DirectTrust®, a non-profit healthcare industry alliance focused on furthering trust in healthcare technology and data exchange through standards, accreditation, and other services, today announced a 60-day public comment and review period of the draft criteria of its new DirectTrust Identity Provider (IdP) Accreditation Program and the optional UDAP Identity Provider Program.

The DirectTrust IdP Accreditation Program ensures identity providers adhere to the highest operational and security standards by covering all aspects of their operations, from identity verification, credential issuance, and authentication to endpoint security, management of personally identifiable information, and audit logging. Additionally, by establishing a common minimum bar for credential service providers, the program fosters collaboration between identity providers, relying parties such as health data holders, and companies supporting consumer-facing client applications, creating a unified ecosystem for secure, portable digital online identity management.

Applicants have the option to layer on DirectTrust's UDAP Identity Provider Accreditation Program, which is also open for the 60-day public comment period. The UDAP Identity Provider Accreditation evaluates a credential service provider's compliance with FHIR At Scale Taskforce (FAST) Security's Tiered OAuth, Dynamic Registration, and JWT-based Authentication capabilities, as well as FAST Interoperable Digital Identity and Patient Matching. The FAST Security framework leverages digital certificates to enable scalable identity assurance, authentication, and authorization across healthcare networks. By implementing FAST Security IG's Tiered OAuth framework, identity providers can automate trust establishment and scalable authentication of individuals, ensuring secure access control for healthcare data exchange. This collaboration supports federated trust, improves confidence in patient and provider identity assurance, and aligns with evolving regulatory and interoperability frameworks like TEFCA.

"As the healthcare industry continues to face evolving security threats from bad actors who seek new ways to infiltrate our systems, establishing a trusted framework for identity management has never been more critical," said Scott Stuewe, DirectTrust President and CEO. "These DirectTrust Identity Provider Accreditation Programs provide a universally recognized standard for compliance, eliminating the need for individual evaluations and ensuring organizations meet the highest security requirements. By achieving accreditation, identity services can signal trust in online transactions they enable, allowing healthcare entities to safeguard sensitive information and improve interoperability across the industry-demonstrating to their partners, customers, and patients a steadfast commitment to industry best practices in security and identity management."

IdPs that achieve DirectTrust IdP accreditation demonstrate their adherence to industry standards such as NIST SP 800-63B, ensuring they meet recognized criteria for identity assurance and authenticator usage. The IdP Program can be paired with the DirectTrust Registration Authority accreditation, which assesses a candidate's compliance with NIST SP 800-63A, to together provide a complete program for non-PKI-based credentials.

Stakeholders with an interest in participating as a Beta organization for the new Identity Provider Program(s) can contact Admin@DirectTrust.org.

DirectTrust criteria for each of its accreditation programs set the stakeholder- and program-specific foundational requirements for assessing an organization's ability to meet/align with federal and state healthcare reform mandates such as HIPAA/HITECH, the 21st Century Cures Act, TEFCA and other mandates and best practices like NIST SP 800-53, 800-171, and 800-63, for healthcare organizations focusing on the areas of trust, privacy, security, cybersecurity, breach handling, confidentiality, best practices, procedures, and assets.

During the 60-day public review period, all interested stakeholders are encouraged to provide DirectTrust with opinions, comments and suggestions that will prove helpful in determining the necessity, appropriateness and workability of the criteria proposed for adoption after being reviewed and approved by the Commission. The comment form can be accessed at bit.ly/DTCriteriaComment.

About DirectTrust®

DirectTrust® is a non-profit, vendor-neutral alliance dedicated to establishing trust in a connected world. The organization serves as a forum for a consensus-driven community focused on health communication and cybersecurity, an ANSI standards development organization, an accreditation and certification body governed by EHNAC, and a developer of technical trust frameworks and supportive services for secure information exchange like Direct Secure Messaging and identity-verified credentials.

The goal of DirectTrust is to develop, promote, and, as necessary, help enforce the rules and best practices necessary to maintain privacy, security, and trust for stakeholders across and beyond healthcare. In addition, DirectTrust is committed to fostering widespread public confidence in the interoperable exchange of health information while promoting quality service, innovation, cooperation, and open competition in healthcare. To learn more, visit: DirectTrust.org.

