Trusted Network Accreditation Program
The Trusted Network Accreditation Program (TNAP) was developed to directly align with the development of the 21st Century Cures Act required Trusted Exchange Framework and Common Agreement (TEFCA). EHNAC, in partnership with HITRUST, seeks to promote interoperability by assuring the security and privacy of trusted networks and the use of enabling technologies in the healthcare ecosystem. The TNAP program provides third-party review with accreditation for Trusted Exchange participants, rights management, as well as compliance with new TEFCA regulatory requirements and in partnership with HITRUST addressing security and privacy regulatory requirements.
TEFCA will affect a diverse group of industry stakeholders including Health Information Networks (HINs), Health Information Exchanges (HIEs), Accountable Care Organizations (ACOs), data registries, labs, providers, payers, vendors, and suppliers – and TNAP has been designed to address their needs.
TNAP Accreditation program is comprised of a third party assessment against EHNAC’s TEFCA specific requirements and the HITRUST R2 Validated Assessment. Through this process, the TNAP Program assesses an organization’s ability to comply with the TEFCA regulatory requirements and the organization’s applicable privacy and security regulatory requirement. Such regulatory requirements include, for example, HIPAA, HITECH, ACA legislative reform provisions, the NIST Cybersecurity Framework, GDPR, and others. This comprehensive third-party review provides an additional level of confidence for HINs that desire to become Qualified HINs (QHINs).
The EHNAC TNAP and HITRUST Validated Assessment with Certification ensures a consistent focus on privacy, security and other core industry requirements including a focus on organizational structure, delineation of third parties and their contractual and agency statuses, PHI data flow, business practices, and management of human and physical resources. TNAP criteria is publicly reviewed and enhanced at a minimum of once per year, and more often when necessary due to regulatory requirements, industry-promoted best practices, or other significant factors.
Developed through a coalition of industry collaborators, TNAP in conjunction with the HITRUST Validated Assessment with Certification is:
- Designed for Health Information Networks (HINs) that would like to prepare for application to the Recognized Coordinating Entity (RCE) to be considered for acceptance;
- Thorough in its presentation and assessment of TEFCA requirements as well as privacy and security requirements based on an organization’s regulatory requirements;
- Vendor and technology agnostic to support blockchain and other enabling technologies.
EHNAC follows a structured, transparent and industry-inclusive process that provides for continual improvement. Criteria for the Trusted Network Accreditation Program is available on the EHNAC Criteria Page.
Organizations seeking TNAP Accreditation must provide a copy of the full HITRUST r2 Validated Assessment with Certification Report as part of the application process. When a HITRUST Assessment is conducted by another Assessor organization, HITRUST Validated Assessment with Certification must be achieved by the EHNAC accreditation expiration date to be accepted as evidence for EHNAC Accreditation.
TNAP-HIN – for organizations that provide Health Information Network services as defined by TEFCA. According to the Office of the National Coordinator as defined within the April 2019 released materials, “A QHIN’s ability to operate successfully and efficiently is crucial to ensuring all Individuals and providers have appropriate and real-time access to EHI. Therefore, it is critical that QHINs fully understand the breadth and scope of their responsibilities as they consider making application to the RCE for QHIN Designation. Ensuring their capabilities and compliance to the Common Agreement through testing, rigorous on-boarding, and monitoring will be critical to ensure continuity of services among Participants and Participant Members. Organizations that apply to be a QHIN should do so with an understanding of the infrastructure and personnel necessary to support interoperability at a nationwide scale.”
NOTE: TNAP-HIN Accreditation doesn’t designate an organization as accepted by the RCE as a QHIN. Approval from the RCE and The Office of the National Coordinator (ONC) is still necessary and entirely separate from the TNAP-HIN accreditation process.
TNAP-Participant/Participant Member – desire to be recognized as a Participant or as a Participant Member in the ONC trust Exchange Framework. According to the Office of the National Coordinator as defined within the April 2019 released materials, “Participants may include persons or entities that have entered into a contract to participate in a QHIN. Some examples of Participants could include, but are not limited to, a HIN, a health system, a health IT developer, a payer, or a federal agency.” Likewise, ONC suggests the following: “Participant Members may include persons or entities that use the services of a Participant to send and receive EHI. For example, if a QHIN is composed of health information exchanges, the health information exchange would be the Participant, and those who use the health information exchange services, (such as health systems, ambulatory providers, health IT developers, payers, and others) are the Participant Members. Alternatively, a health IT developer could be a direct Participant of a QHIN, in which case, the Participant Members may be the provider practice that uses the health IT developer’s software or services.”
NOTE: TNAP-Participant Accreditation doesn’t designate an organization as accepted by the RCE as a Participant. Approval from the RCE and The Office of the National Coordinator (ONC) is still necessary and entirely separate from the TNAP-QHIN accreditation process.