If you cannot find the answer to your question below or elsewhere on our web site, please contact us.

What is EHNAC Healthcare Network Accreditation?

EHNAC Healthcare Network Accreditation is a national standard that indicates that healthcare stakeholders including: electronic healthcare networks, financial services organizations, medical billers, third party administrators, outsourcers, ePrescribing networks, Healthcare Information Service Providers (HISP), Practice Management Systems vendors and others have met or exceeded EHNAC’s criteria.  The criteria includes conformance with federal healthcare reform legislation including HIPAA, HITECH/ARRA, ACA, 21st Century Cures Act, Omnibus Rule and other applicable state legislation.  Further, the criteria encompass the areas of privacy, security and confidentiality; technical performance; business practices; and resources. EHNAC accreditation is based on independent peer evaluation of an entity’s ability to perform at levels based on industry-established criteria. The accrediting process permits applicants to review their existing performance levels and to bring those levels into accordance with industry-established minimums, best practices and conformance with applicable federal and state healthcare reform legislation

What entities can become accredited?

EHNAC provides accreditation to the following healthcare stakeholders: electronic healthcare networks (EHN), ePrescribing networks, third party administrators (TPA), financial services organizations, managed service organizations (MSO), medical billers, health information exchanges (HIE/HIO/ACO), outsourcers (data center, co-lo, printing, scanning etc.) Practice Management Systems vendors and HISPs including registration and certificate authorities (CA & RA) in support of the direct message exchange protocol. Additional healthcare stakeholder accreditation programs continue to be evaluated and added to the comprehensive list of stakeholders that EHNAC supports.

Back to Top


Why should we consider becoming EHNAC accredited?

EHNAC is an independent 501c6 not-for-profit organization that is federally recognized as a standards development organization (SDO) and follows a very structured and transparent criteria development and public comment review process.  It is recognized by the industry for its quality of process, conformance with federal and key state healthcare reform legislative mandates, best practices, and value of its consultative on-site review/audits and recommendations. The Maryland Healthcare Access Commission (MHCC) and New Jersey Department of Banking & Insurance (DOBI) recognize EHNAC and its accreditation programs.  Other states monitor EHNAC’s accreditation program and process and may adopt similar model legislation in the future.

EHNAC accreditation benefits organizations by:

  • Providing a foundation for current and reusable policies and procedures
  • Assisting with HIPAA compliance
  • Helping to improve performances, quality metrics and measurements
  • Promoting industry best practices in healthcare EDI
  • Identifying security and business risks/exposures
  • Facilitating business discipline and organizational planning
  • Improving customer satisfaction
  • Helping to identify areas to reduce operational costs

Back to Top


What is the value proposition for an organization considering EHNAC accreditation?

EHNAC has developed a sample return-on-investment (ROI) model for organizations to use in assisting with the determination of the value proposition of EHNAC accreditation. This spread sheet is a ‘sample’ sheet to provide an example of how the model can be used and a ‘template’ sheet to determine the ROI for a specific organization.  However, the real value proposition of EHNAC accreditation is due to the fact that it is an independent, objective third party review of an organization’s ability to meet legislative conformance with healthcare reform legislation especially focusing on privacy, security and confidentiality of data for covered entities and business associates. Additionally, it is the assessment of technical performance, business practices and resources to support the services that the entity advertises that it provides.

Back to Top


How does my organization become accredited?

Our accreditation process is outlined in full detail in our accreditation guidelines, which provide the steps that an organization takes to apply for accreditation.  The first step is to answer the questions in the Application form located on the EHNAC Web site.

Back to Top


How do I know which accreditation program(s) to apply for?

To learn which EHNAC Program(s) is right for your organization, please refer to the Program Selection Guide.

Back to Top



EHNAC provides 18+ specific healthcare programs which include but are not limited to HIE’s, ePrescribers, clearinghouses and billing organizations. Each program contains many stakeholder specific requirements (unique to each program and their data handling responsibilities).  In addition to these requirements, EHNAC and HITRUST have worked together to align privacy and security requirements to benefit those candidates who choose to combine their programs.

