Direct Trusted Agents
The Background of the Direct Trusted Agent Accreditation Program (DTAAP)
Launched in March 2010 as a part of the Nationwide Health Information Network (“NwHIN”), the Direct Project was created to specify a simple, secure, scalable, and standards-based way for participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet, enabling interoperable, secure messaging in the healthcare industry (“Industry”). Those Direct Project specifications and protocols are now known as the Direct standard, which meets a federal requirement for Meaningful Use Stage 2 as laid out by ONC and CMS in recently promulgated regulations and rules; “Directed exchange” is the term used for this secure communication.
For health care professionals, patients, and others to take advantage of Directed exchange of health information, Health Information Service Providers (HISPs) must coordinate the roles of Certificate Authorities (CAs) and Registration Authorities (RAs), while carrying out the responsibility for managing the intricate parts of the deployment of digital certificates and for managing the public and private keys that Directed exchange subscribers need in order to be assured of consistent privacy, security, and trust. Together, HISPs, CAs, and RAs are known as Trust Agents for the deployment and adoption of Directed exchange.
As of April 4, 2013, ONC announced the exemplar cooperative award to DirectTrust, in partnership with EHNAC, for the promulgation and launch of the national accreditation program for HISPs, CAs, and RAs, and will work collaboratively with the organization to achieve compliance and adoption.
The EHNAC/DirectTrust HISP, CA, or RA Accreditation Program:
- Validates the technical, security, trust, and business practice conformance of Trust Agents involved in Direct.
- Assures HISP-to-HISP interoperability among accredited Trust Agents and other Direct participants.
- Facilitates security, interoperability and trust among Direct exchange participants; fosters public confidence; and otherwise promotes the adoption and success of Directed exchange through the promotion of policies and best practices for security and trust, consistent with state and federal law, for the purpose of improving the quality of health care through secure electronic exchange of health information. DirectTrust has developed and is continuing to develop specific standards and policies for Directed exchange Trust Agents, which enjoy widespread recognition in the Directed exchange community.
- Reduces risk to PHI and operations through the demonstration of a risk management program with effective controls that appropriately minimize threats.
- Prepares your organization for implementing secure communications in support of Meaningful Use requirements by ONC, including secure, scalable, standards-based ways for participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet.
We recognize the unique business and technical requirements of this niche and have developed three distinct accreditation programs that interested stakeholders can apply to pursue. They are:
DTAAP HISP: A Health Information Service Provider (HISP) is an organization that provides services on the Internet to facilitate use of Direct. A HISP is a logical concept that encompasses certain services that are required for Direct-mediated exchange, such as the management of trust between senders and receivers. It may be a separate business or technical entity from the sender or receiver, depending on the deployment option chosen by the implementation. A user typically agrees to allow the HISP to maintain a digital certificate on his/her/its behalf. Using this digital certificate, the HISP can securely send or receive Direct messages for the entity. The user initiates outgoing messages, and accesses incoming messages, through facilities provided by the HISP (often through a secure e-mail portal or client).
DTAAP CA: An authority trusted by one or more users to create and assign certificates. The CA performs the following general functions:
- Binds identities to cryptographic keys;
- Creates and signs certificates;
- Distributes certificates appropriately;
- Revokes certificates;
- Distributes certificate status information in the form of Certificate Revocation Lists (CRLs) or other mechanisms; and
- Provides a repository where certificates and certificate status information are stored and made available (if applicable).
DTAAP RA: An entity whose primary function is to reliably authenticate identities of individuals, organizations, representatives of organizations and their services, and administrators of services and devices. They are responsible for identification and authentication of certificate subjects. RAs evaluate and either approve or reject subscriber certificate management transactions (including certificate requests, renewal and re-key requests, and revocation requests).
* A HISP must complete the CA and RA sections of the self-assessment (SA); however, it is designated as a HISP only if it does not provide its own CA and RA services. The CA and RA, if contracted by the HISP and not owned, must either already be EHNAC accredited or must be required to have a site visit/audit.
* A CA must also complete the RA sections of the self-assessment.
* An RA can stand alone without needing to complete any other sections of the self-assessment.
To begin the application process for the Direct Trusted Agent Accreditation Program (DTAAP), please complete the application form through our website. Program criteria are located on the criteria page.
Here’s what a couple of Direct Trusted Agent accredited organizations recently said about the program:
-Andy Heeren, Director, CERN Network IP, Cerner Networks
-Bruce Schreiber, Chief Technology Officer, MaxMD