Frequently Asked Questions

What are the new DirectTrust Accreditation Programs and how are they different from the previous and now superseded EHNAC DTAAP Accreditation?

In the latter part of 2016 and early 2017, DirectTrust and EHNAC jointly agreed that separating the HISP Accreditation into two parts would provide greater flexibility for DirectTrust HISPs and allow each organization to focus on its specialized subject matter domain expertise.

After the successful implementation of the DirectTrust HISP Accreditation Program and the transition from the EHNAC DTAAP-HISP Accreditation Program, DirectTrust decided to create additional programs for its accredited Certificate and Registration Authorities.

The new CA/RA programs were created and are being transitioned from EHNAC at the end of 2019.

As of January 1, 2018 HISP Accreditations will only be performed by DirectTrust and after January 1, 2020 CA/RA Accreditations will only be performed by DirectTrust.

Each Applicant for the DirectTrust HISP Accreditation Program, CA Accreditation Program and RA Accreditation Program must choose a vendor to acquire HIPAA Privacy and Security Accreditation or Certification. The following vendors are approved by DirectTrust for HIPAA Privacy and Security Accreditation or Certification:
• EHNAC
• HITRUST

*Please Note: For Applicants that choose HITRUST, please contact DirectTrust to discuss the HITRUST CSF Tool Scope settings. For version 9.0 and later, the Applicant MUST, at a minimum, select Privacy and Security and include in the Regulatory Factor setting: Subject to EHNAC Accreditation.

Note: Commercial Certificate and Registration Authorities such as, but not limited to, DigiCert or IdenTrust should contact DirectTrust for further details.

The new DirectTrust Accreditation Programs supersede the existing EHNAC DTAAP Accreditation Programs.

All applications for HISP Accreditation or re-accreditation must be made to DirectTrust after January 1, 2018, and all applications for CA/RA Accreditations must be made to DirectTrust after January 1, 2020. Note: for CA/RA Accreditations or re-accreditations, the application must be made 8 months in advance of your accreditation's valid-until date. For those CA/RAs whose accreditation will expire before February 2020, the application must be made to DirectTrust in 2019.

What is DirectTrust HISP Accreditation?

DirectTrust provides the policy and governance of a secure network that provides a service to allow the exchange of Personal Health Information between trusted end-points.

Every endpoint in the network is a Direct Address that is assigned to an individual or an organization. A Direct Address may be thought of as an electronic mail address that has been strongly identity proofed. When Direct Addresses exchange information between each other, the exchange is performed in a highly-secured manner such that the information may not be read by any other parties except for the intended recipient.

The security and trust used to transport the information is based on a Public Key Infrastructure (PKI). The PKI is the basis for the secure transport of the information and the strong identity proofing is the basis for providing a high level of trust.

Entities called HISPs (Health Information Service Providers) participate in the DirectTrust Network to facilitate and implement the Public Key Infrastructure used to protect the information and provide for the technology used to transmit and receive messages and their attachments.

To ensure that each HISP is operating in accordance with the DirectTrust Community Policy and Direct Specifications, each HISP goes through an accreditation process. The accreditation process ensures that each HISP has been audited to confirm that it is in compliance and has implemented the HISP Policy correctly.

The PKI and operation of the DirectTrust Accredited Trust Anchor Bundle and the Governmental Trust Anchor Bundle relieves the HISP of having to execute contracts between all the endpoints in the network. As part of the accreditation process, each HISP is certified to be trusted so that they may all trust each other.

The DirectTrust Accreditation Program ensures that all of the HISPs are held to be in compliance with the DirectTrust Policy and standards.

What is DirectTrust CA Accreditation?

DirectTrust provides the policy and governance of a secure network that provides a service to allow the exchange of Personal Health Information between trusted end-points.

Every endpoint in the network is a Direct Address that is assigned to an individual or an organization. A Direct Address may be thought of as an electronic mail address that has been strongly identity proofed. When Direct Addresses exchange information between each other, the exchange is performed in a highly-secured manner such that the information may not be read by any other parties except for the intended recipient.

The security and trust used to transport the information is based on a Public Key Infrastructure (PKI). The PKI is the basis for the secure transport of the information and the strong identity proofing is the basis for providing a high level of trust.

Entities called Certificate Authorities (CA) participate in the DirectTrust Network to provide the Digital Certificates used in the PKI Infrastructure. Every DirectTrust Direct Address is bound to a Digital Certificate that meets the DirectTrust Certificate Authority Policy.

The DirectTrust Certificate Authority Accreditation Program ensures that every CA in the DirectTrust Network conforms to its Certificate Policy.

The DirectTrust Accreditation Program ensures that all of the CAs are held to be in compliance with the DirectTrust Policy and standards.

What is DirectTrust RA Accreditation?

DirectTrust provides the policy and governance of a secure network that provides a service to allow the exchange of Personal Health Information between trusted end-points.

