DirectTrust recognizes that its accredited entities (“Accredited Entities”) and accreditation candidates (“Accreditation Candidates”) operate in a dynamic business environment that includes many business and legal variables ancillary to the fundamental scope of DirectTrust’s accreditation process. However, because that environment involves business and legal risks that may impact (1) DirectTrust accrediting operations; and (2) accreditation eligibility, DirectTrust has developed a collaborative process to (A) enable Accredited Entities and Accreditation Candidates to identify significant business, financial, operational and legal developments that have the potential to compromise or undermine their ability to meet the DirectTrust Accreditation Criteria (“Sentinel Events”) and (B) provide DirectTrust with written notification of such Sentinel Events.
Business risk evaluation is necessary for DirectTrust to accomplish the following objectives in a timely manner:
- Acquire timely knowledge of Sentinel Events (described in Exhibit A) that may affect the accreditation status of an Accredited Entity or Accreditation Candidate.
- Maintain credibility of DirectTrust as a nationally recognized accreditation body.
1. What is a Sentinel Event?
A Sentinel Event is any significant material impacting development, action or change in the business, financial, operational or legal status of an entity, which occurs (1) with respect to an Accredited Entity, after accreditation, or (2) with respect to an Accreditation Candidate, after the application has been submitted to DirectTrust. The material impacting change in status may be based on any one or more of the Sentinel Events indicated below or described in the Sentinel Events Exhibit A.
2. Notification Process: When should DirectTrust be notified?
An Officer of DirectTrust must be notified in writing of the occurrence of any Sentinel Event. Written notification in the manner described in Section 3 below must be received by DirectTrust no later than three (3) business days from when the Sentinel Event occurs. Failure to provide such notification could result in loss of Accreditation, loss of Candidacy status or such other action as DirectTrust may determine to be appropriate.
3. How should DirectTrust be notified?
As part of the notification process, the Accredited Entity or Accreditation Candidate shall provide an officer of DirectTrust with the “known facts,” as determined to have a material impact, and shall continue to provide DirectTrust written notice of additional relevant information as such information becomes “known facts.” The additional relevant information shall be delivered to DirectTrust by an email sent to Admin@DirectTrust.org.
“Known facts” shall include, but not be limited to, (A) any relevant data, information or circumstances regarding a Sentinel Event having a material impact which an Accredited Entity or Accreditation Candidate (i) is required by law, by a contract to which it is a party, or by any other legal obligation to report or disclose to a third party, or (ii) has disclosed in a public statement or in any non-confidential manner; (B) reports or information that must be reported to a government agency; and (C) all findings of fact in the form of an agency action by a duly authorized regulatory agency or in a judgment by a court of original jurisdiction, notwithstanding any subsequent appeals.
The written notification should include the following information:
A. Name of the individual reporting the Sentinel Event (company name, individual name, title, address, phone number, and email address)
B. Description of the Sentinel Event
C. Date the Sentinel Event occurred
D. DirectTrust Accreditation impact(s) or considerations that could materially and adversely affect the company’s compliance with the Accreditation Criteria; e.g., changes in key executive management in a small company or release of a press announcement in a public company
E. Other factual information DirectTrust should consider
F. If the Sentinel Event has resulted in non-conformity with the Accreditation Criteria, a proposed plan to restore conformity, i.e., an explanation in reasonable detail of how the company will promptly reestablish conformity with all applicable DirectTrust Accreditation Criteria
G. Appropriate documentation should be submitted along with the disclosures, e.g., press releases, etc.
4. What Constitutes a Sentinel Event?
The following is an illustrative but not exhaustive topical list of Sentinel Events. Refer to the Sentinel Event Exhibit “A” document in the sidebar for detailed explanations.
- Entering into an agreement of sale to sell or otherwise directly or indirectly divest an Accredited Entity or an Accreditation Candidate
- Entering into an agreement to purchase or otherwise directly or indirectly acquire an Accredited Entity or Accreditation Candidate
- Entering into a new agreement to outsource a site that fits the definition of an In-scope Organization Site or an In-scope Outsourced Site.
- Financial impairment of an Accredited Entity or Accreditation Candidate.
- Insolvency/bankruptcy filing.
- Change in ownership or control > 25%.
- Disruption of service to customers > 8 hours for telecom, or security violation.
- A security breach that is reportable as a matter of state or federal law. DirectTrust does not warrant that its accreditation framework will prevent any breach or cyberattack. Refer to the HIPAA Breach Definition Notification Rule – 45 CFR §§ 164.400-414.
- Workforce reduction by > 15%.
- Key management changes.
- Company fine(s) of > $100K for regulatory violations, marketing or advertising practices, antitrust violations, or tax disputes.
- Adding or significantly modifying an In-scope Organization Site or an In-scope Outsourced Site.
- Significant events associated with an In-scope Organization Site or an In-scope Outsourced Site including but not limited to the addition or significant modification of physical locations.
