If you cannot find the answer to your question below or elsewhere on our web site, please contact us.
Why should we gain EHNAC Accreditation?
Attaining EHNAC Accreditation demonstrates to the healthcare industry that your organization can be “trusted” to handle sensitive information in a secure manner. The review process offers an independent, objective third party review of an organization’s ability to comply with privacy, security, cybersecurity, breach and other related federal and state requirements. Additionally, every program is designed to “raise the healthcare operational/management bar” for that specific business niche. Additionally, all of EHNAC’s Reviewers and Practitioners are experienced 20+ year healthcare Subject Matter Experts.
Under the recent HITECH Amendment PL 116-321 (HIPAA Safe Harbor Law), EHNAC qualifies as a “Recognized Security Practice” as the rule states and includes the NIST cyber-security framework which is embedded within its programs, it has been involved with the HHS 405(d) Cybersecurity Information Sharing Act (CISA) initiative since its inception and has served the industry as a federally recognized standards development organization (SDO) for more than 26 years. EHNAC follows a structured and transparent criteria development and public comment review process and is recognized by the industry for its quality of process, conformance with federal and key state healthcare reform legislative mandates, best practices, and provides the value of its consultative on-site review/audits and recommendations. The Maryland Healthcare Access Commission (MHCC) and New Jersey Department of Banking & Insurance (DOBI) regulatorily recognize EHNAC and its accreditation programs. Many health plans and health systems as well as healthcare vendors and stakeholders recognize and accept EHNAC accreditation to meet their Third Party Assurance (TPA) requirements. Some state Health Information Exchange Programs require EHNAC Accreditation prior to onboarding. The CMS Data At-the-Point-of-Care Pilot Project recognizes many of EHNACs programs as part of the connection establishment process. Other states monitor EHNAC’s accreditation program and process and may adopt similar model legislation in the future.
What entities can become accredited?
EHNAC provides accreditation to all types of stakeholder entities handling health care data. Any entity subject to HIPAA/HITECH as a Covered Entity or Business Associate can align with our many programs based on the type of data handled and the business purpose followed. Some programs are specific to those handling data which are not HIPAA covered entities or business associates, such as Technical Application Developers. EHNAC stakeholders include, but are not limited to electronic healthcare networks (EHN), Health Information Networks, ePrescribing networks, third party administrators (TPA), financial services organizations, managed service organizations (MSO), medical billers, health information exchanges (HIE/HIO/ACO), outsourcers (data center, co-lo, printing, scanning etc.) Practice Management Systems vendors and HISPs in support of the direct message exchange protocol. Some programs also qualify under other authorities and standards for certification such as the Trusted Network Accreditation Program (jointly administered by EHNAC and HITRUST); the Electronic Prescriptions Controlled Substances (EPCS) as administered by the DEA and the Trusted Dynamic Registration and Authentication Accreditation Program TDRAAP- which includes a technical framework using Unified Data Access Profiles. Additional healthcare stakeholder accreditation programs continue to be evaluated and added to the comprehensive list of stakeholders that EHNAC supports.
How do I know which accreditation program(s) to apply for?
EHNAC and HITRUST?
EHNAC provides 20+ specific healthcare programs which include but are not limited to HIE’s, ePrescribers, clearinghouses and billing organizations. Each program contains many stakeholder specific requirements (unique to each program and their data handling responsibilities). In addition to these requirements, EHNAC and HITRUST have worked together to align privacy and security requirements to benefit those candidates who choose to combine their programs.
What factors should be considered when deciding if my organization should gain EHNAC or HITRUST or both programs?
How should I choose between the EHNAC or HITRUST related privacy and security options?
Accreditation Costs Section
What are the costs associated with becoming accredited?
Organization fees are determined by revenue except for government, not-for-profit and outsource entities. The revenue from an organization is defined as any services performed either electronically or on paper that supports the program. This includes all electronic transactions, messages, patient statements, customer service, infrastructure, technical performance, business practice, privacy and security, resources, etc.
Each year, Accredited Organizations must submit Annual Revenue Verification to EHNAC. For new organizations, this is submitted as part of the applicant process.
Below are the costs for both initial and additional programs:
|Size||Revenue Amount||Annual Fee||Multiple Program Fee||Site Visit Fee/Site/Day|
|Very Small||Under $3M||$3250||$1625||$5000|
|Small & Outsourced Orgs||Greater Than $3 Less Than $8M||$4250||$2125||$5000|
|Medium||Greater Than $8 Less Than $20M||$8500||$4250||$8000|
|Med/Large||Greater Than $20 Less Than $50M||$13000||$6500||$8000|
|Large||Greater Than $50M Less Than $75M||$20000||$10000||$8000|
|Very Large||Greater Than $75M||$26500||$13250||$8000|
Note: Federal, state, and non-profit organizations are included in the Small Size above. Each site visit fee is considered one day.
