If you cannot find the answer to your question below or elsewhere on our web site, please contact us.

Attaining EHNAC Accreditation from DirectTrust demonstrates to the healthcare industry that your organization can be “trusted” to handle sensitive information in a secure manner. The review process offers an independent, objective third party review of an organization’s ability to comply with privacy, security, cybersecurity, breach and other related federal and state requirements. Additionally, every program is designed to “raise the healthcare operational/management bar” for that specific business niche. Additionally, all of EHNAC’s Reviewers and Practitioners are experienced 20+ year healthcare Subject Matter Experts.

Under the recent HITECH Amendment PL 116-321 (HIPAA Safe Harbor Law), EHNAC qualifies as a “Recognized Security Practice” as the rule states and includes the NIST cyber-security framework which is embedded within its programs, it has been involved with the HHS 405(d) Cybersecurity Information Sharing Act (CISA) initiative since its inception and has served the industry as a federally recognized standards development organization (SDO) for more than 26 years. EHNAC follows a structured and transparent criteria development and public comment review process and is recognized by the industry for its quality of process, conformance with federal and key state healthcare reform legislative mandates, best practices, and provides the value of its consultative on-site review/audits and recommendations. The Maryland Healthcare Access Commission (MHCC) and New Jersey Department of Banking & Insurance (DOBI) regulatorily recognize EHNAC and its accreditation programs. Many health plans and health systems as well as healthcare vendors and stakeholders recognize and accept EHNAC accreditation to meet their Third Party Assurance (TPA) requirements. Some state Health Information Exchange Programs require EHNAC Accreditation prior to onboarding. The CMS Data At-the-Point-of-Care Pilot Project recognizes many of EHNACs programs as part of the connection establishment process. Other states monitor EHNAC’s accreditation program and process and may adopt similar model legislation in the future.

Back to Top

DirectTrust provides EHNAC accreditation to all types of stakeholder entities handling health care data. Any entity subject to HIPAA/HITECH as a Covered Entity or Business Associate can align with our many programs based on the type of data handled and the business purpose followed. Some programs are specific to those handling data which are not HIPAA covered entities or business associates, such as Technical Application Developers. Stakeholders include, but are not limited to electronic healthcare networks (EHN), Health Information Networks, ePrescribing networks, third party administrators (TPA), financial services organizations, managed service organizations (MSO), medical billers, health information exchanges (HIE/HIO/ACO), outsourcers (data center, co-lo, printing, scanning etc.) Practice Management Systems vendors and HISPs in support of the direct message exchange protocol. Some programs also qualify under other authorities and standards for certification such as the Trusted Network Accreditation Program (jointly administered by EHNAC and HITRUST); the Electronic Prescriptions Controlled Substances (EPCS) as administered by the DEA and the Trusted Dynamic Registration and Authentication Accreditation Program TDRAAP- which includes a technical framework using Unified Data Access Profiles. Additional healthcare stakeholder accreditation programs continue to be evaluated and added to the comprehensive list of stakeholders that EHNAC supports.

Back to Top

To learn which DirectTrust Program(s) is right for your organization, please refer to the Program Selection Guide.

Back to Top

EHNAC provides 20+ specific healthcare programs which include but are not limited to HIE’s, ePrescribers, clearinghouses and billing organizations. Each program contains many stakeholder specific requirements (unique to each program and their data handling responsibilities).  In addition to these requirements, EHNAC and HITRUST have worked together to align privacy and security requirements to benefit those candidates who choose to combine their programs.

Back to Top

EHNAC has developed a comparative analysis and video tutorial to assist you in determining the best option for your organization.  The Comparative Analysis/Tutorial can be found under the “Why EHNAC” tab on our Home Page.

Back to Top

To determine which Privacy and Security option to choose, please review the Privacy and Security Option Comparison tutorial which can also be found on our home page under “Start Here”.

