
DirectTrust Accreditation Agreement with EHNAC Extended

Healthcare could have more options for data security with the EHNAC and DirectTrust accreditation agreement being extended through 2018.


By Elizabeth Snell

DirectTrust recently announced that it extended its accreditation agreement with the Electronic Healthcare Network Accreditation Commission (EHNAC) through 2018. The DirectTrust accreditation agreement helps DirectTrust administer its DTAAP accreditation and audit for Certificate Authorities and Registration Authorities.

“This agreement extends the ability for EHNAC and DirectTrust to work together to ensure a secure and unyielding trust framework for all health care stakeholders by providing significant flexibility to Direct Exchange Network participants,” EHNAC Executive Director Lee Barrett said in a statement.

DirectTrust works to facilitate secure HIE through the Direct Protocol and forms secure HIE policies and standards.

DirectTrust added in its statement that it is offering a new accreditation program in 2018 for DirectTrust Healthcare Information Service Providers (HISPs) of Direct messaging and exchange. DirectTrust HISPs will be able to obtain their HIPAA Privacy and Security accreditation and audit through either DirectTrust DTAAP or HITRUST CSF Assurance.

“In addition to managing the Privacy and Security requirements of these accreditation programs, EHNAC’s role as an Approved HITRUST CSF™ Assessor adds a new dimension to our relationship with DirectTrust, as we continue our partnership to support the secure and interoperable exchange of PHI for some of the highest respected brands in our industry,” Barrett stated.

DirectTrust President and CEO David C. Kibbe, MD, MBA explained that working with EHNAC and accepting HITRUST CSF certification will help ensure HIPAA best practices in the healthcare industry.

“Much recent attention has been focused on the trust frameworks and agreements used in support of health information exchanges in and between networks,” Kibbe noted. “The ONC’s rulemaking in this area is coming very soon, with a first draft for public comment expected by the end of December.”

“As such, accreditation, and on-site audit of privacy, security, and trust-in-identity controls and practices remains a central component of our Trust Framework, and the agreements and contracts that depend upon such accreditation and audit being performed regularly.” 

In 2016, EHNAC and HITRUST announced that the two organizations were working together to streamline their accreditation and certification programs, respectively.

EHNAC replaced its HIPAA-related privacy and security criteria with the HITRUST CSF provisions and controls. Even with the collaboration, though, EHNAC maintained its stakeholder-specific benefits to the accreditation process.

Furthermore, CSF certified organizations were able “to leverage that assessment in obtaining accreditation for one of EHNAC’s 18 stakeholder-specific accreditation programs,” the organizations explained in a statement. EHNAC accredited entities were also not affected.

“The healthcare industry is plagued by well-meaning yet inefficient processes, standards and protocols,” HITRUST CEO Daniel Nutkis said at the time. “It is through this partnership with EHNAC, and potentially other like-minded standards organizations, that we are growing our vision of helping the industry eliminate the complexity relating to information protection and compliance.”

EHNAC’s Barrett explained that the partnership also made sense because there was a high percentage of overlap between the EHNAC HIPAA-related privacy and security criteria and the HITRUST CSF.

“It is an incredible win for the industry that our organizations partner together to, most importantly, ensure the security and compliance of the healthcare industry, but to also do so in a way that offers more leadership and efficiency, and less complexity, redundancy and costs,” Barrett said.

He explained in an interview with that EHNAC had heard from many organizations that going through different types of certification (i.e., EHNAC, HITRUST) often came with a high internal cost.

Additionally, the entities had to complete similar types of questions, responses, or self-assessments.

“We started working with HITRUST and having discussions with them as far as the collaboration over a year ago,” Barrett said. “EHNAC’s accreditation looks at not only privacy and security, but we go beyond that into a review of the technical and operational aspects of a platform and infrastructure.”

“We look at best practices and we look at the resources that the organization has to support their product or service,” he continued. “We have a lot of stakeholder specific criteria that we've also developed in our programs.”

