EHNAC Announces Finalized 2021 Accreditation Criteria Versions for All Accreditation Programs

Important updates include new program criteria designed to help payers and providers meet CMS Interoperability and Patient Access final rule requirements

 FARMINGTON, Conn. – January 4, 2021 – The Electronic Healthcare Network Accreditation Commission (EHNAC), a non-profit standards development organization and accrediting body for organizations that electronically exchange healthcare data, today announced the release of new criteria versions for its 20 accreditation programs for use, starting January 1, 2021.

Significant updates to the 2021 criteria include requirements from HITRUST CSF® V9.4 and the finalization of three new programs: Trusted Dynamic Registration & Authentication Accreditation Programs (TDRAAP-Basic and TDRAAP-Comprehensive) and EHNAC P&S Comprehensive. TDRAAP Basic-Certification and TDRAAP Comprehensive are designed to help healthcare organizations demonstrate their ability to use trusted digital certificates for endpoint identity, registration, authentication, and attribute discovery for electronic healthcare transactions in real-time. The EHNAC Privacy and Security Option (EHNAC P&S), which is available for most EHNAC accreditation programs, is ideal for many healthcare stakeholders and addresses EHNAC Privacy and Security, customer service, business practices, personnel requirements, third-party cloud service providers and more.

“As we reflect on the last year, it’s shown to be more important than ever that our industry continues to focus on security, confidentiality, accountability and efficiency when electronically exchanging healthcare data,” said Lee Barrett, Executive Director and CEO of EHNAC. “EHNAC’s new and enhanced accreditation programs demonstrate the dedication of our criteria committee and commission, who work tirelessly to address the ongoing best practices and legislative and regulatory revisions to ensure organizations are compliant and ahead of potential risk.”

Following the standard, 60-day public comment period, EHNAC’s Criteria Committee and Commission have incorporated public feedback to finalize and adopt the enhanced and final criteria versions for the following 20 accreditation programs:

  1. ACOAP – Accountable Care Organization Accreditation Program (V4.0)*
  2. DRAP – Data Registry Accreditation Program (V4.0)*
  3. DT P&S – DirectTrust Privacy & Security (V2.0)*
  4. EHNAC P&S – EHNAC Privacy & Security (V2.0)*
  5. ePAP-EHN – e-Prescribing Accreditation Program (V9.0)*
  6. EPCSCP-Pharmacy – Electronic Prescription of Controlled Substances Certification Program – Pharmacy Vendor (V4.1)
  7. EPCSCP-Prescribing – Electronic Prescription of Controlled Substances Certification Program – Prescribing Vendor (V4.1)
  8. FSAP-EHN – Financial Services Accreditation Program for Electronic Health Networks (V5.0)*
  9. FSAP-Lockbox – Financial Services Accreditation Program for Lockbox Services (V5.0)*
  10. HIEAP – Health Information Exchange Accreditation Program (V4.0)*
  11. HNAP-EHN – Healthcare Network Accreditation Program for Electronic Health Networks [Includes Payer] (V13.0)*
  12. HNAP-Medical Biller – Healthcare Network Accreditation Program for Medical Billers (V4.0)*
  13. HNAP-TPA – Healthcare Network Accreditation Program for Third Party Administrators (V4.0)*
  14. MSOAP – Management Service Organization Accreditation Program (V4.0)*
  15. OSAP – Outsourced Services Accreditation Program1 (V4.0)*
  16. PMSAP – Practice Management System Accreditation Program (V4.0)*
  17. TDRAAP – Trusted Dynamic Registration & Authentication Accreditation Program-Basic (V1.0)
  18. TDRAAP – Trusted Dynamic Registration & Authentication Accreditation Program-Comprehensive (V1.0)*
  19. TNAP– Trusted Network Accreditation Program – Participant/Participant Member (V1.2)
  20. TNAP-QHIN – Trusted Network Accreditation Program – QHIN (V1.2)

The EHNAC criteria for each of its accreditation programs sets the foundational requirements for measuring an organization’s ability to meet/align with federal and state healthcare reform mandates such as HIPAA/HITECH, 21st Century Cures Act, TEFCA, NIST 171 (including elements of 800-53 and 800-66), NIST Cybersecurity Framework, GDPR and other mandates and best practices like NIST, for health care organizations focusing on the areas of privacy, security, cybersecurity, breach handling, confidentiality, best practices, procedures and assets.

The H.R. 7898  bill, nicknamed the HIPAA Safe Harbor Law, passed by both the House of Representatives and U.S. Senate recently and awaiting the President’s signature, amends HITECH and directs the U.S. Department of Health & Human Services to incentivize best practices for meeting HIPAA security requirements by requiring the Department to take into consideration whether a covered entity or business associate has met recognized security practices, including cybersecurity practices, when making certain determinations, such as enforcement actions, or for other regulatory purposes. Recognized security practices refer to standards, guidelines, best practices, methodologies, procedures and processes developed by NIST and other programs that adequately address cybersecurity and recognized by other statutory authorities. Therefore, the bill provides an incentive for healthcare entities to achieve accreditations by EHNAC and others as defined under “recognized security practices.”

Healthcare industry stakeholders are encouraged to regularly visit to download and review the latest EHNAC criteria versions in full detail. Applicant candidates commencing the accreditation or re-accreditation process in 2021 will be required to adhere to these updated criteria versions.

* Indicates program includes HITRUST CSF Criteria

1OSAP includes 10 different accreditation programs tailored for Accountable Care Organization Technology Service Providers; Call Centers; Data Centers; DRP Facilities; Health Information Exchange Technology Service Providers; Media Storage; Network Administrators; Printing; Product Development; and Scanning.

The Electronic Healthcare Network Accreditation Commission (EHNAC) is a voluntary, self-governing standards development organization (SDO) established to develop standard criteria and accredit organizations that electronically exchange healthcare data. These entities include accountable care organizations, data registries, electronic health networks, EPCS vendors, e-prescribing solution providers, financial services firms, health information exchanges, health information service providers, management service organizations, medical billers, outsourced service providers, payers, practice management system vendors, third-party administrators and trusted networks. The Commission is an authorized HITRUST External Assessor, making it the only organization able to provide both EHNAC accreditation as well as to conduct HITRUST CSF assessment services.

EHNAC was founded in 1995 and is a tax-exempt 501(c)(6) nonprofit organization. Guided by peer evaluation, the EHNAC accreditation process promotes quality service, innovation, cooperation and open competition in healthcare. To learn more, visit, contact, or follow us on TwitterLinkedIn and YouTube.