* If an organization selects the HITRUST version of the criteria and the organization does not currently have HITRUST certification there is an additional Site Visit Day Fee.
Each site visit fee is considered one day.
For Accredited organizations, the Annual Fee is due every year prior to the accreditation date. For New organizations, this is paid as part of the applicant process.
EHNAC offers an Accreditation with Midterm review beginning January 1, 2022, for organizations wishing to pursue this. The fee is $4,000 per program.
The Multiple Program Fee occurs when an organization applies for accreditation in more than one program. The Multiple Program Fee applies to each additional program(s) applied for and is based on the organization’s combined program revenues. This fee (or fees) is paid like the Site Visit Fee on the accreditation year.
ECPSCP Annual Fee $3,250 is paid annually, and the Review Fee $4,000 is paid every 2 years with the certification. There is no site visit required for ECPSCP. The Annual Fee is $3,250 per organization regardless of revenue. If an organization wishes to certify both EPCSCP-Pharmacy and EPCSCP-Prescribing as a second Certification program or has multiple versions there is a Multiple Program Fee of $1,625 every two years and an additional Review Fee of $4,000.
TDRAAP-Basic Certification Fees – This $1,200 fee is paid annually for the 1-year certification
If an organization included privacy and security with their HITRUST Certification, and the scope followed the PHI, there is a $1,000 discount on the Site Visit fee.
Site Visit Fees for sites that are outside the US are $4000 per day in addition to the standard Site Visit per day Fees (plus travel expenses). See International Travel Process for additional fee details. See International Accreditation page for definitions and details
Travel expenses are not included and will be submitted to your organization after the site visit(s).
The fee categories are the same for each accreditation. The annual Fee is paid each year and all other fees are due every other year on the accreditation date.
For organizations with multiple facilities and for OSAP applicants that have sites that perform the same function and which demonstrate adherence to the same policies and procedures, a site visit rotation will be used to accredit the candidate as shown in the following table. NOTE: The table below is provided as a guideline only, as the number of sites requiring a visit may be increased based on such factors as newly acquired sites, sites that do not currently comply with standard policies and procedures, or other factors where additional visits are determined to be required.
|No. of Sites||Site Visits Required||No. of Sites||Site Visits Required||No. of Sites||Site Visits Required||No. of Sites||Site Visits Required|
In addition to the above, when the self-assessment process requires subsequent re-submissions of documentation to meet the criteria after the site visit is completed, there will be a charge of $225/hour for site reviewer/auditor time for each additional submission of documentation.
Back to Top
What forms of payment does EHNAC accept?
EHNAC accepts both electronic payments and checks.
EHNAC recommends electronic payments (EFT, ACH or Fedwire). Electronic payments are less expensive, more efficient, and more secure than paper checks. They can dramatically reduce the delivery time and also allow your organization to easily track payments. Kindly email your Operations Assistant with the confirmation details of the transaction when using this method of payment so we may credit your account promptly.
What is the discount agreement with CAQH CORE?
CORE-certified entities can take advantage of a one-time discount for CORE Phase I- and/or Phase II- certified entities. The partnership program discount is $400 for organizations with annual revenue below $75 million and $600 for organizations with annual revenue above $75 million. The entity will indicate that it is CORE certified when submitting its Application . (EHNAC will confirm CAQH CORE certification status independently.) View the CAQH CORE website for more information about CORE certification.
What is the discount agreement with DirectTrust.org members?
Directtrust.org members can take advantage of a one-time discount on the DT P&S accreditation program. The partnership program discount is $400 for organizations with annual revenue below $75 million and $600 for organizations with annual revenue above $75 million. The entity will indicate that it is a DirectTrust.org member when submitting its Application. (EHNAC will confirm DirectTrust.org membership status independently.)
Must an organization pay the Site Visit Fees at the time as the Annual Fee?
The Site Visit Fee and the Annual Fee can be paid separately. In the Accreditation process, the Self-Assessment documentation package will not be provided until the Application is complete which includes payment of both the Site Visit Fee and the Annual Fee. Delaying the application completion can limit the self-assessment time available to the organization possibly leading to additional costs such as Late Fees.
Accreditation Process Section
How does my organization become accredited?
What is the timeframe for the accreditation process?
