Frequently Asked Questions
What is DirectTrust HISP Accreditation?
DirectTrust provides the policy and governance of a secure network that provides a service to allow the exchange of Personal Health Information between trusted end-points.
Every endpoint in the network is a Direct Address that is assigned to an individual or an organization. A Direct Address may be thought of as an electronic mail address that has been strongly identity proofed. When Direct Addresses exchange information between each other, the exchange is performed in a highly-secured manner such that the information may not be read by any other parties except for the intended recipient.
The security and trust used to transport the information is based on a Public Key Infrastructure (PKI). The PKI is the basis for the secure transport of the information and the strong identity proofing is the basis for providing a high level of trust.
Entities called HISPs (Health Information Service Providers) participate in the DirectTrust Network to facilitate and implement the Public Key Infrastructure used to protect the information and provide for the technology used to transmit and receive messages and their attachments.
To ensure that each HISP is operating in accordance with the DirectTrust Community Policy and Direct Specifications, each HISP goes through an accreditation process. The accreditation Process ensures that each HISP has been audited to ensure that it is in compliance and has implemented the HISP Policy correctly.
The PKI and operation of the DirectTrust Accredited Trust Anchor Bundle relieves the HISP of having to execute contracts between all the endpoints in the network. As part of the accreditation process, each HISP is certified to be trusted so that they may all trust each other.
The DirectTrust Accreditation Program ensures that all of the HISPs are held to be in compliance with the DirectTrust Community Policy and standards.
What is the new DirectTrust Accreditation Program and how is it different from the previous and now superseded EHNAC DTAAP HISP Accreditation?
In the later part of 2016 and early 2017 DirectTrust and EHNAC jointly agreed that separating the HISP Accreditation into two parts would provide greater flexibility for DirectTrust HISPs and allow each organization to focus on it specialized subject matter domain expertise.
The new Accreditation Program supersedes the existing EHNAC DTAAP HISP Accreditation. All applications for HISP Accreditation or re-accreditation must be made to DirectTrust after January 1, 2018.
The new DirectTrust HISP Accreditation Program consists of two parts:
HISP Accreditation – this program is operated and administered solely by DirectTrust.
HIPAA Privacy and Security Certification or Accreditation – DirectTrust will accept this Certification from EHNAC or HITRUST. If you choose HITRUST you must contact DirectTrust for special instructions to give to HITRUST to ensure that the audit has the correct scope directives to cover DirectTrust’s requirements. We are currently working to develop a list of instructions that will replace this language once they are developed.
Giving Applicant HISPs the ability to choose Privacy and Security vendors allows them greater flexibility in terms of cost and service.
Why should I become DirectTrust Accredited?
Participation in the DirectTrust Security and Trust Network allows your HISP to operate at a very high level of trust and security.
Any HISP that wishes to exchange messages within the DirectTrust Security and Trust Network MUST be DirectTrust Accredited and participate in the Accredited Trust Anchor Bundle..
How much does it cost to become DirectTrust Accredited?
The Accreditation Program is a new program at DirectTrust. DirectTrust is charging $4,500 for HISP Accreditation. Note: this fee does not include the cost for the HIPAA Privacy and Security Certification or Accreditation, please contact the vendor you are choosing for this certification, either EHNAC or HITRUST.
At the end of 2018, DirectTrust will review the pricing and reserves the right to change the fee amount.
How do I start the HISP Accreditation Process?
The first step is to visit the accreditation.directtrust.org web site. You begin by completing an online web form that asks for demographic and other information.
Once the form has been completed, non-refundable payment must be made as per the instructions on the web site.
After payment has been received, the Accreditation Program administrator will contact you to give you your Id and Password to access the Applicant Access part of the website. This part of the web site is secured with your Id and Password. All of your data and information is securely stored and only visible to the Applicant HISP, the HISP Accreditation Program Administrator and HISP Accreditation Program Reviewer
Are there any differences between the EHNAC DTAAP HISP Accreditation and the new DirectTrust HISP Accreditation?
The new DirectTrust HISP Accreditation Program has been streamlined and the number of self attestation questions has been significantly reduced. The new Accreditation Program is now two parts: HISP Accreditation which requires a separate HIPAA Privacy and Security Certification or Accreditation.
How long does Accreditation last?
DirectTrust Accreditation is valid for two years.
How long is the Accreditation process?
Applicants have 6 months from the date their application is approved and their payment is received to complete the accreditation process. The actual elapsed time depends on the Applicant HISPs response time completing all of the Self Attestation questions and submitting the required Evidence.
How early can a HISP submit a HISP Accreditation Program Self Attestation Questionnaire prior to the HISP's valid until date?
The HISP Accreditation Program Self Attestation Questionnaire response MUST be submitted within three (3) months of the application approval process in order to allow DirectTrust adequate time to review the Applicant HISP’s submission.
HISPs can submit the DirectTrust HISP Accreditation application at anytime, but submission of artifacts and evidence for the Self-Attestation Questionnaire must be current. Therefore, DirectTrust will not accept the submission of the Self Attestation Questionnaire and supporting evidence any earlier than six months prior to the HISP Accreditation valid until date.
After I become accredited, how do I join the DirectTrust Trust Bundles?
To join the DirectTrust Trust Bundles go to https://services.directtrust.org/ and begin the application process.
Are there fees associated with joining the DirectTrust Trust Bundles?
Yes, for more information on the fees go to https://services.directtrust.org/network-services-fees/.
What are the requirements for inclusion in the Accredited Trust Anchor Bundle?
For a list of requirements for inclusion in the Accredited Trust Anchor Bundle go to https://services.directtrust.org/about_accredited_bundle/.
What are the requirements for inclusion in the Governmental Trust Anchor Bundle?
For a list of requirements for inclusion in the Governmental Trust Anchor Bundle go to https://services.directtrust.org/gtab/.
HELP!, I've read through the web site and this FAQ sheet and feel I am stuck, what should I do?
We understand that the process for becoming accredited may be a bit overwhelming before it’s completely understood. We assure you that it while does require some work, we are here to help guide you through it.
If you have specific questions after looking online at accreditation.directtrust.org, then please contact the Accreditation Program Administrator at firstname.lastname@example.org.