Security and Trust Compliance Workgroup

Workgroup Co-chair(s):

Luis Maas, EMR Direct

Jeff McDonald, RelayHealth

Date and Time of Weekly Calls:

Alternating Fridays at 2:00 pm ET 

Purpose/Description of Workgroup:

  • The DirectTrust Security and Trust Compliance workgroup is charged with maintaining a program that HISPs, CAs, and RAs can use to voluntarily apply, qualify, and thereby attest to having met or exceeded best practices for security and trust, all within the context of and abiding by the policies and regulations promulgated by ONC and HHS for Direct exchange, and respectful of any state privacy and security laws that may apply.
  • It is important to note that the Direct Project itself does not implement Direct exchange services, nor does it specify how trust between HISPs (and between their organizational or individual subscribers) is to be established and maintained. A uniform framework for security and trust is required, however, if HISPs are to attain interoperability with one another. Thus, there is a gap in the ability of Direct exchange to scale nationally which this effort is intended to fill as a public benefit and a service to Direct exchange participants everywhere.
  • The overall DirectTrust goal is to help assure the stability and interoperability of Direct exchange implementations nationally, and to develop, promote, and as necessary enforce the best practices necessary to maintain security and trust within the Direct Community. We seek to be a neutral party that provides a lighthouse function to the community of Direct participants, both suppliers and subscribers.


  • Create and maintain an accreditation program for HISPs, CAs, and RAs, by consolidating the security and trust best practices criteria assembled by regional and state efforts to establish national trust communities for Direct.
  • Create a consistent “measuring stick” by which a HISP, CA, or RA can measure adherence to security and trust best practices that is economically scalable and produces a high confidence in exchange.




  • Direct Trusted Agent Accreditation Program (DTAAP) launched.
  • DirectTrust HISP Policy v 1.0 released.


In Progress / Under Consideration