- For those certified through an EPCSCP Program, a Sentinel Event must be reported for each significant systems upgrade, functional alteration, or when made aware of any application issue related to e-prescribing in accordance with the regulations. See Exhibit A: Sentinel Events, section F. Critical DirectTrust Accredited System Events for more information (in the downloadable file).
- For those certified/accredited through the TDRAAP Program, a Sentinel Event must be reported for each significant change to the product which has been proven via UDAP testing as part of the review process.
- For those accredited through the TNAP-HIN program, a Sentinel Event must be reported if HITRUST certification is not maintained throughout the TNAP-HIN accreditation.
- For those accredited for any program who have been certified by HITRUST and who have used a validated report to satisfy the security or privacy criteria in any DirectTrust program, a Sentinel Event must be reported if HITRUST certification is not maintained throughout the accreditation period.
5. What is the DirectTrust Review Process?
Within seventy-two (72) hours of DirectTrust’s receipt of such written notice, the President and CEO of DirectTrust, if he/she deems the Sentinel Event to be of a materially substantive nature, shall notify the Chair of the Commission and he/she shall convene a meeting of the Ad Hoc Sentinel Event Committee of DirectTrust (“Council”), consisting of three EHNAC Commissioners, to consider the matter. In determining its recommended course of action, the Council shall consider the seriousness and time-criticality of the Sentinel Event. The Council shall provide its written recommendation to the Commissioners within twenty-four (24) hours of the conclusion of its meeting, including, if recommended, the necessity for a special meeting of the Commissioners to take action on any recommendation of the Committee. Other than the publication of any change to the status of a DirectTrust Accredited Entity or a DirectTrust Accreditation Candidate on the web site, all deliberations by DirectTrust on the report of a Sentinel Event, including its evaluation and recommendations, shall be kept confidential.
Accreditation by DirectTrust is awarded based upon its review of the organization for that specific “point in time” that the accreditation process occurred. DirectTrust is not responsible for any changes in policies, procedures or controls, processes or access that may occur subsequently into which it has no visibility or of which it is unaware. It is the organization’s responsibility to report significant changes to us through our Sentinel Events policy.
6. What Action May Be Taken by DirectTrust?
The EHNAC Commissioners shall review the recommendation of the Committee on a timely basis, either at a special meeting of the Commissioners if the matter is deemed urgent by the Committee’s Report, or no later than the next regularly scheduled meeting of the Commission. Written findings and action taken by the Commission shall be communicated in writing to the affected Accredited Entity or Accreditation Candidate within two (2) business days of the conclusion of the meeting of the Commission. The written communication also shall include a description of DirectTrust’s appeal procedures.
The following are examples, illustrative but not exhaustive, of actions that may be taken by the Commission:
- No action.
- Revocation of accreditation.
- Request for further documentation. If the additional documentation is not provided, revocation of accreditation.
- Request the organization to reapply and follow the re-accreditation process if it is determined that the Sentinel Event provides a substantive change to the entity.
- Such other actions as are deemed appropriate.
- Change in Accreditation Status.
Please Note: If an organization fails to respond to a high priority email from DirectTrust within 7 business days indicating its intention to proceed with the accreditation process, then DirectTrust will make the determination that the organization no longer intends to maintain its accreditation status, and the organization will be removed from the website and will no longer be accredited on that date.
7. Public Posting
Any change in Accreditation status pertaining to the Accredited Entity or Accreditation Candidate shall be posted on the DirectTrust and/or EHNAC web site.
8. Significant Events Other Than Sentinel Events
If one or more of the following occur(s) within 12 months of the last accreditation, a site visit must be made to the new or modified facility(ies):
- Accredited Entity enters into a new agreement with an In-scope Outsourced Site.
- Accredited Entity adds or significantly modifies a physical location that would qualify as an In-scope Organization Site or an In-scope Outsourced Site.
- A significant event occurs associated with functions involving the creation, reception, maintenance, or transmission of PHI that are outsourced to third parties including but not limited to their addition or significant modification of physical locations.
- Increasing the level of identity or authentication assurance supported by a TDRAAP accredited program.
- A notifiable breach. (Refer to the Breach Definition and the HIPAA Breach Notification Rule – 45 CFR §§ 164.400-414).
If the Significant Event occurs after 12 months past the last accreditation, a site visit may be made to the new or modified facility(ies) if determined to be necessary by DirectTrust. If it is decided that a site visit is necessary, the information gathered will be applied to the subsequent accreditation effort and reports accordingly.
NOTE: A change in the organization’s contact individual having responsibility to liaise with DirectTrust needs to be communicated within 10 days of a change in personnel so that there is no disruption in any notices or communications between the entities.
The Sentinel Events document along with the applicant agreement must be signed and delivered to DirectTrust by an email to admin@DirectTrust.org or uploaded through the DirectTrust “Log an Application” portal, to which you are provided access after the Application is submitted.
Note: The complete up to date Sentinel Events Document with definitions, links and exhibits can be downloaded from the link to the left on this page.