Confidentiality Measures

DirectTrust often receives questions from applicants regarding accreditation and the protections that the organization has implemented to assure the security of their confidential and proprietary information. DirectTrust has a long-standing policy regarding the confidentiality of applicant information, as outlined below.

  1. Document Management System: All sensitive information obtained from and shared with EHNAC applicants is exclusively communicated through and archived by NetDocuments (,  a leading cloud-based document and email management (DMS) platform. DirectTrust selected NetDocuments based on its world-class security and privacy features, as well as its international customer base of law firms and corporate legal departments. NetDocuments undergoes annual Type 2 SOC 2 and SOC 2+ audits, and demonstrates ongoing compliance with HIPAA, SEC, FINRA, and other regulations and authoritative bodies.
  2. Document Retention: Accreditation records are securely stored for 7 years, after which they are scheduled to be automatically destroyed. DirectTrust Operations controls access to the secure documents and employees are required to sign a confidentiality agreement as a condition of their employment.
  3. Site Reviewers: Each site reviewer signs a confidentiality agreement with DirectTrust intended to assure protection of applicant information. The following security measures have previously been implemented outlining site reviewer handling of candidate information:
    – Only the site reviewer(s) assigned to the applicant has/have access to that applicant’s information. All other site reviewers are restricted from viewing or accessing the applicant mailbox;
    – Site reviewers are required to utilize full-disk encryption for laptops containing applicant self-assessments;
    – Site reviewers are required to have anti-virus installed on laptops with current virus rules updated;
    – Site reviewers are required to maintain confidentiality of applicant information as well as the information pertaining to the business partners/business associates of the applicant;
    – Once the final site visit report is uploaded and sent to the Commission for their accreditation vote, the site reviewer’s access is removed to the applicant mailbox until the site reviewer may be re-assigned to the organization in the future;
  4. Commissioners: EHNAC Commissioners review the final reports issued by EHNAC Site Reviewers, but do not have direct access to the information submitted by the applicants. Access to such information would only be provided based on specific questions raised regarding a final report, and that access would be granted for a temporary period with oversight by DirectTrust management. Each commissioner must sign a confidentiality agreement with EHNAC as a condition of their participation on the commission. EHNAC has never experienced a breach of confidentiality since its inception in 1995. As required by the confidentiality agreement, commissioners destroy any materials in their possession after an accreditation is completed. EHNAC maintains in a secure manner a single copy of the documentation and report for its historical records.
  5. Non-Disclosure: EHNAC utilizes a Mutual Non-Disclosure Agreement (NDA) when requested to insure appropriate protection of submitted information.
  6. PHI: EHNAC requires that PHI not be submitted within the self-assessments.  The issue of confidentiality of all information is taken very seriously however, we understand it may be incidentally viewed during site visits
  7. Applicant Awareness: EHNAC recognizes that applicants often have concerns regarding submission of certain types of information (e.g., details of disaster recovery plans). We remain flexible with applicants who choose to retain documentation for verification to be reviewed only during our site reviews.

Applicants with a significant concern that a site reviewer may view information that is confidential for competitive reasons should address their concerns to Susan Flynn, who will coordinate an appropriate response from DirectTrust.