Trusted Network
The Trusted Network Accreditation Program (TNAP) was developed to align directly with the development of the Trusted Exchange Framework and Common Agreement (TEFCA) required by the 21st Century Cures Act. DirectTrust seeks to promote interoperability by assuring the security and privacy of trusted networks and the use of enabling technologies in the healthcare ecosystem. This program provides third-party review with accreditation for Trusted Exchange participants, rights management, and compliance with TEFCA regulatory requirements. The program also addresses security and privacy regulatory requirements.
TEFCA affects a diverse group of industry stakeholders including Health Information Networks, Health Information Exchanges, Accountable Care Organizations, data registries, labs, providers, payers, vendors, and suppliers – and this program has been designed to address all of their needs.
The Trusted Network Accreditation Program (TNAP) consists of a third-party assessment against DirectTrust’s TEFCA-specific requirements, as well as our base privacy and security criteria. Through this process, the program assesses an organization’s ability to comply with TEFCA’s regulatory requirements and the organization’s applicable privacy and security regulatory requirements. Such regulatory requirements include, for example, HIPAA, HITECH, ACA legislative reform provisions, the NIST Cybersecurity Framework, GDPR, and others. This comprehensive third-party review provides an additional level of confidence for Health Information Networks that they can trust their downstream participants.
The DirectTrust Trusted Network Accreditation Program ensures a consistent focus on privacy, security and other core industry requirements including a focus on organizational structure, delineation of third parties and their contractual and agency statuses, protected health information data flow, business practices, and management of human and physical resources. The criteria for this program are publicly reviewed and enhanced at a minimum of once per year, and more often when necessary due to regulatory requirements, industry-promoted best practices, or other significant factors.
Developed through a coalition of industry collaborators, this program is:
- designed for Health Information Network (HIN) Participants that would like to demonstrate compliance;
- thorough in its presentation and assessment of TEFCA requirements as well as privacy and security requirements based on an organization’s regulatory requirements;
- vendor- and technology-agnostic to support blockchain and other enabling technologies.
We follow a structured, transparent and industry-inclusive process that provides for continual improvement. Criteria for this program are available on our Programs and Criteria Page.
TNAP-Participant/Participant Member – for organizations that desire to be recognized as a Participant or as a Participant Member in the Assistant Secretary of Technology and Policy (formerly the Office of the National Coordinator)’s Trusted Exchange Framework. According to the ASTP, as defined in the materials released in April 2019, “Participants may include persons or entities that have entered into a contract to participate in a QHIN. Some examples of Participants could include, but are not limited to, a HIN, a health system, a health IT developer, a payer, or a federal agency.” Likewise, the ASTP suggests the following: “Participant Members may include persons or entities that use the services of a Participant to send and receive EHI. For example, if a QHIN is composed of health information exchanges, the health information exchange would be the Participant, and those who use the health information exchange services, (such as health systems, ambulatory providers, health IT developers, payers, and others) are the Participant Members. Alternatively, a health IT developer could be a direct Participant of a QHIN, in which case, the Participant Members may be the provider practice that uses the health IT developer’s software or services.”
NOTE: TNAP-Participant Accreditation doesn’t designate an organization as accepted by the Recognized Coordinating Entity as a Participant. Approval from the Recognized Coordinating Entity and the ASTP is still necessary and entirely separate from this accreditation process.