Accreditation timeframes vary depending on the size of your organization, although most organizations complete the process within 6 to 8 months. Please click here for a sample timeline for both first-time applicants and re- applicants. Applicants are given 12 months from the date of application approval to complete the accreditation process. The self-assessment must be submitted 4 months prior to the end of the 12-month time limit.
EHNAC has also developed a sample project plan outlining the steps in accreditation. This can be used by an organization as a reference for further customization.
What is the estimated time it will take to complete the Self-assessment?
We estimate the self-assessment responses and evidence for a first Accreditation could take anywhere from 2 months to 4 months, depending on a number of factors including the the level of preparation for each organization. For example, how mature are the organizational policies, procedures, and controls? Does your organization have to rely on many workforce members to put the material together or will one resource be able to respond to all? If your organization has a less mature infrastructure, or if there is a lot of coordination that must occur to get responses and evidence put together, it will elongate the process.
Is a unanimous vote of the commissioners required for accreditation?
No. A simple majority vote of the commission is required for approval of all accreditation issues.
What happens after my application is approved?
Upon receipt of your application fee and Commission approval, your organization or corporation receives Candidate Status. Once you receive this status, you will be sent the EHNAC Accreditation Candidate logo. You have the right to use the following EHNAC-approved designation:
“[Candidate] [organization or corporate] has been granted CANDIDACY STATUS by the Electronic Healthcare Network Accreditation Commission (EHNAC). This status is granted only to entities whose applications have been carefully reviewed by the Commission, who the Commission believes to be in substantial compliance with its criteria and who are likely to qualify for provisional, interim or full accreditation within one year of the granting of Candidacy Status.”
Candidacy Status is then listed on the EHNAC website on the Accreditation Status page.
The Accreditation Guidelines containing the rules of the accreditation program, Commission guidelines, approved uses of all Commission designations, and other program information are available on the EHNAC web site for your reference. You will also receive the Self-Assessment guidelines and report, which explains the criteria for accreditation as well as the required supporting documentation.
How long does Full Accreditation last?
Full Accreditation is granted for two (2) years. Organizations must re-apply and achieve re-accreditation by their accreditation expiration date to maintain active Accredited status. Organizations may begin the reaccreditation process 1 year prior to the expiration date to allow the optimum amount of time to complete the process. EHNAC recommends completing the reapplication process no less than 5 months prior to the self-assessment due date (9 months prior to the expiration date).
What is a Midterm Review or Accreditation?
EHNAC offers an Accreditation with Midterm review beginning January 1, 2022. While EHNAC’s standard reviews (“Full Accreditations”) are biennial (2-year), the optional Midterm reviews occur in intervening years. When Midterm reviews are conducted, their expiration date will always be the same as the Full Accreditation expiration date. This includes notifying EHNAC of intent to pursue a Midterm review and payment of appropriate fees. The organization must inform EHNAC of their intent to have a Midterm review before or during the first 6 months of their accreditation. The Midterm Review examines/appraises:
- Ongoing risk management,
- Appropriate annual privacy and security training,
- Quarterly vulnerability assessments,
- Randomly selected criteria from each of the security areas (min. of 13 tests), and
- Demonstration of progress against all recommendations noted in the previous EHNAC review.
What does my accreditation number mean?
The first 2 letters are Program Codes
The next four digits are the base, where base 0001 equals the number in order of accredited organizations
The next 2 places represent the number of times accredited
The next two places are the month accredited
The next 2 places are the year accredited
DT P&S DP
ePAP – EHN EP
EHNAC P&S PS
EPCSCP – Pharmacy EH
EPCSCP – Prescribing ER
FSAP – EHN FE
FSAP – Lockbox FL
HNAP – EHN HE
HNAP – Medical Biller HM
HNAP – Payer HP
HNAP – TPA HA
OSAP O [Program letter]
TDRAAP- Basic TD
TDRAAP- Comprehensive TC
TNAP – Participant TP
TNAP – QHIN TQ
How will the proprietary information we submit to EHNAC be kept confidential?
EHNAC goes to great lengths to ensure that confidential information remains private, and has never had a breach of confidentiality since becoming established in 1993. The Confidentiality Measures section contains the details of how EHNAC works to protect the confidential and proprietary information submitted.
Is there a representative assigned during the accreditation process?
A site reviewer/auditor is assigned after the application process has been completed. Questions can be submitted to the site reviewer/auditor while the Self-assessment process is being completed.
You may email questions to the site reviewer/auditor prior to the site visit/audit. Please include the entire text of the criteria in any question(s), including the statement of the criteria and the detail from the link. This detail is important to properly address questions in their entirety and to minimize any lack of clarity in responding appropriately.
Criteria Development Section
How does EHNAC develop criteria?
