CARIN Code of Conduct
The CARIN Code of Conduct for Consumer-Facing Applications (CARIN-CFA) Accreditation Program is an independent accreditation of consumer-facing apps, enabling patient and data holder confidence in app developers’ ability to safeguard sensitive consumer health data. DirectTrust’s CARIN-CFA Accreditation Program was established in collaboration with the CARIN Alliance.
CARIN Code of Conduct for Consumer-Facing Applications Accreditation is recognized by CMS as an evaluation pathway for participation in the Medicare App Library.
About the Program
DirectTrust CARIN-CFA Accreditation provides a clear, independent pathway for organizations to demonstrate conformance to transparent privacy, security, and data use standards.
DirectTrust Assessors conduct independent reviews against the CARIN-CFA criteria, ensuring conformance to and implementation of the CARIN Code of Conduct. The accreditation criteria are derived directly from the CARIN Code of Conduct itself, an authoritative framework for consumer-directed health data exchange, and are aligned to its full intent, principles, and expectations. By combining the CARIN Code with independent Assessor review, the accreditation program enables organizations to publicly demonstrate alignment with the industry’s highest standards for secure, transparent, and privacy-protective digital health data exchange. This process helps patients understand participating applications’ privacy policies, data use practices, security safeguards, and consent protocols – enabling more informed decisions about which applications best meet their needs.
Evaluation areas include:
- Privacy and security safeguards
- Transparency and consumer notice practices
- Data use and secondary sharing controls
- Consumer rights and revocation mechanisms
- Organizational governance and accountability
About the CARIN Code of Conduct
The CARIN Code of Conduct was first developed to provide expectations for data handling practices of digital health applications which may not be subject to HIPAA. The Code supports the goals of the Centers for Medicare & Medicaid Services (CMS) rulemaking, including the Interoperability and Patient Access Rule, which aims to accelerate the ability of individuals to access personal health information via applications that leverage HL7® FHIR® application programming interfaces (APIs). The Code represents the consensus view of a group of over 60 multi-sector stakeholder participants and references internationally recognized standards and best practices.
Participation in CMS’s Medicare App Library
The Centers for Medicare & Medicaid Services (CMS) recognizes DirectTrust’s CARIN-CFA Accreditation as an independent evaluation pathway for app vetting that eligible applications may use to demonstrate conformance with CMS criteria for listing in the Medicare App Library.
This recognition aligns the accredited privacy, security, and responsible data use practices defined in the CARIN Code of Conduct with CMS’s broader vision for a trusted, interoperable digital health ecosystem.
Pricing
DirectTrust is a non-profit organization with extensive experience administering robust health technology accreditation and certification programs across the ecosystem. The programs are built on transparent criteria and rigorous, assessor-led methodologies developed and refined over years of practice; the CARIN-CFA Accreditation reflects that same standard of rigor and independence. As outlined above, this program includes 35–45 hours of dedicated human Assessor time, including document review, evidence evaluation, and a live meeting with the applicant.
Annual fees support the operation, administration, and maintenance of the program. Assessment fees support the additional Assessor work required in the accreditation year, including evidence evaluation, interviews, and reporting.
This is a 2-year accreditation. Fees are as follows:
- Year 1: $5,600 (includes Annual and Assessment Fees)
- Year 2: $3,100 (includes Annual Fee)
Criteria and Application
Criteria for the CARIN Code of Conduct for Consumer-Facing Applications are available here. To begin the application process for this program, please complete the application form. Questions? Reach out to us at Accreditation@DirectTrust.org.