Back to Top


How can I determine if an organization is accredited or is a candidate?

Parties with an interest in the current status of EHNAC candidates and accredited entities are directed to the Accredited Organizations section of the EHNAC web site. EHNAC endeavors to publish current status of organizations on the Web site, in a timely manner. EHNAC does not provide, in response to inquiries, individual reports on additions to accredited entities and changes in accreditation status. EHNAC protects the specific information provided by its candidates and accredited organizations and as such will not disclose any detail provided by those entities to any organizational inquiry.  Organizations seeking candidate or accredited organization information should periodically check the EHNAC Web site for the latest updates.

Back to Top


Which functions in an accreditation are measured by EHNAC’s criteria?

The criteria provide a specific and detailed measurement of many aspects of an organization’s ability to meet federal and state healthcare reform mandates such as HIPAA, Omnibus, ARRA/HITECH, ACA and other mandates for covered entities and BAs focusing on the areas of privacy, security, confidentiality, best practices, procedures, and assets. Other functional areas addressed include technical performance, business practices and resources.

The criteria consider the candidate’s fixed assets for the handling and processing of electronic data and exchange of information as well as disaster recovery, business continuity and backup/hot-site or co-lo capacity. The candidate must have sufficient asset capability to comply with the vigorous standards and best practices demanded by EHNAC’s criteria. EHNAC also examines the candidate’s procedures for training its staff on all technical requirements including the privacy and security aspects of HIPAA. Existence of the appropriate trading partner, business associate agreements and personnel manuals are reviewed and validated. Finally, an EHNAC site reviewer/auditor visits the candidate’s site(s) to verify the accuracy of the reporting and to develop any recommendations for improvement.

Back to Top


How will the proprietary information we submit to EHNAC be kept confidential?

EHNAC goes to great lengths to ensure that confidential information remains private, and has never had a breach of confidentiality since becoming established in 1993. The Confidentiality Measures section contains the details of how EHNAC works to protect the confidential and proprietary information submitted.

Back to Top


How does EHNAC develop criteria?

The recognition and adoption of EHNAC’s criteria is conducted in a public, transparent and structured methodology pursuant to EHNAC’s criteria development process. Certain industry benchmarks are recognized to represent a dynamic and timely compilation of those privacy and security practices, employee training programs, fixed assets, disaster recovery and business continuity, as well as contingency planning and other performance factors that should be achieved by any entity that functions as an exchange or medical information electronic health network. These benchmarks are memorialized in EHNAC’s criteria, and a candidate’s performance and capacity are measured against those standards. EHNAC has committees to review, revise and monitor its conformance to its structured methodology as a federally recognized SDO and also incorporates any federal and state healthcare reform legislative mandates into its criteria to assure its programs are compliant for its candidates and accredited entities.

Back to Top


How are the criteria adopted?

The proposed criteria appear on EHNAC’s web site and are emailed to all interested parties including all accredited entities; candidates for accreditation; persons and entities requesting information on the criteria; and all government and private institutions and agencies that have been identified by EHNAC as having an interest in the electronic transmission of healthcare information by and/or through its accredited entities. This includes: United States Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS), Office for Civil Rights (OCR), National Committee on Vital and Health Statistics (NCVHS), National Uniform Billing Committee, National Uniform Claim Committee, American Dental Association (ADA), National Council of Prescription Drug Programs (NCPDP), Workgroup for Electronic Data Interchange (WEDI), and other applicable committees and organizations.

Prior to adoption of any criteria, EHNAC has a 60-day public comment period. During this period, all interested parties are encouraged to review, assess and comment on the proposed criteria. After the comment period has closed, public comments are reviewed and revisions to the criteria will be made as deemed appropriate. Throughout the entire process, public participation is invited and encouraged. EHNAC seeks to recognize and adopt those standards that represent the essential facility practices and standards that are often typically achieved by well-functioning and reputable healthcare electronic networks and exchanges that comply with appropriate state and federal obligations.

Back to Top


How can my organization participate in establishing criteria?