The recognition and adoption of EHNAC’s criteria is conducted in a public, transparent and structured methodology pursuant to EHNAC’s criteria development process. Certain industry benchmarks are recognized to represent a dynamic and timely compilation of those privacy and security practices, employee training programs, fixed assets, disaster recovery and business continuity, as well as contingency planning and other performance factors that should be achieved by any entity that functions as an exchange or medical information electronic health network. These benchmarks are memorialized in EHNAC’s criteria, and a candidate’s performance and capacity are measured against those standards. EHNAC has committees to review, revise and monitor its conformance to its structured methodology as a federally recognized SDO and also incorporates any federal and state healthcare reform legislative mandates into its criteria to assure its programs are compliant for its candidates and accredited entities.
How are the criteria adopted?
The proposed criteria appear on EHNAC’s web site and are emailed to all interested parties including all accredited entities; candidates for accreditation; persons and entities requesting information on the criteria; and all government and private institutions and agencies that have been identified by EHNAC as having an interest in the electronic transmission of healthcare information by and/or through its accredited entities. This includes: United States Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS), Office for Civil Rights (OCR), National Committee on Vital and Health Statistics (NCVHS), National Uniform Billing Committee, National Uniform Claim Committee, American Dental Association (ADA), National Council of Prescription Drug Programs (NCPDP), Workgroup for Electronic Data Interchange (WEDI), and other applicable committees and organizations.
Prior to adoption of any criteria, EHNAC has a 60-day public comment period. During this period, all interested parties are encouraged to review, assess and comment on the proposed criteria. After the comment period has closed, public comments are reviewed and revisions to the criteria will be made as deemed appropriate. Throughout the entire process, public participation is invited and encouraged. EHNAC seeks to recognize and adopt those standards that represent the essential facility practices and standards that are often typically achieved by well-functioning and reputable healthcare electronic networks and exchanges that comply with appropriate state and federal obligations.
How can my organization participate in establishing criteria?
Send email to EHNAC with your interest in the Criteria Committee. Participation on the Committee involves one conference call per month lasting 30-60 minutes. Between these calls there may be email exchanges or additional calls depending on current initiatives and Committee priorities. Please visit the Criteria Development and Criteria page of the EHNAC website for more information on the Criteria development process. The EHNAC Criteria Committee is open to all EHNAC-accredited organizations as well as other interested healthcare industry professionals. Please let us know if you or a member of your organization is interested in serving as a Committee member and we will send the volunteer form.
How can I give feedback on criteria?
International Accreditation Section
Can an Organization Based (headquartered) outside the US become Accredited?
Yes – EHNAC will accredit companies based outside the US after all accreditation requirements are met. All International based Organization’s In-scope sites must have Site Visits performed to be considered for EHNAC Accreditation. Please see also the Site Visit page and the Accreditation Guidelines.
Can a US Based Organization that has sites outside the US become Accredited?
Yes, a US Based Organization with sites outside the US can become Accredited given one of the following:
- EHNAC performs site visits for all In-scope Organization Sites and In-scope Outsources Sites including those located both within and outside of the US.
- EHNAC performs site visits for all In-scope Organization Sites and In-scope Outsources Sites including those located within and outside of the US, with the exception of certain sites outside the US that are not required to be visited (such as certain support and development offices with no or minimum access to PHI). In such a case, EHNAC will annotate its website to disclose that the Organization has sites outside the US that were not physically reviewed.
What are the costs associated with a Site Visit outside the US?
For a Site Visit outside the US, the cost is $4000 plus the standard Site Visit fee per day plus travel.
- Site Reviewers will travel to sites outside the US in Business class
- The candidate organization must arrange for a car and an English-speaking driver to allow for effective transportation to/from hotels, airports, and the candidate organization’s facilities.
- If English is not the primary language as referenced here: http://en.wikipedia.org/wiki/List_of_countries_where_English_is_an_official_language then the candidate organization must make accommodations for a translator to accompany the Site Reviewer for the duration of the time in the destination country.
- If the destination countries require airport exit fees or visa fees, those fees will be reimbursed by the candidate organization.
- The candidate organization must provide a cell phone with a local number to the Site Reviewer for the entire duration of the visit. If possible, the candidate should mail the phone to the Site Reviewer prior to the travel begin date. The candidate should also pre-load contact names and phone numbers into the phone prior to providing it to the Site Reviewer.
- In the event a particular destination country is on the US Department of State’s travel warnings website (http://travel.state.gov/content/passports/english/alertswarnings.html) the candidate organization is responsible for the Site Reviewer’s security for the duration of stay in such destination country. Security detail must be paid for by the candidate organization.