Direct Trusted Agent Accreditation Program
The DirectTrust community now offers two accreditation programs for Trusted Agents: DirectTrust HISP Accreditation, and DirectTrust-EHNAC Accreditation for CAs and RAs. Trusted Agents include Health Information Service Providers (HISPs), Certificate Authorities (CAs), and Registration Authorities (RAs). Our Accreditation Program is flexible and recognizes the diversity of combinations of these agents that exist in the marketplace. For example, some EHR vendors are implementing Direct and in effect playing all three of these roles for their own customers, while other EHRs and PHRs are pairing up with full-service HISPs and CAs in order to take advantage of the special expertise in PKI management these have.
Successful accreditation leads to the recognition of those companies via the DirectTrust website and inclusion of their anchor certificates in the DirectTrust Anchor Bundle Distribution Program from DirectTrust (See https://bundles.directtrust.org for more information on DirectTrust’s anchor bundles.)
DirectTrust HISP Accreditation Program
HISP Accreditation Criteria
All Accreditation criteria for HISPs can be found at the DirectTrust Accreditation site.
As of April 2017, there are 46 fully accredited HISPs, CAs, and RAs, and one fully accredited CA/RA. There are 4 candidate accredited HISPs, CAs, and RAs. Logos of these organizations are shown on the DirectTrust site.
Direct Trusted Agent Accreditation Program (DTAAP-CA/RA)
The DirectTrust community has entered into a collaborative agreement with the non-profit EHNAC (the Electronic Healthcare Network Accreditation Commission) to develop and offer an Accreditation Program for Trusted Agents, which include Certificate Authorities (CAs) and Registration Authorities (RAs). Our Accreditation Program is flexible and recognizes the diversity of combinations of these agents that exist in the marketplace. Successful DirectTrust HISP Accreditation and DTAAP CA/RA accreditation lead to the recognition of those companies.
CA/RA Accreditation Criteria
All Accreditation criteria for CAs, RAs and HISPs can be found at the EHNAC site.
As of early 2017, there are 44 fully accredited HISPs, CAs, and RAs, and one fully accredited CA/RA. There are 15 candidate accredited HISPs, CAs, and RAs. Logos of these organizations are shown on the EHNAC site.
The Background of the DirectTrust HISP Accreditation Program and Direct Trusted Agent Accreditation Program (DTAAP-CA/RA)
Launched in March 2010 as a part of the Nationwide Health Information Network (“NwHIN”), the Direct Project was created to specify a simple, secure, scalable, and standards-based way for participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet, enabling interoperable, secure messaging in the healthcare industry (“Industry”). Those Direct Project specifications and protocols are now known as the Direct standard, which meets a federal requirement for Meaningful Use Stage 2 as laid out by ONC and CMS in recently promulgated regulations and rules. “Direct exchange” is the term used for this secure communication.
For healthcare professionals, patients, and others to take advantage of Direct exchange of health information, Health Information Service Providers (HISPs) must coordinate the roles of Certificate Authorities (CAs) and Registration Authorities (RAs) while carrying out the responsibility for deploying digital certificates and managing the public and private keys that Direct exchange subscribers rely on for consistent privacy, security, and trust. Together, HISPs, CAs, and RAs are known as Trust Agents for the deployment and adoption of Direct exchange.
On April 4, 2013, ONC announced the exemplar cooperative award to DirectTrust, in partnership with EHNAC, for the promulgation and launch of the national accreditation program for HISPs, CAs and RAs, and will work collaboratively with the organization to achieve compliance and adoption.
In January 2017, DirectTrust and EHNAC jointly agreed to sunset the DTAAP HISP Accreditation and separate it into two parts:
- HIPAA Privacy and Security Certification
- DirectTrust HISP Accreditation will now be run and administered solely by DirectTrust
The HIPAA Privacy and Security Certification is currently accepted from either EHNAC or HITRUST. If you choose to use HITRUST, please note that certain special instructions must be provided to define the scope of the audit. The HITRUST HIPAA Privacy and Security Certification audit must be performed at Level 1 or higher with those additional special instructions. Please contact DirectTrust for the additional instructions.
The DirectTrust Accreditation Program and DirectTrust-EHNAC Direct Trusted Agent Accreditation Program (DTAAP-CA/RA)
- Validates the technical, security, trust, and business practice conformance of Trust Agents involved in Direct.
- Assures HISP-to-HISP interoperability among accredited Trust Agents and other Direct participants.
- Facilitates security, interoperability and trust among Direct exchange participants; fosters public confidence; and otherwise promotes the adoption and success of Direct exchange through the promotion of policies and best practices for security and trust, consistent with state and federal law, for the purpose of improving the quality of health care through secure electronic exchange of health information. DirectTrust has developed and is continuing to develop specific standards and policies for Direct exchange Trust Agents, which enjoy widespread recognition in the Direct exchange community.
- Reduces risk to PHI and operations through the demonstration of a risk management program with effective controls that appropriately minimize threats.
- Prepares your organization for implementing secure communications in support of Meaningful Use requirements by ONC including secure, scalable, standards-based ways for participants to send authenticated, encrypted health information directly to known, trusted recipients over the internet.
We recognize the unique business and technical requirements of this niche and have developed three distinct accreditation programs that interested stakeholders may apply for. They are:
- DirectTrust HISP Accreditation
- DirectTrust-EHNAC DTAAP CA
- DirectTrust-EHNAC DTAAP RA
DirectTrust HISP Accreditation
A Health Information Service Provider (HISP) is an organization that provides services on the Internet to facilitate use of Direct. A HISP is a logical concept that encompasses certain services that are required for Direct-mediated exchange, such as the management of trust between senders and receivers. It may be a separate business or technical entity from the sender or receiver, depending on the deployment option chosen by the implementation. A Subscriber agrees to allow the HISP to maintain a digital certificate on his/her/its behalf. Using this digital certificate, the HISP can securely send or receive Direct messages for the entity. The user initiates outgoing messages, and accesses incoming messages, through facilities provided by the HISP (often through a secure e-mail portal or client).
* A HISP is designated as a HISP only if it does not provide its own CA and RA services. If the HISP also operates as a CA/RA, it must complete the DirectTrust-EHNAC DTAAP CA/RA Accreditation Programs. A CA or RA that the HISP contracts with rather than owns must already hold DirectTrust-EHNAC DTAAP CA/RA accreditation.
DirectTrust-EHNAC DTAAP CA
An authority trusted by one or more users to create and assign certificates. The CA performs the following general functions:
- Binds identities to cryptographic keys;
- Creates and signs certificates;
- Distributes certificates appropriately;
- Revokes certificates;
- Distributes certificate status information in the form of Certificate Revocation Lists (CRLs) or other mechanisms; and
- Provides a repository where certificates and certificate status information are stored and made available (if applicable).
* A CA must also complete the RA sections of the self-assessment.
DirectTrust-EHNAC DTAAP RA
An entity whose primary function is to reliably authenticate identities of individuals, organizations, representatives of organizations and their services, and administrators of services and devices. They are responsible for identification and authentication of certificate subjects. RAs evaluate and either approve or reject subscriber certificate management transactions (including certificate requests, renewal and re-key requests, and revocation requests).
* An RA can stand alone without needing to complete any other sections of the self-assessment.
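As an added example, not DirectTrust, EHNAC or any accredited vendor's code, the following Python script walks through the CA functions listed above and the RA function described in this section, together with the check a relying party such as a receiving HISP performs: the RA approves a certificate request only for an identity-proofed Direct address, the CA binds that address to the subscriber's public key by signing a certificate that carries the address as an rfc822Name subject alternative name, the CA publishes a signed CRL, and the checker validates signature, issuer, validity period, address binding and revocation status. The CA names, the Direct address drjones@direct.example-clinic.test, the identity-proofed address list and the fixed clock are all constructed for the example; it uses the pyca cryptography package.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC = datetime.timezone.utc
NOW = datetime.datetime(2017, 4, 1, tzinfo=UTC)  # fixed clock so the example is reproducible (constructed)


def new_key():
    """RSA key pair; for the subscriber this is the key the HISP holds on the subscriber's behalf."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_ca(common_name="Example Direct CA (hypothetical)"):
    """Self-signed CA certificate whose key usage permits signing certificates and CRLs."""
    key = new_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    usage = x509.KeyUsage(digital_signature=True, key_cert_sign=True, crl_sign=True,
                          content_commitment=False, key_encipherment=False, data_encipherment=False,
                          key_agreement=False, encipher_only=False, decipher_only=False)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(usage, critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def ra_approve(direct_address, proofed_addresses):
    """RA function: approve a certificate request only for an address whose subscriber was identity-proofed."""
    return direct_address.lower() in {a.lower() for a in proofed_addresses}


def issue_subscriber_cert(ca_key, ca_cert, direct_address, subscriber_public_key, days=365):
    """CA function: bind the Direct address (rfc822Name SAN) to the subscriber's public key and sign."""
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, direct_address)]))
            .issuer_name(ca_cert.subject).public_key(subscriber_public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(direct_address)]), critical=False)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def issue_crl(ca_key, ca_cert, revoked_serials):
    """CA function: distribute certificate status as a signed CRL listing revoked serial numbers."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def _validity(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases only the naive UTC ones
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)


def check_certificate(cert, ca_cert, crl, direct_address, now=NOW):
    """Relying-party check (e.g. a receiving HISP): signature, issuer, validity, address binding, CRL status."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "bad-signature"
    if cert.issuer != ca_cert.subject:
        return "wrong-issuer"
    not_before, not_after = _validity(cert)
    if not not_before <= now <= not_after:
        return "expired"
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if direct_address.lower() not in [a.lower() for a in san.get_values_for_type(x509.RFC822Name)]:
        return "address-mismatch"
    if not crl.is_signature_valid(ca_cert.public_key()):  # the CRL must come from the same CA
        return "untrusted-crl"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def demo():
    """End-to-end run on constructed data; returns the status before and after revocation."""
    ca_key, ca_cert = make_ca()
    address = "drjones@direct.example-clinic.test"  # constructed sample Direct address
    if not ra_approve(address, ["drjones@direct.example-clinic.test"]):
        return "rejected-by-ra", None
    cert = issue_subscriber_cert(ca_key, ca_cert, address, new_key().public_key())
    before = check_certificate(cert, ca_cert, issue_crl(ca_key, ca_cert, []), address)
    after = check_certificate(cert, ca_cert, issue_crl(ca_key, ca_cert, [cert.serial_number]), address)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running the script prints the status before and after the CA revokes the subscriber certificate. The checker refuses a CRL that is not signed by the issuing CA before consulting it, since a revocation list from an untrusted source says nothing about the certificate's status; a production relying party would also handle CRL freshness (next_update) and chain building through intermediate CAs, which this single-tier example omits.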