Back to Top

Accreditation Costs

Organization fees are determined by revenue except for government, not-for-profit and outsource entities. The revenue from an organization is defined as any services performed either electronically or on paper that supports the program.  This includes all electronic transactions, messages, patient statements, customer service, infrastructure, technical performance, business practice, privacy and security, resources, etc.

Each year, Accredited Organizations must submit Annual Revenue Verification.  For new organizations, this is submitted as part of the applicant process.

Below are the costs for both initial and additional programs:

Fee Categories for All Programs
Size Revenue Amount Annual Fee Multiple Program Fee Site Visit Fee/Site/Day
CCCAP* NA $3250 NA $4000
EPCS** NA $3250 $1625 $4000
Very Small Under $3M $3250 $1625 $5000
Small Greater Than $3 Less Than $8M $4250 $2125 $5000
OSAP*** NA $4250 NA $5000
Medium Greater Than $8 Less Than $20M $8500 $4250 $8000
Med/Large Greater Than $20 Less Than $50M $13000 $6500 $8000
Large Greater Than $50M Less Than $75M $20000 $10000 $8000
Very Large Greater Than $75M $26500 $13250 $8000

Federal, state, and non-profit organizations are included in the Small Size above.

Note:  If an organization selects the HITRUST version of the criteria and the organization does not currently have HITRUST certification there is an additional Site Visit Day Fee.

Each site visit fee is considered one day.  Site Visits can be either virtual or at the site.

+ Annual Fee

For Accredited organizations, the Annual Fee is due every year prior to the anniversary of the accreditation date.  For new organizations, this is paid as part of the applicant process.

+ Site Visit Fee

For new applicants, the Site Visit Fee must be paid along with the Annual Fee as part of the application process. For reaccreditations, the Site Visit Fee is due no later than 8 months prior to the accreditation expiration date, as part of the application process.

+ Midterm Accreditation Fee

DirectTrust offers a Midterm Accreditation review for organizations wishing to pursue this.  The fee is $4,000 per program.

+ Multiple Program Fee

The Multiple Program Fee occurs when an organization applies for accreditation for more than one program. The Multiple Program Fee applies to each additional program(s) applied for and is based on the organization’s combined program revenues. This fee (or fees) is paid on the organization’s accreditation year (the same time schedule as the site visit fee).  The Following programs are not applicable for the Multiple Program Fee: CCCAP, OSAP, and TDRAAP-Basic.

+ *Carin Code of Conduct (CCCAP)

The Annual Fee is $3,250 for all organizations regardless of the revenue.  The Review Fee is $4,000 regardless of the revenue.  Multiple Program Fee not applicable

+ **EPCSCP-Pharmacy and EPCSCP-Prescribing Fees

ECPSCP Annual Fee $3,250 is paid annually, and the Review Fee $4,000 is paid every 2 years with the certification.  There is no site visit required for ECPSCP.  The Annual Fee is $3,250 per organization regardless of revenue.  If an organization wishes to certify both EPCSCP-Pharmacy and EPCSCP-Prescribing as a second Certification program or has multiple versions there is a EPCS Multiple Program Fee of $1,625 every two years and an additional Review Fee of $4,000.  The Multiple Program Fee does not apply to other accreditation programs.

+ ***Outsourced Program (OSAP)

The Annual Fee is for this program is $4,250 per organization regardless of revenue. The Site Visit Fee is $5,000 per site regardless of the revenue.  Multiple Program Fee not applicable.

+ TDRAAP-Basic Certification Fees

This $1,200 fee is paid annually for the 1-year certification.  Multiple Program Fee not applicable.

+ Re-accreditation Fees

The fee categories are the same for each accreditation program. The Annual Fee is paid each year and all other fees are due every other year on the accreditation date.

+ Site Visit Fees for Sites Outside the US

Site Visit Fees for sites that are Outside of the US are $4000 per day in addition to the standard Review per day Fees (plus travel expenses).  See International Travel Process for additional fee details.  See International Accreditation page for definitions and details.  Travel expenses are not included and will be invoiced after the site visit(s).

