The following resources may be helpful to you after your organization has received Accreditation or Certification from DirectTrust.
DirectTrust provides multiple reports to organizations that have achieved accreditation, each intended for a specific audience. DirectTrust does not control how these reports are shared; we only provide recommendations. See below for the reports we provide with most of our programs, along with the intended use for each.
Includes the detailed criteria and responses, along with specific recommendations identified to be addressed prior to the next accreditation cycle. Because this report is so comprehensive, it may also be helpful in satisfying third-party assessment questionnaires.
According to the 2021 H.R. 7898 – Public Law 116-321 (also known as the “HIPAA Safe Harbor Law”), in order for an organization to avail itself of decreased enforcement penalties/fines and audit scrutiny, each HIPAA Covered Entity and/or Business Associate must be able to demonstrate compliance with Recognized Security Practices for at least a 12-month period of time. DirectTrust accreditation demonstrates compliance against these Recognized Security Practices. Therefore, this report provides confirmation of compliance with HIPAA Security, the NIST Cybersecurity Framework, the applicable components of the HITECH Breach Act, and the relevant components of HIPAA Privacy. NIST SP 800-171 Rev 2 scoring is also provided, demonstrating compliance against the specified NIST 800-53 Rev 4 families of security controls per the 800-171 Rev 2 framework. The organization’s compliance against these standards is presented in graphical format.
DirectTrust recognizes that its accredited entities (“Accredited Entities”) and accreditation candidates (“Accreditation Candidates”) operate in a dynamic business environment that includes many business and legal variables ancillary to the fundamental scope of DirectTrust’s accreditation process. However, because that environment involves business and legal risks that may impact (1) DirectTrust accrediting operations; and (2) accreditation eligibility, DirectTrust has developed a collaborative process to (A) enable Accredited Entities and Accreditation Candidates to identify significant business, financial, operational and legal developments that have the potential to compromise or undermine their ability to meet the DirectTrust Accreditation Criteria (“Sentinel Events”) and (B) provide DirectTrust with written notification of such Sentinel Events.
Business risk evaluation is necessary for DirectTrust to accomplish the following objectives in a timely manner:
Acquire timely knowledge of Sentinel Events (described in Exhibit A) that may affect the accreditation status of an Accredited Entity or Accreditation Candidate.
Maintain credibility of DirectTrust as a nationally recognized accreditation body.
A Sentinel Event is any significant development, action or change having a material impact on the business, financial, operational or legal status of an entity, which occurs (1) with respect to an Accredited Entity, after accreditation, or (2) with respect to an Accreditation Candidate, after the application has been submitted to DirectTrust. The material change in status may be based on any one or more of the Sentinel Events indicated below or described in the Sentinel Events Exhibit A.
Notification Process: When should DirectTrust be notified?
An Officer of DirectTrust must be notified in writing of the occurrence of any Sentinel Event. Written notification in the manner described in Section 3 below must be received by DirectTrust no later than three (3) business days from when the Sentinel Event occurs. Failure to provide such notification could result in loss of Accreditation, loss of Candidacy status or such other action as DirectTrust may determine to be appropriate.
As part of the notification process, the Accredited Entity or Accreditation Candidate shall provide an officer of DirectTrust with the “known facts,” as determined to have a material impact, and shall continue to provide DirectTrust written notice of additional relevant information as such information becomes “known facts.” The additional relevant information shall be delivered to DirectTrust by an email sent to Admin@DirectTrust.org.
“Known facts” shall include, but not be limited to, (A) any relevant data, information or circumstances regarding a Sentinel Event having a material impact which an Accredited Entity or Accreditation Candidate (i) is required by law, by a contract to which it is a party, or by any other legal obligation to report or disclose to a third party, or (ii) has disclosed in a public statement or in any non-confidential manner; (B) reports or information that must be reported to a government agency; and (C) all findings of fact in the form of an agency action by a duly authorized regulatory agency or in a judgment by a court of original jurisdiction, notwithstanding any subsequent appeals.
