Accreditation

Establishing trust through certification of policy adherence

About Accreditation

Trust is everything in healthcare, which is why DirectTrust accredits organizations to demonstrate compliance with policy and industry best practices.  While DirectTrust historically has operated accreditation programs pertaining to Direct Secure Messaging, our 2023 merger with EHNAC (the Electronic Healthcare Network Accreditation Commission) expanded our offerings to include more than 20 different accreditation programs.

Our Accreditation offerings include:

To access more information on the programs offered by EHNAC as part of DirectTrust, visit EHNAC.org.

Our HISP, CA, and RA accreditations remain under the DirectTrust policies, procedures, and processes for 2023.  In 2024, we will move to a single accreditation umbrella under EHNAC, including a streamlined fee structure and presentation of accreditation programs.

To learn more about our merger with EHNAC and its impact, including FAQs, visit this page.

DirectTrust/EHNAC Accreditation Fees Beginning in 2024

As we continue our incorporation of EHNAC into DirectTrust, we’ve spent a great deal of time reviewing the Accreditation Fees and are updating our fee structure to be effective January 1, 2024. Our new Accreditation Fee structure is designed for scalability for organizations of varying sizes and program pursuits. As such, the structure contains several different types of fees which are outlined below.

Accreditation Fees

Accreditation fees are based on program(s), location(s), and revenue-level. Accredited organizations incur an Annual Fee. Every other year when an organization pursues accreditation (their On-Cycle year), they additionally incur Assessment, Location, and (if applicable) Multi-Program Discounted and Program-Specific Fees, as appropriate. On Off-Cycle years, organizations pay only the Annual Fee. Please see the definitions for more information regarding what’s included in our fee structure.

Column groups: Recurring Revenue (Annual Fee, Multi-Program Discounted Fee); Assessment Revenue (Assessment Fee, Assessment Fee for Additional Programs, Additional Location Fee); Additional Fees (HITRUST Criteria Fee, Identity Practices Assessment Fee).

| Revenue Tier | Annual Fee | Multi-Program Discounted Fee | Assessment Fee | Assessment Fee for Additional Programs | Additional Location Fee | HITRUST Criteria Fee | Identity Practices Assessment Fee |
|---|---|---|---|---|---|---|---|
| 1 – Very Small – Under $3M | $3,000 | $1,500 | $5,500 | $1,500 | $3,500 | $3,500 | $4,000 |
| 2 – Small – Greater than $3 Less than $8M | $4,250 | $2,125 | $6,000 | $2,000 | $4,000 | $4,000 | $4,500 |
| 3 – Medium – Greater than $8 Less than $20M | $8,500 | $4,250 | $9,500 | $2,500 | $4,000 | $4,000 | $5,000 |
| 4 – Medium/Large – Greater than $20 Less than $50M | $13,000 | $6,500 | $10,000 | $4,000 | $5,000 | $5,000 | $5,000 |
| 5 – Large – Greater than $50 Less than $75M | $20,000 | $10,000 | $13,000 | $4,500 | $5,000 | $5,000 | $8,000 |
| 6 – Very Large – Greater than $75M | $26,500 | $13,250 | $15,000 | $5,000 | $6,000 | $6,000 | $8,000 |

*Federal, state, and non-profit organizations are included in the Small Size above.

| Program-Specific Fees | Annual Fee | Multi-Program Discounted Fee | Assessment Fee | Additional Location Fee |
|---|---|---|---|---|
| CARIN Code of Conduct | $3,250 | NA | $4,000 | NA |
| EPCS | $3,250 | $1,625* | $4,000 | NA |
| OSAP | $4,250 | NA | $6,000 | $4,000 |
| TDRAAP-Basic | $1,200 | NA | NA | NA |

*EPCS can only be a Multiple Program with another EPCS program.

Fee Definitions

Recurring Revenue Fees:

  • Annual Fee: The Annual Fee is charged to each organization on an annual basis and is calculated based on the organization’s revenue and program selection. The Annual Fee supports program administration and maintenance for the first program an organization pursues.
  • Multi-Program Discounted Fee: In lieu of an Annual Fee for each subsequent program, a discounted Annual Fee is paid initially at program enrollment and biennial renewal.

Accreditation Program Assessment Fees:

  • Assessment Fee: The Assessment Fee is the base fee for the assessment of the first program and first location.
  • Assessment Fee for Additional Programs: The Additional Program Assessment Fee is charged for the assessment of any programs beyond the first program included in the Assessment Fee.
  • Additional Location Fee: The Additional Location fee applies for any additional locations beyond the first location included in the Assessment Fee. If a Location requires more than one day of review, an Additional Location Fee will be incurred.

Additional Program-Specific Fees:

  • HITRUST Criteria Fee: The HITRUST Criteria Fee is incurred when an organization does not hold a validated HITRUST certification but completes the HITRUST-aligned security version of the self-assessment. Electing to use the HITRUST criteria does not grant the applicant a HITRUST validated certification.
  • Identity Practices Assessment Fee: The Identity Practices Assessment Fee applies to Certificate Authorities and Identity Providers for each individual Practices Statement review. This is in addition to the Assessment fees.