To Compute your estimated fees, please refer to the Cost Calculation Table.  Fee information detail can be found in the Fees page, the International Travel Process and in the Accreditation Guidelines.

For organizations with multiple facilities and for OSAP applicants that have sites that perform the same function and which demonstrate adherence to the same policies and procedures, a site visit rotation will be used to accredit the candidate as shown in the following table. NOTE: The table below is provided as a guideline only, as the number of sites requiring a visit may be increased based on such factors as newly acquired sites, sites that do not currently comply with standard policies and procedures, or other factors where additional visits are determined to be required.

No. of Sites Site Visits Required No. of Sites Site Visits Required No. of Sites Site Visits Required No. of Sites Site Visits Required
1 1 11 4 21 6 31 7
2 2 12 4 22 6 32 7
3 2 13 4 23 6 33 7
4 2 14 5 24 6 34 7
5 3 15 5 25 6 35 8
6 3 16 5 26 6 36 8
7 3 17 5 27 7 37 8
8 3 18 5 28 7 38 8
9 4 19 5 29 7 39 8
10 4 20 6 30 7 40 8

In addition to the above, when the self-assessment process requires subsequent re-submissions of documentation to meet the criteria after the site visit is completed, there will be a charge of $225/hour for site reviewer/auditor time for each additional submission of documentation.

Back to Top

The Site Visit Fee and the Annual Fee can be paid separately.  In the Accreditation process, the Self-Assessment documentation package will not be provided until the Application is complete which includes payment of both the Site Visit Fee and the Annual Fee.  Delaying the application completion can limit the self-assessment time available to the organization possibly leading to additional costs such as Late Fees.

Back to Top

Accreditation Process

Our accreditation process is outlined in full detail in our accreditation guidelines, which provide the steps that an organization takes to apply for accreditation.  The first step is to answer the questions in the Application form located on the EHNAC Web site.

Back to Top

Accreditation timeframes vary depending on the size of your organization, although most organizations complete the process within 6 to 8 months. Please click here for a sample timeline for both first-time applicants and re- applicants. Applicants are given 12 months from the date of application approval to complete the accreditation process. The self-assessment must be submitted 4 months prior to the end of the 12-month time limit.

EHNAC has also developed a sample project plan outlining the steps in accreditation. This can be used by an organization as a reference for further customization.

Back to Top

We estimate the self-assessment responses and evidence for a first Accreditation could take anywhere from 2 months to 4 months, depending on a number of factors including the the level of preparation for each organization.  For example, how mature are the organizational policies, procedures, and controls?  Does your organization have to rely on many workforce members to put the material together or will one resource be able to respond to all?  If your organization has a less mature infrastructure, or if there is a lot of coordination that must occur to get responses and evidence put together, it will elongate the process.

Additionally, DirectTrust offers Consulting & Advisory Services, as well as a Privacy & Security Toolkit, which may be of interest to your organization as you prepare for the Accreditation process.

Back to Top

No. A simple majority vote of the commission is required for approval of all accreditation issues.

Back to Top

Upon receipt of your application fee and Commission approval, your organization or corporation receives Candidate Status. Once you receive this status, you will be sent the EHNAC Accreditation Candidate logo. You have the right to use the following EHNAC-approved designation:

“[Candidate] [organization or corporate] has been granted CANDIDACY STATUS by the Electronic Healthcare Network Accreditation Commission (EHNAC). This status is granted only to entities whose applications have been carefully reviewed by the Commission, who the Commission believes to be in substantial compliance with its criteria and who are likely to qualify for provisional, interim or full accreditation within one year of the granting of Candidacy Status.”

Candidacy Status is then listed on the EHNAC website on the Accreditation Status page.