The written notification should include the following information:
Name of the individual reporting the Sentinel Event (company name, individual name, title, address, phone number, and email address)
Description of the Sentinel Event
Date the Sentinel Event occurred
DirectTrust Accreditation impact(s) or considerations that could materially and adversely affect the company’s compliance with the Accreditation Criteria; e.g., changes in key executive management in a small company or release of a press announcement in a public company
Other factual information DirectTrust should consider
If the Sentinel Event has resulted in non-conformity with the Accreditation Criteria, a proposed plan to restore conformity, i.e., an explanation in reasonable detail of how the company will promptly reestablish conformity with all applicable DirectTrust Accreditation Criteria
Appropriate documentation, e.g., press releases, should be submitted along with the disclosures.
The following is an illustrative but not exhaustive topical list of Sentinel Events. Refer to the Sentinel Event Exhibit “A” document in the sidebar for detailed explanations.
Entering into an agreement of sale to sell or otherwise directly or indirectly divest an Accredited Entity or an Accreditation Candidate
Entering into an agreement to purchase or otherwise directly or indirectly acquire an Accredited Entity or Accreditation Candidate
Entering into a new agreement to outsource a site that fits the definition of an In-scope Organization Site or an In-scope Outsourced Site.
Financial impairment of an Accredited Entity or Accreditation Candidate.
Change in ownership or control > 25%.
Disruption of service to customers > 8 hours for telecom, or security violation.
A security breach that is reportable as a matter of state or federal law. DirectTrust does not warrant that its accreditation framework will prevent any breach or cyberattack. Refer to the Breach Definition and the HIPAA Breach Notification Rule – 45 CFR §§ 164.400-414.
Workforce reduction by > 15%.
Key management changes.
Company fine(s) of > $100K for regulatory violations, marketing or advertising practices, antitrust violations, or tax disputes.
Adding or significantly modifying an In-scope Organization Site or an In-scope Outsourced Site.
Significant events associated with an In-scope Organization Site or an In-scope Outsourced Site including but not limited to the addition or significant modification of physical locations.
For those certified through an EPCSCP Program, a Sentinel Event must be reported for each significant systems upgrade, functional alteration, or when made aware of any application issue related to e-prescribing in accordance with the regulations. See Exhibit A: Sentinel Events, section F. Critical DirectTrust Accredited System Events for more information (in the downloadable file).
For those certified/accredited through the TDRAAP Program, a Sentinel Event must be reported for each significant change to the product which has been proven via UDAP testing as part of the review process.
For those accredited through the TNAP-HIN program, a Sentinel Event must be reported if HITRUST certification is not maintained throughout the TNAP-HIN accreditation.
For those accredited for any program who have been certified by HITRUST and who have used a validated report to satisfy the security or privacy criteria in any DirectTrust program, a Sentinel Event must be reported if HITRUST certification is not maintained throughout the accreditation period.
Within seventy-two (72) hours of DirectTrust’s receipt of such written notice, the President and CEO of DirectTrust, if he/she deems the Sentinel Event to be of a materially substantive nature, shall notify the Chair of the Commission, who shall convene a meeting of the Ad Hoc Sentinel Event Committee of DirectTrust (“Council”), consisting of three EHNAC Commissioners, to consider the matter. In determining its recommended course of action, the Council shall consider the seriousness and time-criticality of the Sentinel Event. The Council shall provide its written recommendation to the Commissioners within twenty-four (24) hours of the conclusion of its meeting, including, if recommended, the necessity for a special meeting of the Commissioners to take action on any recommendation of the Committee. Other than the publication on the web site of any change to the status of a DirectTrust Accredited Entity or a DirectTrust Accreditation Candidate, all deliberations by DirectTrust on the report of a Sentinel Event, including its evaluation and recommendations, shall be kept confidential.
Accreditation by DirectTrust is awarded based upon its review of the organization at the specific “point in time” that the accreditation process occurred. DirectTrust is not responsible for any subsequent changes in policies, procedures, controls, processes or access of which it has no visibility or is unaware. It is the organization’s responsibility to report significant changes to us through our Sentinel Events policy.
The EHNAC Commissioners shall review the recommendation of the Committee on a timely basis, either at a special meeting of the Commissioners if the matter is deemed urgent by the Committee’s Report, or no later than the next regularly scheduled meeting of the Commission. Written findings and action taken by the Commission shall be communicated in writing to the affected Accredited Entity or Accreditation Candidate within two (2) business days of the conclusion of the meeting of the Commission. The written communication also shall include a description of DirectTrust’s appeal procedures.
