Accreditation
Establishing trust through certification of policy adherence
About Accreditation
Trust is everything in healthcare, which is why DirectTrust accredits organizations to demonstrate compliance with policy and industry best practices. While DirectTrust historically has operated accreditation programs pertaining to Direct Secure Messaging, our 2023 merger with EHNAC (the Electronic Healthcare Network Accreditation Commission) expanded our offerings to include more than 20 different accreditation programs.
Our Accreditation offerings include:
- Accountable Care Organizations
- CARIN Code of Conduct
- Certificate Authorities
- Cloud-Enabled Services
- Data Registry
- DirectTrust Privacy and Security
- EHNAC Privacy and Security
- e-Prescribing
- e-Prescribing of Controlled Substances Certification Program for Pharmacy Applications
- e-Prescribing of Controlled Substances Certification Program for Prescribing Applications
- Financial Services
- Electronic Health Network
- Lockbox
- Health Information Exchanges
- Health Information Service Providers
- Healthcare Networks
- Third-Party Administrators
- Payer
- Medical Biller
- Management Services Organizations
- Outsourced Services
- Accountable Care Organization
- Call Center
- Cloud Service Provider
- Data Center
- Disaster Recovery
- Health Information Exchange technology providers
- Media Storage
- Network Administrator
- Printing
- Product Development
- Scanning
- Practice Management Systems
- Registration Authorities
- Trusted Dynamic Registration and Authentication
- Trusted Network
- Health Information Network
- Health Information Network Participant
To access more information on the programs offered by EHNAC as part of DirectTrust, visit EHNAC.org.
Our HISP, CA, and RA accreditations remain under the DirectTrust policies, procedures, and processes for 2023. In 2024, we will move to a single accreditation umbrella under EHNAC, including a streamlined fee structure and presentation of accreditation programs.
To learn more about our merger with EHNAC and its impact, including FAQs, visit this page.
As we continue our incorporation of EHNAC into DirectTrust, we’ve spent a great deal of time reviewing the Accreditation Fees and are updating our fee structure to be effective January 1, 2024. Our new Accreditation Fee structure is designed for scalability for organizations of varying sizes and program pursuits. As such, the structure contains several different types of fees which are outlined below.
Accreditation Fees
Accreditation fees are based on program(s), location(s), and revenue level. Accredited organizations incur an Annual Fee. Every other year, when an organization pursues accreditation (its On-Cycle year), it additionally incurs Assessment, Location, and (if applicable) Multi-Program Discounted and Program-Specific Fees, as appropriate. In Off-Cycle years, organizations pay only the Annual Fee. Please see the definitions for more information regarding what’s included in our fee structure.
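Fee columns are grouped as follows: Recurring Revenue (Annual Fee, Multi-Program Discounted Fee); Assessment Revenue (Assessment Fee, Assessment Fee for Additional Programs, Additional Location Fee); Additional Fees (HITRUST Criteria Fee, Identity Practices Assessment Fee).
Revenue Tier | Annual Fee | Multi-Program Discounted Fee | Assessment Fee | Assessment Fee for Additional Programs | Additional Location Fee | HITRUST Criteria Fee | Identity Practices Assessment Fee |
---|---|---|---|---|---|---|---|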
1 – Very Small – Under $3M | $3,000 | $1,500 | $5,500 | $1,500 | $3,500 | $3,500 | $4,000 |
2 – Small – Greater than $3 Less than $8M | $4,250 | $2,125 | $6,000 | $2,000 | $4,000 | $4,000 | $4,500 |
3 – Medium – Greater than $8 Less than $20M | $8,500 | $4,250 | $9,500 | $2,500 | $4,000 | $4,000 | $5,000 |
4 – Medium/Large – Greater than $20 Less than $50M | $13,000 | $6,500 | $10,000 | $4,000 | $5,000 | $5,000 | $5,000 |
5 – Large – Greater than $50 Less than $75M | $20,000 | $10,000 | $13,000 | $4,500 | $5,000 | $5,000 | $8,000 |
6 – Very Large – Greater than $75M | $26,500 | $13,250 | $15,000 | $5,000 | $6,000 | $6,000 | $8,000 |
*Federal, state, and non-profit organizations are included in the Small Size above.
Program-Specific Fees | Annual Fee | Multi-Program Discounted Fee | Assessment Fee | Additional Location Fee |
---|---|---|---|---|
CARIN Code of Conduct | $3,250 | NA | $4,000 | NA |
EPCS | $3,250 | $1,625* | $4,000 | NA |
OSAP | $4,250 | NA | $6,000 | $4,000 |
TDRAAP-Basic | $1,200 | NA | NA | NA |
*EPCS can only be a Multiple Program with another EPCS program.
Fee Definitions
Recurring Revenue Fees:
- Annual Fee: The Annual Fee is charged to each organization on an annual basis and is calculated based on the organization’s revenue and program selection. The Annual Fee supports program administration and maintenance for the first program an organization pursues.
- Multi-Program Discounted Fee: In lieu of an Annual Fee for each subsequent program, a discounted Annual Fee is paid initially at program enrollment and biennial renewal.
Accreditation Program Assessment Fees:
- Assessment Fee: The Assessment Fee is the base fee for the assessment of the first program and first location.
- Assessment Fee for Additional Programs: The Additional Program Assessment Fee is charged for the assessment of any programs beyond the first program included in the Assessment Fee.
- Additional Location Fee: The Additional Location fee applies for any additional locations beyond the first location included in the Assessment Fee. If a Location requires more than one day of review, an Additional Location Fee will be incurred.
Additional Program-Specific Fees:
- HITRUST Criteria Fee: The HITRUST Criteria Fee is incurred when an organization does not hold a validated HITRUST certification but completes the HITRUST-aligned security version of the self-assessment. Electing to use the HITRUST criteria does not grant the applicant a HITRUST validated certification.
- Identity Practices Assessment Fee: The Identity Practices Assessment Fee applies to Certificate Authorities and Identity Providers for each individual Practices Statement review. This is in addition to the Assessment fees.
About DirectTrust HISP/CA/RA Accreditation
DirectTrust operates Accreditation programs for Health Information Service Providers (HISPs), Certificate Authorities (CAs), and Registration Authorities (RAs). Entities accredited by DirectTrust have demonstrated best practices, met HIPAA, privacy, and security compliance standards, and validated policy requirements. By becoming accredited, organizations can prove interoperability with other accredited entities, avoid one-off agreements with others, and can become part of the DirectTrust Trust Bundle to participate in the network.
Why is the accreditation of HISPs, CAs, and RAs Necessary?

- Establishes Trust within Network
- Promotes Interoperability
- Demonstrates Policy Adherence
- Ensures Uniform Security Compliance
- Mitigates Risk of PHI Exchange
- Verifies HIPAA and Privacy Compliance
- Business Process Oversight
- Illustrates Best Practices
The Process

Requirements for Accreditation
Accreditation Criteria
- Applicants must maintain a HIPAA Privacy and Security Accreditation or Certification throughout the life of their DirectTrust Accreditation. DirectTrust has approved and will accept HIPAA Privacy and Security Accreditation or Certification from the following vendors:
  - DirectTrust governed by the Electronic Healthcare Network Accreditation Commission (EHNAC) – DirectTrust Privacy and Security Accreditation.
  - Health Information Trust Alliance (HITRUST) – HIPAA Privacy and Security Certification *
  - WebTrust – (Chartered Professional Accountants of Canada). Note: This Certification is only for Certificate and Registration Authorities.
- Operate in conformance with DirectTrust community standards including the DirectTrust Security and Trust Framework and Certificate Policies as applicable.
* Note: For Applicants that choose HITRUST, please review the following HITRUST MyCSF Tool Scope Settings, and contact DirectTrust as needed for clarification/verification on Scope settings:
- Applicants using MyCSF Version 9.1 or earlier MUST at a minimum select both Privacy and Security and MUST include in the Regulatory Factor setting: Subject to EHNAC Accreditation
- Applicants using MyCSF Version 9.2 or later SHALL at a minimum select both Privacy and Security and SHALL include in the Regulatory Factor setting: Subject to EHNAC Accreditation and HIPAA and under HIPAA select: Security, Privacy and Breach
- Applicants using MyCSF Version 9.6.2 or later SHALL at a minimum specify Regulatory Factor = Subject to DirectTrust Accreditation
Additional Criteria for CA/RA Accreditation
- All Certificate and Identity Proofing Policies and Procedures meet DirectTrust’s Certificate Policy
- For CA/RA Applicants: DirectTrust will accept the WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security Certification in lieu of a HIPAA Privacy and Security Accreditation or Certification.
Additional Criteria for HISP Accreditation
- Conformance with all aspects of the Direct Standard® Exchange Protocol
- Ability to securely interoperate with other HISPs in the DirectTrust Network
Current DirectTrust Accreditation Fees
The DirectTrust Accreditation Fee Schedule may be changed at DirectTrust’s sole discretion. Once an Applicant executes and submits the Accreditation Package, the Accreditation Fee will not change.
HISP, CA, and RA Fees
Fees are based on an applicant’s gross revenue and are assessed in a revenue-based tiered structure. See additional notes on what fees include below. Any additional time required to complete the Review that is not attributable to delays caused by DirectTrust will be billed on a Time and Materials basis at a rate of $200.00 per hour.
- HISP fee includes 20 Hours of Reviewer time to complete the Review.
- CA fee includes 40 Hours of Reviewer Time to complete the Review.
- RA fee includes 32 Hours of Reviewer Time to complete the Review.
- RA Site Review fee includes 8 Hours of Reviewer Time per Site to complete the Review. Any expenses incurred by the Reviewer associated with travel to and from the RA Site location will be billed to the Applicant.
Cloud Service Provider Hosting Facility Accreditation Fees
For those Applicants that use a Cloud Service Provider (CSP), a separate appendix is provided in each Accreditation Questionnaire that contains Criteria that relate to the Cloud Service Provider environment.
DirectTrust assesses a flat fee of $1,000.00 per Cloud Service Provider instance.
The Fee for the Cloud Service Provider Hosting Review includes 3 Hours of Reviewer Time per Site to complete the Review. Any additional time required to complete the Cloud Service Provider Hosting Review that is not attributable to delays caused by DirectTrust will be billed on a Time and Materials basis at a rate of $200.00 per hour.
Level 1 Review Failure Fee
Level 1 Review Failure Fees are charged when an Applicant’s Self Attestation Questionnaire and/or Evidence (response) is not in good order. A response is considered to be not in good order for the following reasons:
- One or more Criteria are not answered, i.e., left blank when a response is expected
- The rules for labeling Evidence and other artifacts as defined in the Accreditation Companion Guide are not followed
- A Criteria Response is not relevant
The Accreditation Program Reviewer performs an initial review of the Response to determine if the Response is in good order. For those Responses that are found to not be in good order, the Reviewer will provide an explanation for each Criterion that is found to be either missing or not in good order.
The fee is $200.00 per hour for the time that it takes to provide the explanation for the failure. Subsequent Responses will be evaluated, and a Level 1 Review Failure Fee will be charged every time the Response fails the Level 1 Review.
Accreditation Late Fees
Late Fees are assessed each month. Please note Late Fees are cumulative.