Identity Proofing Policy and Procedures that are in conformance with DirectTrust’s Certificate Policy
Applicants must maintain a HIPAA Privacy and Security Accreditation or Certification that is valid for the duration of the DirectTrust Accreditation period. At the start of the HISP and/or CA/RA Accreditation Process, the Applicant will be advised that maintaining HIPAA Privacy and Security Certification or Accreditation is a requirement of the DirectTrust Accreditation Program.
During the Accreditation process each Applicant must supply evidence that they are either Accredited or Certified for HIPAA Privacy and Security. DirectTrust will only grant an accreditation after the Applicant demonstrates they have acquired a HIPAA Privacy and Security Accreditation or Certification.
DirectTrust has approved and will accept HIPAA Privacy and Security Accreditation or Certification from the following vendors:
EHNAC – the Electronic Healthcare Network Accreditation Commission provides HIPAA Privacy and Security Accreditation.
HITRUST* – Health Information Trust Alliance, HIPAA Privacy and Security Certification
*Note: For those HISP Applicants that choose HITRUST, please contact DirectTrust to discuss the HITRUST CSF Tool Scope settings in the CSF Tool. For version 9.0 or higher, HISP Applicants, at a minimum, MUST select Privacy and Security and include in the Regulatory Factor setting: Subject to EHNAC Accreditation.
Note: Commercial Certificate and Registration Authorities such as, but not limited to, DigiCert or IdenTrust should contact DirectTrust for further details.