Criteria updates include new Digital Therapeutics program criteria, new HIPAA and Maryland reproductive health regulations, FTC breach reporting rules, and revised NIST standards

WASHINGTON, DC – September 24, 2024 – DirectTrust®, a non-profit healthcare industry alliance focused on furthering trust in healthcare data exchange through standards, accreditation, and other services, today announced it has posted new versions of program criteria for its 27 accreditation programs for public review and comment. The open process for adopting criteria commenced on September 23 and ends on November 22, 2024.

A key update for 2025 is the inclusion of the criteria for the new Digital Therapeutics program. A subgroup of the DirectTrust Criteria Council has established and codified proposed criteria for the new program, which will be published for a 60-day public comment period. An add-on to the DirectTrust Health App accreditation, the Digital Therapeutics program provides accreditation for efficacy, data privacy and security for digital therapeutics applications and platforms (DTx). Earlier this year, the Digital Therapeutics Alliance (DTA) and DirectTrust announced a strategic partnership to develop a program that would expand existing DirectTrust programs that provide independent assessment of health apps for privacy, security, and transparency, as well as interoperability compliance with regulations and best practices. DirectTrust is the program’s administrator, while DTA leads the criteria development.

DirectTrust’s Privacy and Security criteria have been updated to ensure full alignment with the latest regulatory changes. The Privacy criteria still encompass HIPAA, Personal Health & Wellness Data (PHWD), GDPR, and CCPA, but now incorporate new reproductive health rules under HIPAA and Maryland privacy laws, as well as ten new criteria from the FTC Breach Reporting Rule, particularly impacting non-HIPAA-regulated organizations handling sensitive data. On the Security side, criteria have been revised based on updates to NIST publications, including NIST 800-171 Rev3, 800-53 Rev5, and the NIST Cybersecurity Framework. Additionally, 35 optional “Enhanced Security Criteria” from NIST 800-172 have been introduced.

DirectTrust’s accreditation and certification programs are governed by the organization’s Electronic Healthcare Network Accreditation Commission (EHNAC). The criteria review process is an essential part of DirectTrust’s methodology and commitment to transparency, allowing stakeholders involved with healthcare data exchange to voice their recommendations and help shape standards-based accreditation within the healthcare industry.

Criteria versions for the following 27 enhanced programs are available for review:

  1. Accountable Care Organization (ACOAP) v5.0*
  2. Certificate Authority (CAAP) v2.1
  3. CARIN Code of Conduct for Consumer-Facing Applications (CARIN-CFA) v1.0
  4. Data Registry (DRAP) v5.0*
  5. Digital Therapeutics v1.0
  6. E-Prescribing Network (ePAP-EHN) v10.0*
  7. Electronic Prescriptions for Controlled Substances Certification Program for Pharmacy Vendors (EPCSCP-Pharmacy) v4.5
  8. Electronic Prescriptions for Controlled Substances Certification Program for Prescribing Vendors (EPCSCP-Prescribing) v4.5
  9. Financial Services Network (FSAP-EHN) v6.0*
  10. Financial Services Lockbox (FSAP-Lockbox) v6.0*
  11. Health App v2.0*
  12. Health Information Exchange (HIEAP) v5.0*
  13. Health Information Services Provider (HISP) v2.1
  14. Healthcare Network (HNAP-EHN) v14.0*
  15. Healthcare Network for Medical Billers (HNAP-Medical Biller) v5.0*
  16. Healthcare Network for Third Party Administrators (HNAP-TPA) v5.0*
  17. Healthcare Management Service Organization (MSOAP) v5.0*
  18. Outsourced Services (OSAP) v5.0*
  19. Practice Management System (PMSAP) v5.0*
  20. Privacy and Security v3.0*
  21. Registration Authority for Federal PKI (RA-Federal PKI) v1.2
  22. Registration Authority (RAAP) v1.2
  23. Trusted Network for Qualified Health Information Network Applicants (TNAP-HIN) v2.3
  24. Trusted Network for QHIN Participants (TNAP-Participant) v2.2
  25. UDAP Client App v1.1
  26. UDAP Client App – Basic v1.1
  27. UDAP Server v1.1

Visit www.DirectTrust.org for additional details, or visit the Commission’s criteria page to review the latest criteria and submit feedback during this comment period.

About DirectTrust®
DirectTrust® is a non-profit, vendor-neutral alliance dedicated to instilling trust in the exchange of health data. The organization serves as a forum for a consensus-driven community focused on health communication, an American National Standards Institute (ANSI) standards development organization, an accreditation and certification body through EHNAC (the Electronic Healthcare Network Accreditation Commission), and a developer of trust frameworks and supportive services for secure information exchange like Direct Secure Messaging and trusted, compliant document submission.

The goal of DirectTrust is to develop, promote, and, as necessary, help enforce the rules and best practices necessary to maintain privacy, security, and trust for stakeholders across and beyond healthcare. In addition, DirectTrust is committed to fostering widespread public confidence in the interoperable exchange of health information while promoting quality service, innovation, cooperation, and open competition in healthcare. To learn more, visit: DirectTrust.org.