Direct Trusted Agents
The Background of the Direct Trusted Agent Accreditation Program (DTAAP)
Launched in March 2010 as a part of the Nationwide Health Information Network (“NwHIN”), the Direct Project was created to specify a simple, secure, scalable, and standards-based way for participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet, enabling interoperable, secure messaging in the healthcare industry (“Industry”). Those Direct Project specifications and protocols are now known as the Direct standard, which meets a federal requirement for Meaningful Use Stage 2 as laid out by ONC and CMS in promulgated regulations and rules. “Directed exchange” is the term used for this secure communication.
For health care professionals, patients, and others to take advantage of Directed exchange of health information, Health Information Service Providers (HISPs) must coordinate the roles of Certificate Authorities (CAs) and Registration Authorities (RAs) while carrying out the responsibility for managing the intricate parts of the deployment of digital certificates and for managing public and private keys, which are necessary for Directed exchange subscribers to be assured of consistent privacy, security, and trust. Together, HISPs, CAs, and RAs are known as Trust Agents for the deployment and adoption of Directed exchange.
On April 4, 2013, ONC announced the exemplar cooperative award to DirectTrust, in partnership with EHNAC, for the promulgation and launch of the national accreditation program for HISPs, CAs, and RAs, and ONC will work collaboratively with the organization to achieve compliance and adoption.
For 2018, DirectTrust developed its own HISP-specific accreditation program. Together with the EHNAC HISP P&S (Privacy and Security only) Accreditation program, organizations can become eligible for the DirectTrust HISP program.
The EHNAC/DirectTrust HISP, CA, and RA Accreditation Programs
- Validates the technical, security, trust, and business practice conformance of Trust Agents involved in Direct.
- Assures HISP-to-HISP interoperability among accredited Trust Agents and other Direct participants.
- Facilitates security, interoperability and trust among Direct exchange participants; fosters public confidence; and otherwise promotes the adoption and success of Directed exchange through the promotion of policies and best practices for security and trust, consistent with state and federal law, for the purpose of improving the quality of health care through secure electronic exchange of health information. DirectTrust has developed and is continuing to develop specific standards and policies for Directed exchange Trust Agents, which enjoy widespread recognition in the Directed exchange community.
- Reduces risk to PHI and operations through the demonstration of a risk management program with effective controls that appropriately minimize threats.
- Prepares your organization for implementing secure communications in support of Meaningful Use requirements by ONC including secure, scalable, standards-based ways for participants to send authenticated, encrypted health information directly to known, trusted recipients over the internet.
We recognize the unique business and technical requirements of this niche and have developed four distinct accreditation programs that interested stakeholders can apply for. They are:
HISP: A Health Information Service Provider (HISP) is an organization that provides services on the Internet to facilitate use of Direct. A HISP is a logical concept that encompasses certain services that are required for Direct-mediated exchange, such as the management of trust between senders and receivers. It may be a separate business or technical entity from the sender or receiver, depending on the deployment option chosen by the implementation. A HISP maintains the digital certificate on the user’s behalf. Using this digital certificate, the HISP can securely send or receive Direct messages for the entity. The user initiates outgoing messages, and accesses incoming messages, through facilities provided by the HISP (often through a secure e-mail portal or client). This program is offered through DirectTrust and must be successfully completed along with the EHNAC HISP P&S Accreditation program**.
EHNAC HISP Privacy & Security (P&S): This program accredits the HISP for HIPAA Privacy and Security, which is a requirement when an organization is accredited for the HISP-specific requirements by DirectTrust. Please also see HISP above. The DirectTrust HISP program is a new initiative by DirectTrust in 2018 for all member HISPs**.
DTAAP CA: An authority trusted by one or more users to create and assign certificates. The CA performs the following general functions:
- Binds identities to cryptographic keys;
- Creates and signs certificates;
- Distributes certificates appropriately;
- Revokes certificates;
- Distributes certificate status information in the form of Certificate Revocation Lists (CRLs) or other mechanisms; and
- Provides a repository where certificates and certificate status information are stored and made available (if applicable).
DTAAP RA: An entity whose primary function is to reliably authenticate identities of individuals, organizations, representatives of organizations and their services, and administrators of services and devices. They are responsible for identification and authentication of certificate subjects. RAs evaluate and either approve or reject subscriber certificate management transactions (including certificate requests, renewal and re-key requests, and revocation requests).
* HISPs must apply for and become accredited through DirectTrust’s HISP program and the EHNAC HISP P&S Program. HISPs that provide their own CA and/or RA services must also apply for and become accredited for DTAAP-CA and DTAAP-RA in addition to HISP. If a HISP does not provide either of these services, it only needs to apply for HISP (through DirectTrust) and HISP P&S (through EHNAC) but must show evidence that it is using only EHNAC-accredited CAs and RAs for its HISP services.
* CAs must apply for and become accredited through the DTAAP-CA program.
* RAs must apply for and become accredited through the DTAAP-RA program.
To begin the application process for the Direct Trusted Agent Accreditation Program (DTAAP) for CA and RA, or for the EHNAC HISP P&S accreditation, please complete the application form through our website. Program criteria are located on the criteria page. Please contact DirectTrust for information on the HISP-specific Accreditation Program.
**DirectTrust HISP will also support an appropriately-scoped HITRUST Security and Privacy Assessment with certification. EHNAC is a certified HITRUST Assessor and can conduct this assessment.
Also, are you looking for hands-on support to help you through the pre-assessment steps, readiness planning process and more? Learn about EHNAC’s Consulting and Advisory Services which have been designed to support the Direct Trusted Agent Accreditation Programs.