EHNAC welcomes the participation of all parties interested in the healthcare transactions industry. A permanent criteria committee meets periodically to review and update EHNAC criteria. If you are interested in participating on the criteria committee, contact the committee chair.

Back to Top


How can I give feedback on criteria?

The EHNAC Criteria Comment Form can be filled out and delivered via the email address at the top of the comment form with your comments.

Back to Top

Is a unanimous vote of the commissioners required for accreditation?

No. A simple majority vote of the commission is required for approval of all accreditation issues.

Back to Top


Is there a representative assigned during the accreditation process?

A site reviewer/auditor is assigned after the application process has been completed. Questions can be submitted to the site reviewer/auditor while the Self-assessment process is being completed.

You may email questions to the site reviewer/auditor prior to the site visit/audit. Please include the entire text of the criteria in any question(s), including the statement of the criteria and the detail from the link. This detail is important to properly address questions in their entirety and to minimize any lack of clarity in responding appropriately.

Back to Top


Must an organization use the Disaster Recovery Plan template provided in the Self-assessment?

No, the provided Disaster Recovery Plan template is meant to be a sample only for those who are seeking clarification regarding the categories necessary for development of a disaster recovery plan (DRP). We understand that different organizations may approach this differently, and this is provided as a template for planning purposes. Each organization needs to determine the scope it requires.

Back to Top


What are the costs associated with becoming accredited?

Organization fees are determined by revenue except for government, not-for-profit and outsource entities. The revenue from an organization is defined as any services performed either electronically or on paper that supports the program.  This includes all electronic transactions, messages, patient statements, customer service, infrastructure, technical performance, business practice, privacy and security, resources, etc.

Each year, Accredited Organizations must submit Annual Revenue Verification to EHNAC.  For new organizations, this is submitted as part of the applicant process.

Below are the costs for both initial and additional programs:


Fee Categories for All Programs
Size Revenue Amount Annual Fee Multiple Program Fee Site Visit Fee/Site/Day
Very Small Under $3M $3250 $1625 $5000
Small & Outsourced Orgs Greater Than $3 Less Than $8M $4250 $2125 $5000
Medium Greater Than $8 Less Than $20M $8500 $4250 $8000
Med/Large Greater Than $20 Less Than $50M $13000 $6500 $8000
Large Greater Than $50M Less Than $75M $20000 $10000 $8000
Very Large Greater Than $75M $26500 $13250 $8000

Note: Federal, state, and non-profit organizations are included in the Small Size above.  Each site visit fee is considered one day.

For Accredited organizations, the Annual Fee is due every year prior to the accreditation date.  For New organizations, this is paid as part of the applicant process.

The Multiple Program Fee occurs when an organization applies for accreditation in more than one program.  The Multiple Program Fee applies to each additional program(s) applied for and is based on the organization’s combined program revenues.  This fee (or fees) is paid like the Site Visit Fee on the accreditation year.

ECPSCP fees are two part; a Biennial (every two year) fee and a review fee.  There is no site visit required for ECPSCP.  The Biennial Fee is $8,500 per organization regardless of revenue.  The Review Fee is $5,000 for the first certification and discounted to $4,000 for each re-certification.  If an organization wishes to certify both EPCSCP-Pharmacy and EPCSCP-Prescribing, there is a Multiple Program Fee, also biennial, for the second program of $4,250, as well as an additional Review Fee of $5,000 for the first certification and discounted to $4,000 for each re-certification.

TDRAAP-Basic Certification Fees – This $1,200 fee is paid annually for the 1-year certification

If an organization included privacy and security with their HITRUST Certification, and the scope followed the PHI, there is a $1,000 discount on the Site Visit fee.

Site Visit Fees for sites that are outside the US are $4000 per day in addition to the standard Site Visit per day Fees (plus travel expenses).  See International Travel Process for additional fee details.  See International Accreditation page for definitions and details

Travel expenses are not included and will be submitted to your organization after the site visit(s).

The fee categories are the same for each accreditation.  The annual Fee is paid each year and all other fees are due every other year on the accreditation date.

