Establishing trust through certification of policy adherence
DirectTrust operates Accreditation programs for Health Information Service Providers (HISPs), Certificate Authorities (CAs), and Registration Authorities (RAs). Entities accredited by DirectTrust have demonstrated best practices, met HIPAA, privacy, and security compliance standards, and validated policy requirements. By becoming accredited, organizations can prove interoperability with other accredited entities, avoid one-off agreements with others, and become part of the DirectTrust Trust Bundle to participate in the network.
Why is the accreditation of HISPs, CAs, and RAs Necessary?
- Establishes Trust within Network
- Demonstrates Policy Adherence
- Ensures Uniform Security Compliance
- Mitigates Risk of PHI Exchange
- Verifies HIPAA and Privacy Compliance
- Business Process Oversight
- Illustrates Best Practices
Requirements for Accreditation
- Maintenance of a HIPAA Privacy and Security Accreditation or Certification. DirectTrust has approved and will accept HIPAA Privacy and Security Accreditation or Certification from the following vendors:
- Operation within the security, trust and business practice guidelines of the DirectTrust Security and Trust Framework
- Demonstrated ability to mitigate risk when handling Protected Health Information (PHI) through the implementation of effective management controls and practices
* Note: For those HISP Applicants that choose HITRUST, please contact DirectTrust to discuss the HITRUST CSF Tool Scope settings in the CSF Tool. For version 9.0 or higher, HISP Applicants at a minimum MUST select Privacy and Security and include in the Regulatory Factor setting: Subject to EHNAC Accreditation.
Additional Criteria for CA Accreditation
- All Certificate and Identity Proofing Policies and Procedures meet DirectTrust’s Certificate Policy
Additional Criteria for HISP Accreditation
- Conformance with all aspects of the Direct Standard™ Exchange Protocol
- Ability to securely interoperate with other HISPs in the DirectTrust Network
The DirectTrust Accreditation Fee Schedule may be changed at DirectTrust’s sole discretion. Once an Applicant executes and submits the Accreditation Package, the Accreditation Fee will not change.
HISP, CA, and RA Fees
Fees are based on an applicant’s gross revenue and are assessed in a revenue-based tiered structure. See additional notes on what fees include below. Any additional time required to complete the Review that is not attributable to delays caused by DirectTrust will be billed on a Time and Materials basis at a rate of $200.00 per hour.
- HISP fee includes 20 Hours of Reviewer time to complete the Review.
- CA fee includes 40 Hours of Reviewer Time to complete the Review.
- RA fee includes 32 Hours of Reviewer Time to complete the Review.
- RA Site Review fee includes 8 Hours of Reviewer Time per Site to complete the Review. Any expenses incurred by the Reviewer associated with travel to and from the RA Site location will be billed to the Applicant.
Cloud Service Provider Hosting Facility Accreditation Fees
For those Applicants that use a Cloud Service Provider (CSP), a separate appendix is provided in each Accreditation Questionnaire that contains Criteria that relate to the Cloud Service Provider environment.
DirectTrust assesses a flat fee of $1,000.00 per Cloud Service Provider instance.
The Fee for the Cloud Service Provider Hosting Review includes 3 Hours of Reviewer Time per Site to complete the Review. Any additional time required to complete the Cloud Service Provider Hosting Review that is not attributable to delays caused by DirectTrust will be billed on a Time and Materials basis at a rate of $200.00 per hour.
Level 1 Review Failure Fee
Level 1 Review Failure Fees are charged when an Applicant’s Self Attestation Questionnaire and/or Evidence (response) is not in good order. A response is considered to be not in good order for any of the following reasons:
- One or more Criteria are not answered, i.e., left blank when a response is expected
- The rules for labeling Evidence and other artifacts as defined in the Accreditation Companion Guide are not followed
- A Criteria Response is not relevant
The Accreditation Program Reviewer performs an initial review of the Response to determine if the Response is in good order. For those Responses that are found to not be in good order, the Reviewer will provide an explanation for each Criterion that is found to be either missing or not in good order.
The Level 1 Review Failure Fee is charged at $200.00 per hour for the time that it takes to provide the explanation for the failure. Subsequent Responses will be evaluated, and a Level 1 Review Failure Fee will be charged every time the Response fails the Level 1 Review.
Accreditation Late Fees
Late Fees are assessed each month. Please note Late Fees are cumulative.