Accreditation
Establishing trust through certification of policy adherence
About Accreditation
DirectTrust operates Accreditation programs for Health Information Service Providers (HISPs), Certificate Authorities (CAs), and Registration Authorities (RAs). Entities accredited by DirectTrust have demonstrated best practices, met HIPAA, privacy, and security compliance standards, and validated policy requirements. By becoming accredited, organizations can prove interoperability with other accredited entities, avoid one-off agreements with others, and can become part of the DirectTrust Trust Bundle to participate in the network.
Recently DirectTrust announced the closing of our merger with EHNAC, which creates a much more robust Accreditation body within DirectTrust. To learn more about this merger and its impact, including FAQs, visit this page.
Why is the accreditation of HISPs, CAs, and RAs Necessary?

- Establishes Trust within Network
- Promotes Interoperability
- Demonstrates Policy Adherence
- Ensures Uniform Security Compliance
- Mitigates Risk of PHI Exchange
- Verifies HIPAA and Privacy Compliance
- Business Process Oversight
- Illustrates Best Practices
The Process

Requirements for Accreditation
Accreditation Criteria
- Applicants must maintain a HIPAA Privacy and Security Accreditation or Certification throughout the life of their DirectTrust Accreditation. DirectTrust has approved and will accept HIPAA Privacy and Security Accreditation or Certification from the following vendors:
  - DirectTrust governed by the Electronic Healthcare Network Accreditation Commission (EHNAC) – DirectTrust Privacy and Security Accreditation.
  - Health Information Trust Alliance (HITRUST) – HIPAA Privacy and Security Certification *
  - WebTrust – (Chartered Professional Accountants of Canada). Note: This Certification is only for Certificate and Registration Authorities.
- Operate in conformance with DirectTrust community standards including the DirectTrust Security and Trust Framework and Certificate Policies as applicable.
* Note: For Applicants that choose HITRUST, please review the following HITRUST MyCSF Tool Scope Settings, and contact DirectTrust as needed for clarification/verification on Scope settings:
- Applicants using MyCSF Version 9.1 or earlier MUST at a minimum select both Privacy and Security and MUST include in the Regulatory Factor setting: Subject to EHNAC Accreditation
- Applicants using MyCSF Version 9.2 or later SHALL at a minimum select both Privacy and Security and SHALL include in the Regulatory Factor setting: Subject to EHNAC Accreditation and HIPAA, and under HIPAA select: Security, Privacy and Breach
- Applicants using MyCSF Version 9.6.2 or later SHALL at a minimum specify Regulatory Factor = Subject to DirectTrust Accreditation
Additional Criteria for CA/RA Accreditation
- All Certificate and Identity Proofing Policies and Procedures meet DirectTrust’s Certificate Policy
- For CA/RA Applicants: DirectTrust will accept the WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security Certification in lieu of a HIPAA Privacy and Security Accreditation or Certification.
Additional Criteria for HISP Accreditation
- Conformance with all aspects of the Direct Standard® Exchange Protocol
- Ability to securely interoperate with other HISPs in the DirectTrust Network
Accreditation Fees
The DirectTrust Accreditation Fee Schedule may be changed at DirectTrust’s sole discretion. Once an Applicant executes and submits the Accreditation Package, the Accreditation Fee will not change.
HISP, CA, and RA Fees
Fees are based on an applicant’s gross revenue and are assessed in a revenue-based tiered structure. See additional notes on what fees include below. Any additional time required to complete the Review that is not attributable to delays caused by DirectTrust will be billed on a Time and Materials basis at a rate of $200.00 per hour.
- HISP fee includes 20 Hours of Reviewer time to complete the Review.
- CA fee includes 40 Hours of Reviewer Time to complete the Review.
- RA fee includes 32 Hours of Reviewer Time to complete the Review.
- RA Site Review fee includes 8 Hours of Reviewer Time per Site to complete the Review. Any expenses incurred by the Reviewer associated with travel to and from the RA Site location will be billed to the Applicant.
Cloud Service Provider Hosting Facility Accreditation Fees
For those Applicants that use a Cloud Service Provider (CSP), a separate appendix is provided in each Accreditation Questionnaire that contains Criteria that relate to the Cloud Service Provider environment.
DirectTrust assesses a flat fee of $1,000.00 per Cloud Service Provider instance.
The Fee for the Cloud Service Provider Hosting Review includes 3 Hours of Reviewer Time per Site to complete the Review. Any additional time required to complete the Cloud Service Provider Hosting Review that is not attributable to delays caused by DirectTrust will be billed on a Time and Materials basis at a rate of $200.00 per hour.
Level 1 Review Failure Fee
Level 1 Review Failure Fees are charged when an Applicant’s Self Attestation Questionnaire and/or Evidence (response) is not in good order. A response is considered to be not in good order for the following reasons:
- One or more Criteria are not answered, i.e., left blank when a response is expected
- The rules for labeling Evidence and other artifacts as defined in the Accreditation Companion Guide are not followed
- A Criteria Response is not relevant
The Accreditation Program Reviewer performs an initial review of the Response to determine if the Response is in good order. For those Responses that are found to not be in good order, the Reviewer will provide an explanation for each Criterion that is found to be either missing or not in good order.
The Level 1 Review Failure Fee is $200.00 per hour for the time that it takes to provide the explanation for the failure. Subsequent Responses will be evaluated, and a Level 1 Review Failure Fee will be charged every time the Response fails the Level 1 Review.
Accreditation Late Fees
Late Fees are assessed each month. Please note Late Fees are cumulative.