Criteria Development

DirectTrust Accreditation Criteria are developed through a collaborative and transparent process involving industry stakeholders.

How DirectTrust Develops Accreditation Criteria

DirectTrust develops its criteria for accreditation through a structured and collaborative process that involves input from industry experts, stakeholders, and healthcare professionals.

The process of drafting criteria for accreditation typically begins with a Needs Assessment that takes into account emerging technologies, regulatory changes, industry trends, and evolving healthcare challenges. DirectTrust actively engages a wide range of stakeholders to provide valuable input on the development of accreditation criteria. Draft criteria are developed, incorporating existing industry standards, regulations, and best practices relevant to the specific area of accreditation. This may include standards such as HIPAA, the HITECH Act, NIST cybersecurity frameworks, and other applicable regulations. Stakeholder-specific criteria are also included.

After criteria are drafted, DirectTrust seeks input from the broader healthcare community by conducting a public comment period during which interested parties can review and provide feedback on the draft accreditation criteria. This feedback is carefully considered in the refinement of the criteria. Based on the feedback received during the public comment period, the drafting and review committee makes necessary revisions to the accreditation criteria. These revisions aim to ensure that the criteria are clear, practical, and reflective of industry standards. Once the criteria are finalized and approved by EHNAC, they become the official standards for accreditation in the designated area. Accreditation programs are established based on these criteria. Periodic reviews and updates occur for accreditation criteria to keep them current with evolving industry standards, regulations, and technology advancements. This ensures that the criteria remain relevant and effective over time.

Through this rigorous and collaborative process, DirectTrust ensures that its accreditation criteria align with the most current industry standards and best practices, promoting excellence in healthcare data exchange, security, and quality of care.

Accreditation Process

Are you interested in learning more about the DirectTrust accreditation process, from application to recognition? We’ve outlined an overview for you.


Drafting Criteria

DirectTrust looks to existing regulation, best practices, and stakeholder guidance to draft criteria for programs. As criteria are developed, organizations pursue Beta accreditation and provide feedback on what criteria were included.

As an example, for the Privacy and Security Accreditation Program, the criteria are based mostly on regulatory body requirements and best practices, with stakeholders contributing a few additional controls. The Security criteria are primarily based on NIST SP 800-171, as it is a widely accepted and CMS-recommended set of criteria for “Protecting Controlled Unclassified Information”. It provides security requirements drawn from NIST’s much broader SP 800-53 program. Additional controls from the NIST Cybersecurity Framework are also incorporated. Finally, stakeholders agreed that a few additional controls regarding HIPAA/HITECH should be incorporated as criteria into the program.

Promulgation of Proposed Criteria

Prior to adoption and final approval, any draft criteria proposed for adoption shall be shared on the DirectTrust website, as well as through digital media like the Newsletter, with an indication of how to provide feedback.

Public Comment

During the comment period, DirectTrust solicits and considers the opinions, comments, suggestions and criticism of all interested parties with regard to the necessity, appropriateness and workability of any draft criteria proposed for adoption. Parties can use the DirectTrust Criteria Comment Form to submit suggestions, feedback, or comments.

The comment period prior to DirectTrust’s adoption of any industry criteria is 60 calendar days from the date the criteria are promulgated.

Repealing Criteria

The provisions applying to the adoption of industry draft criteria by DirectTrust shall also apply to the repeal of any criteria previously recognized.

Approving Criteria

Upon the completion of the promulgation and comment period, the Commissioners review the proposed criteria and any comments received during the adoption process.

The Commissioners shall vote on the appropriateness of recognition of the criteria into a DirectTrust accreditation program by majority vote.

Join the Criteria Council!

Criteria Council membership is open to all DirectTrust accredited organizations as well as other interested healthcare industry professionals.  
 
DirectTrust invites you to help further its mission to promote standards-based accreditation within the healthcare data exchange industry by joining the Criteria Council. We continuously look to build and elevate the makeup of the Council, to secure representation from a variety of healthcare industry sources and diverse input from leading stakeholders. Participation within this exclusive group of industry insiders is a unique way to directly contribute to the strength and security of our nation’s healthcare system.

At a minimum, participation on the Criteria Council involves one conference call per month lasting 30-60 minutes. Between these calls there may be email exchanges or additional calls depending on current initiatives and Council priorities. Please visit the Criteria Development and Criteria page of our website for more information on the criteria development process.
 
Each year, the Criteria Council enhances the criteria in all the programs to ensure they keep up with industry requirements and trends, including HIPAA, HITECH, ARRA, the Omnibus Rule, as well as cloud computing specifications. More than ever, we are seeing cybersecurity issues being addressed by governing bodies. By participating on the Criteria Council, you can make sure that your organization has a say in ensuring that all the regulations and best practices are addressed in our accreditation programs.
 
This also provides a great opportunity for you to network with industry insiders, learn about recent developments in healthcare security and privacy mandates, and help to develop the criteria that are core to our accreditation programs. If you or a member of your organization is interested in serving as a Council Member, please contact us and we will send a Volunteer Agreement to begin the process.
