Establishing trust through certification of policy adherence
DirectTrust operates Accreditation programs for Health Information Service Providers (HISPs), Certificate Authorities (CAs), and Registration Authorities (RAs). Entities accredited by DirectTrust have demonstrated best practices, met HIPAA, privacy, and security compliance standards, and validated policy requirements. By becoming accredited, organizations can prove interoperability with other accredited entities, avoid one-off agreements with others, and can become part of the DirectTrust Trust Bundle to participate in the network.
Why is the accreditation of HISPs, CAs, and RAs necessary?
Establishes Trust within Network
Demonstrates Policy Adherence
Ensures Uniform Security Compliance
Mitigates Risk of PHI Exchange
Verifies HIPAA and Privacy Compliance
Business Process Oversight
Illustrates Best Practices
Requirements for Accreditation
Applicants must maintain a HIPAA Privacy and Security Accreditation or Certification throughout the life of their DirectTrust Accreditation. DirectTrust has approved and will accept HIPAA Privacy and Security Accreditation or Certification from the following vendors:
HITRUST – HIPAA Privacy and Security Certification *
Operate in conformance with DirectTrust community standards including the DirectTrust Security and Trust Framework and Certificate Policies as applicable.
* Note: For Applicants that choose HITRUST, please review the following HITRUST CSF Tool Scope Settings, and contact DirectTrust as needed for clarification/verification on Scope settings:
HISP Accreditation Applicants using CSF version 9.2 and later MUST at a minimum include in the Regulatory Factor setting: Subject to EHNAC Accreditation and HIPAA
CA/RA Only (do not also operate as a HISP) Accreditation Applicants using CSF version 9.2 and later MUST at a minimum include in the Regulatory Factor setting: Subject to EHNAC Accreditation
Additional Criteria for CA/RA Accreditation
All Certificate and Identity Proofing Policies and Procedures meet DirectTrust’s Certificate Policy
For CA/RA Applicants: DirectTrust will accept the WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security Certification in lieu of a HIPAA Privacy and Security Accreditation or Certification.
Additional Criteria for HISP Accreditation
Conformance with all aspects of the Direct Standard™ Exchange Protocol
Ability to securely interoperate with other HISPs in the DirectTrust Network
The DirectTrust Accreditation Fee Schedule may be changed at DirectTrust’s sole discretion. Once an Applicant executes and submits the Accreditation Package, the Accreditation Fee will not change.
HISP, CA, and RA Fees
Fees are based on an applicant’s gross revenue and are assessed in a revenue-based tiered structure. See additional notes on what fees include below. Any additional time required to complete the Review that is not attributable to delays caused by DirectTrust will be billed on a Time and Materials basis at a rate of $200.00 per hour.
HISP fee includes 20 Hours of Reviewer time to complete the Review.
CA fee includes 40 Hours of Reviewer Time to complete the Review.
RA fee includes 32 Hours of Reviewer Time to complete the Review.
RA Site Review fee includes 8 Hours of Reviewer Time per Site to complete the Review. Any expenses incurred by the Reviewer associated with travel to and from the RA Site location will be billed to the Applicant.
Cloud Service Provider Hosting Facility Accreditation Fees
For those Applicants that use a Cloud Service Provider (CSP), a separate appendix is provided in each Accreditation Questionnaire that contains Criteria that relate to the Cloud Service Provider environment.
DirectTrust assesses a flat fee of $1,000.00 per Cloud Service Provider instance.
The Fee for the Cloud Service Provider Hosting Review includes 3 Hours of Reviewer Time per Site to complete the Review. Any additional time required to complete the Cloud Service Provider Hosting Review that is not attributable to delays caused by DirectTrust will be billed on a Time and Materials basis at a rate of $200.00 per hour.
Level 1 Review Failure Fee
Level 1 Review Failure Fees are charged when an Applicant’s Self Attestation Questionnaire and/or Evidence (response) is not in good order. A response is considered not in good order for any of the following reasons:
One or more Criteria are not answered, i.e., left blank when a response is expected
The rules for labeling Evidence and other artifacts as defined in the Accreditation Companion Guide are not followed
A Criteria Response is not relevant
The Accreditation Program Reviewer performs an initial review of the Response to determine whether the Response is in good order. For those Responses that are found not to be in good order, the Reviewer will provide an explanation for each Criterion that is found to be either missing or not in good order.
The Level 1 Review Failure Fee is $200.00 per hour for the time that it takes to provide the explanation for the failure. Subsequent Responses will be evaluated, and a Level 1 Review Failure Fee will be charged every time the Response fails the Level 1 Review.
Accreditation Late Fees
Late Fees are assessed each month. Please note Late Fees are cumulative.