Programs and Criteria
DirectTrust program criteria are developed to ensure consistent, transparent evaluation across all accreditation and certification programs. Each year, the Criteria Council reviews and enhances the criteria across all programs to keep pace with evolving industry requirements, emerging trends, and regulatory expectations, including the increasing focus on cybersecurity.
Below, under Our Programs, you can explore each program and review detailed descriptions.
● Request the current version of the criteria by completing this form.
● Request historical versions of the criteria by completing this form.
Draft Criteria for Public Review:
DirectTrust invites public comment on the AI Program Draft Criteria.
Please submit your feedback using the Criteria Comment Form by May 5, 2026.
To request a draft version of the criteria, please complete this form.
Our Programs
We’re proud to offer a wide variety of accreditation and certification programs! Learn more about each program through the links below.
Today’s Accountable Care Organizations (ACOs) have taken the lead in driving the value-based care model and placing the importance of improving patient outcomes above all else.
This program supports organizations that handle sensitive data in developing policies and procedures that establish trust in their Artificial Intelligence (AI) products and systems, demonstrating their commitment to maintaining a secure environment for data exchange.
This program, developed in collaboration with the CARIN Alliance, is for consumer-facing apps desiring to enable patient and data holder confidence in app developers’ ability to safeguard sensitive consumer health data.
This program recognizes that an organization operates at a very high level of privacy, security, and trust in identity, and signals to users/subscribers that it is a trustworthy agent and service provider for issuing certificates for Direct Secure Messaging. Accreditation also means that its anchor certificates may be included in the DirectTrust Network, and for use by relying parties in Direct exchange.
This program assesses health information and oversight for meeting privacy and security, HIPAA, HITECH, 21st Century Cures Act, Omnibus Rule and ACA requirements, as well as technical performance, business processes and resource management.
The Digital Therapeutic program is an add-on to the Health App accreditation. Specifically, the program is for those who desire to demonstrate compliance with efficacy, data privacy and security requirements for digital therapeutics applications and platforms (DTx).
The Emergency Preparedness program is designed to enhance the resilience and readiness of healthcare providers, ensuring they meet the stringent requirements of the CMS Emergency Preparedness Rule. Developed through a strategic partnership with CAIPHI, the program consists of emergency preparedness policies, procedures, and guidance for hospitals, critical access hospitals, rural emergency hospitals, long term care, and hospice.
These programs assess electronic prescribing transactions for compliance with industry standards and government regulations and provide an organization’s existing and prospective customers with confidence that appropriate risk-based security and privacy controls are in place and key performance metrics are being met on an ongoing basis.
These programs ensure that your organization follows HIPAA security and privacy rules, supports ASC X12N 835 for electronic remittance advice transactions, and meets a range of criteria applicable specifically to financial electronic health networks. In addition, achieving accreditation assures your customers that their business partner follows industry-established standards for processing payment and other transactions involving protected health information.
The Health App Accreditation Program is designed for smartphone and web health apps and platforms to demonstrate compliance with HIPAA Privacy and Security, cybersecurity, and secure cloud use criteria. It also includes criteria for systems outside HIPAA, like FTC’s Health Breach Notification Rule. The program can be augmented with the CARIN Code of Conduct, Digital Therapeutics, and UDAP™️ accreditations.
This program assesses technical performance, business processes, and resource management.
This program recognizes that an organization operates at a very high level of privacy, security, and trust in identity, and signals to users/subscribers that it is a trustworthy agent and service provider for Direct Secure Messaging.
These accreditation programs indicate that industry-established standards are exceeded, and that your organization complies with HIPAA regulations in areas such as privacy, security and cybersecurity, and confidentiality measures, level-of-service and escalation procedures, transaction response times, and systems availability.
The Identity Provider Program establishes a baseline of trust by validating adherence to industry standards and best practices for identity assurance and authenticator usage. Participants become part of a trusted community of identity providers, creating a unified ecosystem for secure online identity verification.
This program assesses organizations that offer centralized administrative and hosted technology services. This includes organizations that provide electronic health record systems for healthcare providers, ensuring that protected health information (PHI) is stored, accessed and/or transmitted in a private and secure manner. Other areas of focus for this program include privacy and confidentiality, technical performance, business processes, resources, and security.
These programs assess an organization in areas such as privacy and confidentiality measures, level-of-service and escalation procedures, transaction response times, and systems availability. They also assess the security infrastructure and data integrity measures including disaster recovery, business continuity, contingency plans, and intrusion detection and response.
The program provides a comprehensive review of Practice Management System vendors in the areas of privacy, security, mandated standards, and operating rules, as well as key operational functions.
This program accredits organizations against our core criteria including privacy and security, customer service, business practices, personnel requirements, third-party cloud service providers, and more.
This program recognizes that an organization operates at a very high level of privacy, security, and trust in identity, and signals to users/subscribers that it is a trustworthy agent and service provider for Direct Secure Messaging. Accreditation also means that its anchor certificates may be included in the DirectTrust Network, and for use by relying parties in Direct exchange.
This program provides third-party review with accreditation for Trusted Exchange participants, rights management, as well as compliance with TEFCA regulatory requirements.
This program is designed to help healthcare organizations demonstrate their ability to use trusted digital certificates for endpoint identity, registration, authentication, and attribute discovery for electronic healthcare transactions in real-time.