DirectTrust now operates an Accreditation Program for its Health Information Service Providers (HISPs). The purpose of the Accreditation Program is to ensure that HISPs comply with DirectTrust HISP Policy requirements and interoperate with other conforming HISPs.
Accreditation by DirectTrust is a requirement for HISPs wishing to have their anchor certificate included in one or more of the DirectTrust Trust Anchor Bundles, and to have their end-entity certificates used by their customers for Direct exchange with over 1.9 million participants in the DirectTrust network.
The DirectTrust HISP Accreditation was previously administered by the Electronic Healthcare Network Accreditation Commission (EHNAC) and known as DTAAP HISP Accreditation.
DirectTrust and EHNAC have agreed to separate the accreditation into two parts: HIPAA Privacy and Security Certification or Accreditation and HISP Accreditation.
As of January 1, 2018, the DTAAP-HISP program currently administered by EHNAC will no longer exist. Any HISP Accreditation granted under this program will be honored by DirectTrust until its expiration date.
After January 1, 2018, all new HISP Accreditation and re-Accreditation will be solely administered by DirectTrust under its HISP Accreditation Program.
Accreditation Program Requirements
DirectTrust operates and administers the HISP Accreditation Program. As part of the HISP Accreditation Program, the HIPAA Privacy and Security Certification or Accreditation is a requirement and at this time may be received from EHNAC, HITRUST or, in the future, other certification organizations that DirectTrust approves.
The Accreditation Program requires that a HISP complete a Self Attestation Questionnaire and provide evidence to prove it is in compliance.
Compliance with DirectTrust’s HISP Community Policies ensures that the HISP:
- Is in conformance with all aspects of the Direct Exchange Protocol
- Interoperates securely with other HISPs in the DirectTrust Network
- Operates within the security, trust and business practice guidelines of the DirectTrust Security and Trust Framework
- Demonstrates its ability to mitigate risk when handling Personal Health Information (PHI) through the implementation of effective management controls and practices
Applicant HISPs must have a HIPAA Privacy and Security Certification or Accreditation that is valid for the duration of the HISP Accreditation. At the start of the HISP Accreditation Process, the Applicant HISP will be advised that this is a requirement of the DirectTrust Accreditation Program.
After the Applicant HISP has completed the Accreditation Program Self Attestation process, it must provide proof that it has completed the HIPAA Privacy and Security Certification or Accreditation. Evidence of the Certification is required by the end of the Accreditation Process, and a HISP will not receive accreditation without it.
DirectTrust has approved and will accept HIPAA Privacy and Security Certification or Accreditation from the following vendors:
- EHNAC – Electronic Healthcare Network Accreditation Commission
- HITRUST* – Health Information Trust Alliance
*Note: HISP Applicants that choose HITRUST should contact DirectTrust to discuss the HITRUST CSF Tool Scope settings in the CSF Tool. For version 8.1 of the CSF Tool, Applicants MUST select both Privacy and Security. For version 9.0, HISP Applicants MUST, at a minimum, select Privacy and Security and include in the Regulatory Factor setting: EHNAC Accreditation.