The Accreditation Guidelines containing the rules of the accreditation program, Commission guidelines, approved uses of all Commission designations, and other program information are available on the EHNAC website for your reference. You will also receive the Self-Assessment guidelines and report, which explains the criteria for accreditation as well as the required supporting documentation.

Back to Top

Full Accreditation is granted for two (2) years. Organizations must re-apply and achieve re-accreditation by their accreditation expiration date to maintain active Accredited status.  Organizations may begin the reaccreditation process 1 year prior to the expiration date to allow the optimum amount of time to complete the process.  DirectTrust recommends completing the reapplication process no less than 5 months prior to the self-assessment due date (9 months prior to the expiration date).

Back to Top

EHNAC offers an Accreditation with Midterm review beginning January 1, 2022.  While EHNAC’s standard reviews (“Full Accreditations”) are biennial (2-year), the optional Midterm reviews occur in intervening years.  When Midterm reviews are conducted, their expiration date will always be the same as the Full Accreditation expiration date.  This includes notifying EHNAC of intent to pursue a Midterm review and payment of appropriate fees.  The organization must inform EHNAC of their intent to have a Midterm review before or during the first 6 months of their accreditation.  The Midterm Review examines/appraises:

  • Ongoing risk management,
  • Appropriate annual privacy and security training,
  • Quarterly vulnerability assessments,
  • Randomly selected criteria from each of the security areas (min. of 13 tests), and
  • Demonstration of progress against all recommendations noted in the previous EHNAC review.

Back to Top

The first 2 letters are Program Codes
The next four digits are the base, where base 0001 equals the number in order of accredited organizations
The next 2 places represent the number of times accredited
The next two places are the month accredited
The next 2 places are the year accredited

Program Codes:

ACOAP                                  AC
DRAP                                    DG
DT P&S                                DP
ePAP – EHN                         EP
EHNAC P&S                         PS
EPCSCP – Pharmacy          EH
EPCSCP – Prescribing        ER
FSAP – EHN                         FE
FSAP – Lockbox                  FL
HIEAP                                   HI
HNAP – EHN                       HE
HNAP – Medical Biller       HM
HNAP – Payer                     HP
HNAP – TPA                        HA
MSOAP                                MS
OSAP                                   O [Program letter]
PMSAP                                PM
TDRAAP- Basic                  TD
TDRAAP- Comprehensive  TC
TNAP – Participant           TP
TNAP – QHIN                    TQ

Back to Top

EHNAC goes to great lengths to ensure that confidential information remains private, and has never had a breach of confidentiality since becoming established in 1993. The Confidentiality Measures section contains the details of how EHNAC works to protect the confidential and proprietary information submitted.

Back to Top

site reviewer/auditor is assigned after the application process has been completed. Questions can be submitted to the site reviewer/auditor while the Self-assessment process is being completed.

You may email questions to the site reviewer/auditor prior to the site visit/audit. Please include the entire text of the criteria in any question(s), including the statement of the criteria and the detail from the link. This detail is important to properly address questions in their entirety and to minimize any lack of clarity in responding appropriately.

Back to Top

Criteria Development

The recognition and adoption of EHNAC’s criteria is conducted in a public, transparent and structured methodology pursuant to EHNAC’s criteria development process. Certain industry benchmarks are recognized to represent a dynamic and timely compilation of those privacy and security practices, employee training programs, fixed assets, disaster recovery and business continuity, as well as contingency planning and other performance factors that should be achieved by any entity that functions as an exchange or medical information electronic health network. These benchmarks are memorialized in EHNAC’s criteria, and a candidate’s performance and capacity are measured against those standards. DirectTrust has councils to review, revise and monitor its conformance to its structured methodology as a federally recognized SDO and also incorporates any federal and state healthcare reform legislative mandates into its criteria to assure its programs are compliant for its candidates and accredited entities.

