Updates for 2025 include new Digital Therapeutic program criteria, new HIPAA and Maryland reproductive health regulations, FTC breach reporting rules, and revised NIST standards

WASHINGTON, DC – January 2, 2025 – DirectTrust®, a non-profit healthcare industry alliance focused on furthering trust in healthcare technology and data exchange through standards, accreditation, and other services, announced the release of new versions of program criteria for its 26 accreditation programs starting January 1, 2025.

Key updates for 2025 include finalized criteria for the new Digital Therapeutic program, which was developed in partnership with the Digital Therapeutics Alliance (DTA). An optional complement to DirectTrust’s Health App accreditation, the program provides certification for the efficacy, data privacy, and security of digital therapeutic (DTx) applications and platforms. DirectTrust oversees the administration of the program, while DTA leads criteria development.

DirectTrust Privacy and Security criteria have been updated to reflect the latest regulatory changes. The Privacy criteria still cover HIPAA, Personal Health & Wellness Data (PHWD), GDPR, and CCPA, but now also include new reproductive health regulations under HIPAA and Maryland privacy laws, as well as ten new criteria from the FTC Breach Reporting Rule, which impact non-HIPAA-regulated organizations handling sensitive data.

On the Security side, revisions were made to align with updates in NIST publications, including NIST 800-171 Rev3, 800-53 Rev5, NIST 800-66 Rev2, and the NIST Cybersecurity Framework v2.0. Additionally, 35 optional “Enhanced Security Criteria” from NIST 800-172 have been introduced to further strengthen security practices.

Following the standard 60-day public comment period, DirectTrust’s Criteria Committee and Commission have incorporated public feedback to finalize and adopt the enhanced 2025 criteria versions for the following 26 accreditation programs:

  1. Accountable Care Organization v5.0*
  2. Certificate Authority v2.1
  3. CARIN Code of Conduct for Consumer-Facing Applications (CARIN-CFA) v1.0
  4. Data Registry v5.0*
  5. Digital Therapeutic v1.0
  6. E-Prescribing for Electronic Health Networks v10.0*
  7. Electronic Prescriptions for Controlled Substances Certification Program for Pharmacy Vendors v4.5
  8. Electronic Prescriptions for Controlled Substances Certification Program for Prescribing Vendors v4.5
  9. Financial Services for Electronic Health Networks v6.0*
  10. Financial Services for Lockbox v6.0*
  11. Health App v2.0*
  12. Health Information Exchange v5.0*
  13. Health Information Service Provider (HISP) v2.1
  14. Healthcare Network for Electronic Health Networks v14.0*
  15. Healthcare Network for Medical Billers v5.0*
  16. Healthcare Network for Third Party Administrators v5.0*
  17. Healthcare Management Service Organization v5.0*
  18. Outsourced Services v5.0*
  19. Practice Management System v5.0*
  20. Privacy and Security v3.0*
  21. Registration Authority for Federal PKI v1.2
  22. Registration Authority v1.2
  23. Trusted Network for QHIN Participants v2.2
  24. UDAP Client App v1.1
  25. UDAP Client App – Basic v1.1
  26. UDAP Server v1.1

* Denotes programs that contain DirectTrust’s standard Privacy and Security criteria.

DirectTrust’s accreditation and certification programs are governed by the organization’s Electronic Healthcare Network Accreditation Commission (EHNAC). Visit the DirectTrust Commission’s criteria page for additional details.

About DirectTrust®
DirectTrust® is a non-profit, vendor-neutral alliance dedicated to establishing trust in a connected world. The organization serves as a forum for a consensus-driven community focused on health communication and cybersecurity, an ANSI standards development organization, an accreditation and certification body governed by EHNAC, and a developer of technical trust frameworks and supportive services for secure information exchange like Direct Secure Messaging and identity-verified credentials.

The goal of DirectTrust is to develop, promote, and, as necessary, help enforce the rules and best practices necessary to maintain privacy, security, and trust for stakeholders across and beyond healthcare. In addition, DirectTrust is committed to fostering widespread public confidence in the interoperable exchange of health information while promoting quality service, innovation, cooperation, and open competition in healthcare. To learn more, visit: DirectTrust.org.