About DirectTrust HISP/CA/RA Accreditation

DirectTrust operates Accreditation programs for Health Information Service Providers (HISPs), Certificate Authorities (CAs), and Registration Authorities (RAs). Entities accredited by DirectTrust have demonstrated best practices, met HIPAA, privacy, and security compliance standards, and validated policy requirements. By becoming accredited, organizations can prove interoperability with other accredited entities, avoid one-off agreements with others, and can become part of the DirectTrust Trust Bundle to participate in the network.

Why is the accreditation of HISPs, CAs, and RAs Necessary?

Establishes Trust within Network

Promotes Interoperability

Demonstrates Policy Adherence

Ensures Uniform Security Compliance

Mitigates Risk of PHI Exchange

Verifies HIPAA and Privacy Compliance

Business Process Oversight

Illustrates Best Practices

The Process

Requirements for Accreditation

Accreditation Criteria 

  • Applicants must maintain a HIPAA Privacy and Security Accreditation or Certification throughout the life of their DirectTrust Accreditation. DirectTrust has approved and will accept HIPAA Privacy and Security Accreditation or Certification from the following vendors:
  • Operate in conformance with DirectTrust community standards including the DirectTrust Security and Trust Framework and Certificate Policies as applicable.

* Note: For Applicants that choose HITRUST, please review the following HITRUST MyCSF Tool Scope Settings, and contact DirectTrust as needed for clarification/verification on Scope settings: 

  • Applicants using MyCSF Version 9.1 or earlier MUST at a minimum select both Privacy and Security and MUST include in the Regulatory Factor setting: Subject to EHNAC Accreditation
  • Applicants using MyCSF Version 9.2 or later SHALL at a minimum select both Privacy and Security and SHALL include in the Regulatory Factor setting: Subject to EHNAC Accreditation and HIPAA and under HIPAA select: Security, Privacy and Breach
  • Applicants using MyCSF Version 9.6.2 or later SHALL at a minimum specify Regulatory Factor = Subject to DirectTrust Accreditation

Additional Criteria for CA/RA Accreditation 

  • All Certificate and Identity Proofing Policies and Procedures meet DirectTrust’s Certificate Policy
  • For CA/RA Applicants: DirectTrust will accept the WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security Certification in lieu of a HIPAA Privacy and Security Accreditation or Certification.

Additional Criteria for HISP Accreditation 

  • Conformance with all aspects of the Direct Standard® Exchange Protocol
  • Ability to securely interoperate with other HISPs in the DirectTrust Network

Current DirectTrust Accreditation Fees

The DirectTrust Accreditation Fee Schedule may be changed at DirectTrust’s sole discretion. Once an Applicant executes and submits the Accreditation Package, the Accreditation Fee will not change.

HISP, CA, and RA Fees

Fees are based on an applicant’s gross revenue and are assessed in a revenue-based tiered structure. See additional notes on what fees include below. Any additional time required to complete the Review that is not attributable to delays caused by DirectTrust will be billed on a Time and Materials basis at a rate of $200.00 per hour.

  • HISP fee includes 20 Hours of Reviewer time to complete the Review.
  • CA fee includes 40 Hours of Reviewer Time to complete the Review.
  • RA fee includes 32 Hours of Reviewer Time to complete the Review.
  • RA Site Review fee includes 8 Hours of Reviewer Time per Site to complete the Review. Any expenses incurred by the Reviewer associated with travel to and from the RA Site location will be billed to the Applicant.

Cloud Service Provider Hosting Facility Accreditation Fees

For those Applicants that use a Cloud Service Provider (CSP), a separate appendix is provided in each Accreditation Questionnaire that contains Criteria that relate to the Cloud Service Provider environment.

DirectTrust assesses a flat fee of $1,000.00 per Cloud Service Provider instance.

The Fee for the Cloud Service Provider Hosting Review includes 3 Hours of Reviewer Time per Site to complete the Review. Any additional time required to complete the Cloud Service Provider Hosting Review that is not attributable to delays caused by DirectTrust will be billed on a Time and Materials basis at a rate of $200.00 per hour.

Level 1 Review Failure Fee

Level 1 Review Failure Fees are charged when an Applicant’s Self Attestation Questionnaire and/or Evidence (response) is not in good order. A response is considered to be not in good order for the following reasons:

  • One or more Criteria are not answered, i.e., left blank when a response is expected
  • The rules for labeling Evidence and other artifacts as defined in the Accreditation Companion Guide are not followed
  • A Criteria Response is not relevant

The Accreditation Program Reviewer performs an initial review of the Response to determine if the Response is in good order. For those Responses that are found to not be in good order the Reviewer will provide an explanation for each Criterion that is found to be either missing or not in good order.

The Level 1 Review Failure Fee is $200.00 per hour for the time that it takes to provide the explanation for the failure. Subsequent Responses will be evaluated, and a Level 1 Review Failure Fee will be charged every time the Response fails the Level 1 Review.

Accreditation Late Fees

Late Fees are assessed each month. Please note Late Fees are cumulative.

Standard Operating Procedure Document

Accredited Organizations List