Back to Top

The proposed criteria appear on EHNAC’s web site and are emailed to all interested parties including all accredited entities; candidates for accreditation; persons and entities requesting information on the criteria; and all government and private institutions and agencies that have been identified by EHNAC as having an interest in the electronic transmission of healthcare information by and/or through its accredited entities. This includes: United States Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS), Office for Civil Rights (OCR), National Committee on Vital and Health Statistics (NCVHS), National Uniform Billing Committee, National Uniform Claim Committee, American Dental Association (ADA), National Council of Prescription Drug Programs (NCPDP), Workgroup for Electronic Data Interchange (WEDI), and other applicable committees and organizations.

Prior to adoption of any criteria, EHNAC has a 60-day public comment period. During this period, all interested parties are encouraged to review, assess and comment on the proposed criteria. After the comment period has closed, public comments are reviewed and revisions to the criteria will be made as deemed appropriate. Throughout the entire process, public participation is invited and encouraged. DirectTrust seeks to recognize and adopt those standards that represent the essential facility practices and standards that are often typically achieved by well-functioning and reputable healthcare electronic networks and exchanges that comply with appropriate state and federal obligations.

Back to Top

Send email to EHNAC with your interest in the Criteria Council.  Participation on the Council involves one conference call per month lasting 30-60 minutes.  Between these calls there may be email exchanges or additional calls depending on current initiatives and Council priorities.  Please visit the Criteria Development and Criteria page of the EHNAC website for more information on the Criteria development process.  The EHNAC Criteria Council is open to all EHNAC-accredited organizations as well as other interested healthcare industry professionals.  Please let us know if you or a member of your organization is interested in serving as a Council member and we will send the volunteer form.

Back to Top

The EHNAC Criteria Comment Form can be filled out and delivered via the email address at the top of the comment form with your comments.

Back to Top

International Accreditation

Yes – EHNAC will accredit companies based outside the US after all accreditation requirements are met. All International based Organization’s In-scope sites must have Site Visits performed to be considered for EHNAC Accreditation. Please see also the Site Visit page and the Accreditation Guidelines.

Back to Top

Yes, a US Based Organization with sites outside the US can become Accredited given one of the following:

  1. EHNAC performs site visits for all In-scope Organization Sites and In-scope Outsources Sites including those located both within and outside of the US.
  2. EHNAC performs site visits for all In-scope Organization Sites and In-scope Outsources Sites including those located within and outside of the US, with the exception of certain sites outside the US that are not required to be visited (such as certain support and development offices with no or minimum access to PHI). In such a case, EHNAC will annotate its website to disclose that the Organization has sites outside the US that were not physically reviewed.

See also the Site Visit page and the International Accreditation page for more information.

Back to Top

For a Site Visit outside the US, the cost is $4000 plus the standard Site Visit fee per day plus travel.

For detail please see the International Travel Process document, The Fees Page and the Accreditation Guidelines.  Some key items related to International travel are:

  • Site Reviewers will travel to sites outside the US in Business class
  • The candidate organization must arrange for a car and an English-speaking driver to allow for effective transportation to/from hotels, airports, and the candidate organization’s facilities.
  • If English is not the primary language as referenced here: https://en.wikipedia.org/wiki/List_of_countries_where_English_is_an_official_language then the candidate organization must make accommodations for a translator to accompany the Site Reviewer for the duration of the time in the destination country.
  • If the destination countries require airport exit fees or visa fees, those fees will be reimbursed by the candidate organization.
  • The candidate organization must provide a cell phone with a local number to the Site Reviewer for the entire duration of the visit. If possible, the candidate should mail the phone to the Site Reviewer prior to the travel begin date. The candidate should also pre-load contact names and phone numbers into the phone prior to providing it to the Site Reviewer.
  • In the event a particular destination country is on the US Department of State’s travel warnings website (https://travel.state.gov/content/passports/english/alertswarnings.html) the candidate organization is responsible for the Site Reviewer’s security for the duration of stay in such destination country. Security detail must be paid for by the candidate organization.

Back to Top