To Compute your estimated fees, please refer to the Cost Calculation Table.  Fee information detail can be found in the Fees page, the International Travel Process and in the Accreditation Guidelines.

For organizations with multiple facilities and for OSAP applicants that have sites that perform the same function and which demonstrate adherence to the same policies and procedures, a site visit rotation will be used to accredit the candidate as shown in the following table. NOTE: The table below is provided as a guideline only, as the number of sites requiring a visit may be increased based on such factors as newly acquired sites, sites that do not currently comply with standard policies and procedures, or other factors where additional visits are determined to be required.

No. of Sites Site Visits Required No. of Sites Site Visits Required No. of Sites Site Visits Required No. of Sites Site Visits Required
1 1 11 4 21 6 31 7
2 2 12 4 22 6 32 7
3 2 13 4 23 6 33 7
4 2 14 5 24 6 34 7
5 3 15 5 25 6 35 8
6 3 16 5 26 6 36 8
7 3 17 5 27 7 37 8
8 3 18 5 28 7 38 8
9 4 19 5 29 7 39 8
10 4 20 6 30 7 40 8

In addition to the above, when the self-assessment process requires subsequent re-submissions of documentation to meet the criteria after the site visit is completed, there will be a charge of $225/hour for site reviewer/auditor time for each additional submission of documentation.

Back to Top


What is the discount agreement with CAQH CORE?

CORE-certified entities can take advantage of a one-time discount for CORE Phase I- and/or Phase II- certified entities. The partnership program discount is $400 for organizations with annual revenue below $75 million and $600 for organizations with annual revenue above $75 million. The entity will indicate that it is CORE certified when submitting its Application . (EHNAC will confirm CAQH CORE certification status independently.) View the CAQH CORE website for more information about CORE certification.

Back to Top


What is the discount agreement with DirectTrust.org members?

Directtrust.org members can take advantage of a one-time discount on the DTAAP HISP, CA and RA accreditation programs. The partnership program discount is $400 for organizations with annual revenue below $75 million and $600 for organizations with annual revenue above $75 million. The entity will indicate that it is a DirectTrust.org member when submitting its Application. (EHNAC will confirm DirectTrust.org membership status independently.)

Back to Top


Must an organization pay the Site Visit Fees at the time as the Annual Fee?

The Site Visit Fee and the Annual Fee can be paid separately.  In the Accreditation process, the Self Assessment documentation package will not be provided until the Application is complete which includes payment of both the Site Visit Fee and the Annual Fee.  Delaying the application completion can limit the self-assessment time available to the organization possibly leading to additional costs such as Late Fees.

Back to Top


Can an Organization Based (headquartered) outside the US become Accredited?

Yes – EHNAC will accredit companies based outside the US after all accreditation requirements are met. All International based Organization’s In-scope sites must have Site Visits performed to be considered for EHNAC Accreditation. Please see also the Site Visit page and the Accreditation Guidelines.

Back to Top


 Can a US Based Organization that has sites outside the US become Accredited?

Yes, a US Based Organization with sites outside the US can become Accredited given one of the following:

  1. EHNAC performs site visits for all In-scope Organization Sites and In-scope Outsources Sites including those located both within and outside of the US.
  2. EHNAC performs site visits for all In-scope Organization Sites and In-scope Outsources Sites including those located within and outside of the US, with the exception of certain sites outside the US that are not required to be visited (such as certain support and development offices with no or minimum access to PHI). In such a case, EHNAC will annotate its website to disclose that the Organization has sites outside the US that were not physically reviewed.

See also the Site Visit page and the International Accreditation page for more information.

Back to Top


 What are the costs associated with a Site Visit outside the US?

For a Site Visit outside the US, the cost is $4000 plus the standard Site Visit fee per day plus travel.

