Direct Trusted Agent Accreditation Program
The DirectTrust community has entered into a collaborative agreement with non-profit EHNAC (The Electronic Healthcare Network Accreditation Commission) to develop and offer an Accreditation Program for Trusted Agents, which include Health Internet Service Providers, HISPs, Certificate Authorities, CAs, and Registration Authorities, RAs. Our Accreditation Program is flexible and recognizes the diversity of combinations of these agents that exist in the market place. For example, some EHR vendors are implementing Direct, and in effect playing all three of these roles for their own customers; while other EHRs and PHRs are pairing up with full service HISPs and CAs in order to take advantage of the special expertise in PKI management these have.
Successful accreditation leads to the recognition of those companies via both the DirectTrust and EHNAC websites, and inclusion of their anchor certificates in the DirectTrust Anchor Bundle Distribution Program from DirectTrust (See https://bundles.directtrust.org for more information on DirectTrust’s anchor bundles.)
All Accreditation criteria for CAs, RAs and HISPs can be found at the EHNAC site by clicking here.
Accreditation Fees and Renewal
As of March, 2015, there are 36 fully accredited HISPs, CAs, and RAs, and one fully accredited CA/RA. There are 15 candidate accredited HISPs, CAs, and RAs. View logos of these organizations here.
The Background of the Direct Trusted Agent Accreditation Program (DTAAP)
Launched in March 2010 as a part of the Nationwide Health Information Network (“NwHIN”), the Direct Project was created to specify a simple, secure, scalable, and standards-based way for participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet, enabling interoperable, secure messaging in the healthcare industry (“Industry”). Those Direct Project specifications and protocols are now known as the Direct standard, which meets a federal requirement for Meaningful Use Stage 2 as laid out by ONC and CMS in recently promulgated regulations and rules; “Directed exchange” is the term used for this secure communication.
For health care professionals, patients, and others to take advantage of Directed exchange of health information, Health Information Service Providers (HISPs), must coordinate the roles of Certificate Authorities (CAs), and Registration Authorities (RAs), while carrying out the responsibility for managing the intricate parts of the deployment of digital certificates and of managing public and private keys, which are necessary for Directed exchange subscribers to be assured of consistent privacy, security, and trust. Together, HISPs, CAs, and RAs are known as Trust Agents for the deployment and adoption of Directed exchange.
As of April 4, 2013, ONC announced the exemplar cooperative award to DirectTrust with its partnership with EHNAC for the promulgation and launch of the national accreditation program for HISPs, CAs and RAs and will work collaboratively with the organization to achieve compliance and adoption.
The EHNAC/DirectTrust HISP, CA, or RA Accreditation Program
- Validates the technical, security, trust, and business practice conformance of Trust Agents involved in Direct.
- Assures HISP-to-HISP interoperability among accredited Trust Agents and other Direct participants.
- Facilitates security, interoperability and trust among Direct exchange participants; fosters public confidence; and otherwise promotes the adoption and success of Directed exchange through the promotion of policies and best practices for security and trust, consistent with state and federal law, for the purpose of improving the quality of health care through secure electronic exchange of health information. DirectTrust has developed and is continuing to develop specific standards and policies for Directed exchange Trust Agents, which enjoy widespread recognition in the Directed exchange community.
- Reduces risk to PHI and operations through the demonstration of a risk management program with effective controls that appropriately minimize threats.
- Prepares your organization for implementing secure communications in support of Meaningful Use requirements by ONC including secure, scalable, standards-based ways for participants to send authenticated, encrypted health information directly to known, trusted recipients over the internet.
We recognize the unique business and technical requirements of this niche and have developed three distinct accreditation programs that interested stakeholders can make application to pursue. They are:
A Health Information Service Provider (HISP) is an organization that provides services on the Internet to facilitate use of Direct. A HISP is a logical concept that encompasses certain services that are required for Direct-mediated exchange, such as the management of trust between senders and receivers. It may be a separate business or technical entity from the sender or receiver, depending on the deployment option chosen by the implementation. A user typically agrees to allow the HISP to maintain a digital certificate on his/her/its behalf. Using this digital certificate, the HISP can securely send or receive Direct messages for the entity. The user initiates outgoing messages, and accesses incoming messages, through facilities provided by the HISP (often through a secure e-mail portal or client).
* A HISP must complete the CA and RA sections of the self-assessment (SA); however, it is designated as a HISP only if it does not provide its own CA and RA services. The CA and RA, if contracted by the HISP, and not owned, must either already be EHNAC accredited or must be required to have a site visit/audit.
An authority trusted by one or more users to create and assign certificates. The CA performs the following general functions:
- Binds identities to cryptographic keys;
- Creates and signs certificates;
- Distributes certificates appropriately;
- Revokes certificates;
- Distributes certificate status information in the form of Certificate Revocation Lists (CRLs) or other mechanisms and;
- Provides a repository where certificates and certificate status information is stored and made available (if applicable).
* A CA must also complete the RA sections of the self-assessment.
An entity whose primary function is to reliably authenticate identities of individuals, organizations, representatives of organizations and their services, and administrators of services and devices. They are responsible for identification and authentication of certificate subjects. RAs evaluate and either approve or reject subscriber certificate management transactions (including certificate requests, renewal and re-key requests, and revocation requests).
* An RA can stand alone without needing to complete any other sections of the self-assessment