Every endpoint in the network is a Direct Address that is assigned to an individual or an organization. A Direct Address may be thought of as an electronic mail address that has been strongly identity proofed. When Direct Addresses exchange information between each other, the exchange is performed in a highly-secured manner such that the information may not be read by any other parties except for the intended recipient.

The security and trust used to transport the information is based on a Public Key Infrastructure (PKI). The PKI is the basis for the secure transport of the information and the strong identity proofing is the basis for providing a high level of trust.

Entities called Registration Authorities (RA) participate in the DirectTrust Network to provide the strong identity proofing required by the Certificate Authorities. Every end point in the DirectTrust Network is strongly identity proofed by the DirectTrust Registration Authority.

The DirectTrust Registration Authority Accreditation Program ensures that every RA in the DirectTrust Network conforms to its Registration Authority Policy.

The DirectTrust Accreditation Program ensures that all of the RAs are held to be in compliance with the DirectTrust Policy and standards.

Why should I become DirectTrust Accredited?

Participation in the DirectTrust Security and Trust Network as a HISP, CA or RA requires accreditation from a DirectTrust Accreditation Program. The DirectTrust Accreditation ensures that all of the entities in the DirectTrust Network conform to the same policies.

Any HISP that wishes to exchange messages within the DirectTrust Security and Trust Network MUST be DirectTrust Accredited and participate in either the Accredited Trust Anchor Bundle, the Governmental Trust Anchor Bundle or both.

Any CA that wishes to issue Certificates for use in the DirectTrust Network must be accredited by DirectTrust. Every DirectTrust Accredited CA must use a DirectTrust Accredited Registration Authority.

How much does it cost to become DirectTrust Accredited?

Please see the Accreditation Fee information provided on the accreditation website: 

https://accreditation.directtrust.org/accreditation-fees/

How do I start the HISP or CA/RA Accreditation Process?

The first step is to complete the Accreditation Application, an online form that asks for demographic and other information.

Once the form has been completed, a non-refundable payment must be made as per the instructions on the website.

After payment has been received, the Accreditation Program Administrator will contact you to give you your ID and Password, which grant access to the Applicant Access part of the website. This part of the website is secured with your ID and Password. All of your uploaded data and information is securely stored and only visible to the Applicant, the Accreditation Program Administrator and the Accreditation Program Reviewer.

Are there any differences between the EHNAC DTAAP HISP Accreditation and the new DirectTrust HISP Accreditation?

The DirectTrust Accreditation Program has been streamlined and the number of self-attestation criteria questions has been significantly reduced. The DirectTrust Accreditation Programs require a HIPAA Privacy and Security Accreditation or Certification that may be acquired from EHNAC or HITRUST.

Are there any differences between the EHNAC DTAAP CA Accreditation and the new DirectTrust CA Accreditation?

The DirectTrust CA Accreditation Program has been revised and in some cases the number of self-attestation criteria questions has been increased. The DirectTrust CA Accreditation Program requires a HIPAA Privacy and Security Accreditation or Certification that may be acquired from EHNAC or HITRUST.

Are there any differences between the EHNAC DTAAP RA Accreditation and the new DirectTrust RA Accreditation?

The DirectTrust RA Accreditation Program has been streamlined and the number of self-attestation criteria questions has been reduced. The DirectTrust RA Accreditation Program requires a HIPAA Privacy and Security Accreditation or Certification that may be acquired from DirectTrust or HITRUST.

How long does Accreditation last?

DirectTrust Accreditation is valid for two years.

How long is the Accreditation process?

Applicants have 8 months from the date their application is approved and their payment is received to complete the accreditation process. The actual elapsed time depends on the Applicant's response time in completing all of the Self Attestation questions and submitting the required Evidence.

How early can an Applicant submit an Accreditation Program Self Attestation Questionnaire prior to the Applicant's valid until date?

The Accreditation Program Self Attestation Questionnaire response MUST be submitted within four (4) months of the application approval process in order to allow DirectTrust adequate time to review the Applicant HISP’s submission.

Please see the Accreditation Program Standard Operating Procedures for more information.

After I become accredited, how do I join the DirectTrust Trust Bundles?

To join the DirectTrust Trust Bundles go to https://services.directtrust.org and begin the application process.

Are there fees associated with joining the DirectTrust Trust Bundles?

Yes, for more information on the fees go to https://services.directtrust.org/network-services-fees/.

What are the requirements for inclusion in the Accredited Trust Anchor Bundle?

For a list of requirements for inclusion in the Accredited Trust Anchor Bundle go to https://services.directtrust.org/about_accredited_bundle/.

HELP! I've read through the web site and this FAQ sheet and feel I am stuck. What should I do?

We understand that the process for becoming accredited may be a bit overwhelming before it’s completely understood. We assure you that while it does require some work, we are here to help guide you through it.

If you have specific questions after looking online at accreditation.directtrust.org, then please contact the Accreditation Program Administrator at apadmin@directtrust.org.