For detail please see the International Travel Process document, The Fees Page and the Accreditation Guidelines.  Some key items related to International travel are:

  • Site Reviewers will travel to sites outside the US in Business class
  • The candidate organization must arrange for a car and an English-speaking driver to allow for effective transportation to/from hotels, airports, and the candidate organization’s facilities.
  • If English is not the primary language as referenced here: http://en.wikipedia.org/wiki/List_of_countries_where_English_is_an_official_language then the candidate organization must make accommodations for a translator to accompany the Site Reviewer for the duration of the time in the destination country.
  • If the destination countries require airport exit fees or visa fees, those fees will be reimbursed by the candidate organization.
  • The candidate organization must provide a cell phone with a local number to the Site Reviewer for the entire duration of the visit. If possible, the candidate should mail the phone to the Site Reviewer prior to the travel begin date. The candidate should also pre-load contact names and phone numbers into the phone prior to providing it to the Site Reviewer.
  • In the event a particular destination country is on the US Department of State’s travel warnings website (http://travel.state.gov/content/passports/english/alertswarnings.html) the candidate organization is responsible for the Site Reviewer’s security for the duration of stay in such destination country. Security detail must be paid for by the candidate organization.

Back to Top


What is the timeframe for the accreditation process?

Accreditation timeframes vary depending on the size of your organization, although most organizations complete the process within 6 to 8 months. Please click here for a sample timeline for both first-time applicants and re- applicants. Applicants are given 12 months from the date of application approval to complete the accreditation process. The self-assessment must be submitted 4 months prior to the end of the 12-month time limit.

EHNAC has also developed a sample project plan outlining the steps in accreditation. This can be used by an organization as a reference for further customization.

Back to Top


What is the estimated time it will take to complete the Self-assessment?

We estimate the self-assessment responses and evidence for a first Accreditation could take anywhere from 2 months to 4 months, depending on a number of factors including the the level of preparation for each organization.  For example, how mature are the organizational policies, procedures, and controls?  Does your organization have to rely on many workforce members to put the material together or will one resource be able to respond to all?  If your organization has a less mature infrastructure, or if there is a lot of coordination that must occur to get responses and evidence put together, it will elongate the process.

Additionally, EHNAC offers Consulting & Advisory Services, as well as a Privacy & Security Toolkit, which may be of interest to your organization as you prepare for the Accreditation process.

Back to Top


What happens after my application is approved?

Upon receipt of your application fee and Commission approval, your organization or corporation receives Candidate Status. Once you receive this status, you will be sent the EHNAC Accreditation Candidate logo. You have the right to use the following EHNAC-approved designation:

“[Candidate] [organization or corporate] has been granted CANDIDACY STATUS by the Electronic Healthcare Network Accreditation Commission (EHNAC). This status is granted only to entities whose applications have been carefully reviewed by the Commission, who the Commission believes to be in substantial compliance with its criteria and who are likely to qualify for provisional, interim or full accreditation within one year of the granting of Candidacy Status.”

Candidacy Status is then listed on the EHNAC website on the Accreditation Status page.

The Accreditation Guidelines containing the rules of the accreditation program, Commission guidelines, approved uses of all Commission designations, and other program information are available on the EHNAC web site for your reference. You will also receive the Self-Assessment guidelines and report, which explains the criteria for accreditation as well as the required supporting documentation.

Back to Top


How long does accreditation last?

Accreditation is granted for two (2) years. Organizations must then re-apply.

Back to Top


What does my accreditation number mean?

The first 2 letters are Program Codes
The next four digits are the base, where base 0001 equals the number in order of accredited organizations
The next 2 places represent the number of times accredited
The next two places are the month accredited
The next 2 places are the year accredited

Program Codes:

ACOAP                                  AC
DRAP                                    DG
DT P&S                                  DP
ePAP – EHN                         EP
EHNAC P&S                         PS
EPCSCP – Pharmacy          EH
EPCSCP – Prescribing        ER
FSAP – EHN                         FE
FSAP – Lockbox                  FL
HIEAP                                   HI
HNAP – EHN                       HE
HNAP – Medical Biller       HM
HNAP – TPA                        HA
MSOAP                                MS
OSAP                                   O [Program letter]
PMSAP                                PM
TNAP – QHIN                    TQ
TNAP – Participant           TP

Back to Top