The following are examples, illustrative but not exhaustive, of actions that may be taken by the Commission:
Revocation of accreditation.
Request for further documentation. If the additional documentation is not provided, revocation of accreditation.
Request the organization to reapply and follow the re-accreditation process if it is determined that the Sentinel Event provides a substantive change to the entity.
Such other actions as are deemed appropriate.
Change in Accreditation Status.
Please note: if an organization fails to respond within 7 business days to a high-priority email from DirectTrust asking whether it intends to proceed with the accreditation process, DirectTrust will determine that the organization no longer intends to maintain its accreditation status; the organization will be removed from the website and will no longer be accredited as of that date.
If one or more of the following occur(s) within 12 months of the last accreditation, a location review must be made of the new or modified facility(ies):
Accredited Entity enters into a new agreement with an In-scope-Outsourced Site.
Accredited Entity adds or significantly modifies a physical location that would qualify as an In-scope Organization Site or an In-scope Outsourced Site.
A significant event occurs associated with functions involving the creation, reception, maintenance, or transmission of PHI that are outsourced to third parties, including but not limited to the addition or significant modification of physical locations.
Increasing the level of identity or authentication assurance supported by a TDRAAP accredited program.
A notifiable breach. (Refer to the Breach Definition and the HIPAA Breach Notification Rule – 45 CFR §§ 164.400-414).
If the Significant Event occurs more than 12 months after the last accreditation, a location review may be made of the new or modified facility(ies) if determined to be necessary by DirectTrust. If a location review is deemed necessary, the information gathered will be applied to the subsequent accreditation effort and reports accordingly.
NOTE: A change in the organization’s contact individual having responsibility to liaise with DirectTrust needs to be communicated within 10 days of a change in personnel so that there is no disruption in any notices or communications between the entities.
DirectTrust urges attempts to resolve issues between accredited parties and their partners before submitting a notification.
The Non-compliant Notification System allows the public to notify DirectTrust of a candidate or accredited organization’s suspected non-compliance with accreditation criteria.
In order to create an equitable process by which partners may submit notification of suspected non-compliance with DirectTrust’s criteria by candidates or accredited organizations, the DirectTrust EHNAC Commissioners have adopted and will utilize the Non-Compliance Investigation Process when such notification has been submitted.
The EHNAC Commission will receive the notification and assess whether there has been non-compliance.
If they determine there has not been non-compliance, the submitter of the notification will be notified by the Commission of the determination, including the reason, and the notification will be considered resolved.
If the EHNAC determines that there has been non-compliance, it will notify the Commission and recommend proceeding with an investigation.
If the Commission denies the request to proceed, the submitter of the notification will be notified by the commission of the decision not to proceed, including an explanation of that decision, and the notification and allegations will be considered resolved.
If the Commission accepts the recommendation to proceed, the commission will notify the affected accredited organization of the alleged non-compliance and ask for clear and specific evidence to the contrary. NOTE: When the accredited organization is notified of the allegations, it will be allowed to view the evidence supporting the alleged non-compliance and will be made aware of the trading partner’s identity.
If the Commission determines that the accredited organization successfully responded to, i.e., refuted, the notice of non-compliance or has either remedied the alleged non-compliance or developed a plan of action that will correct the non-compliance within a specific period satisfactory to the commission, a written notice, including the commission’s determination and its reason, shall be sent from the commission to both the submitter of the original notice and the accredited organization.
If the Commission determines that the accredited organization has not successfully refuted the notice of non-compliance or remedied the alleged non-compliance, a plan of action must be developed and implemented that will correct the non-compliance in a specific period of time satisfactory to the commission.
The Commission may determine during the investigative and/or remediation stages that a location review is necessary to review and validate the remediation effort.
Ultimately, the Commission has the authority to (a) reject allegations; (b) change an accreditation status to “denied” or “provisional” accreditation, if there is non-compliance and if there is no remediation or the length of time for remediation is too long; or (c) restore full accreditation if the accredited organization has brought its efforts back in compliance with the criteria.