Announcements 08-28-2014

FBCA Cross-Signing Authority Now Required for Directed Exchange

Meggie Woodfield

Safeguarding user privacy and security is key to the success of healthcare information exchange. In recognition of this fact, the federal government issued a recommendation that agencies implementing Direct are required to use Federal Bridge Certification Authority (FBCA) cross-certified certificates for non-federal organizations exchanging electronic health records (EHRs) with federal agencies.

For at least the next two years, the Federal Health Architecture agencies will require healthcare organizations and providers communicating with them via Directed Exchange (e.g. when attesting for Meaningful Use 2) to use accredited health information service providers (HISPs, e.g. via DirectTrust), with FBCA cross-certified credentials.

Federal Government Looking to Further Advance Personal Record Security

The Direct Project provides exciting opportunities to improve healthcare for individual patients and also benefit public health. Today’s federal recommendation helps advance secure protocols for records transfers to and from federal agencies and, in the process, provides additional assurances to users that their personal data is protected. It demonstrates the government’s interest in mandating key safeguards to provide strong levels of identity assurance to protect the privacy and security of patient records.

By requiring the highest identity assurance and security standards for Directed Exchange, the federal government provides protection for patient health records while maintaining momentum for Direct adoption. Three out of every four HISPs currently accredited in the DirectTrust trust bundle already have full access to EHR exchange with federal agencies through their partnership with DigiCert, the only Certification Authority (CA) both accredited by DirectTrust and FBCA cross-certified.

Companies Must Partner with a FBCA-Certified CA for Full Interoperability with Federal Agencies

In cooperation with the Electronic Healthcare Network Accreditation Commission (EHNAC), DirectTrust accredits HISPs, CAs, and Registration Authorities (RAs) to enable trusted Directed Exchange through its DirectTrust Agent Accreditation Program (DTAAP). DTAAP-accredited HISPs not yet enabled with FBCA credentials may do so by partnering with a CA that is already trusted by the FBCA.

As a founding and board member of DirectTrust, DigiCert is a DTAAP-accredited RA and CA and is cross-certified by the FBCA for full interoperability with federal agencies. DigiCert offers dual-mode certificates that are not only trusted by the FBCA but also allow complete Directed Exchange interoperability at multiple levels of assurance with any other DirectTrust-accredited HISP.

The Direct Project Vision: Scalable, Standards-Based Trust

This federal recommendation is another important step in establishing scalable, standards-based trust that can achieve the vision of the Direct Project. Together, through a collaborative effort among our member companies, federal, state, and local governments, we’re building a Direct community capable of breaking down previous barriers and silos within healthcare and improving the quality of care.

Most DirectTrust-accredited HISPs already partner with DigiCert to receive FBCA cross-certification. HISPs using DigiCert also have access to our Direct Cert Portal for managing the certificate lifecycle for their Direct accounts. For more information about our DirectAssured certificates, and how to enable fully interoperable Directed Exchange, visit this page.


3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories


Pioneering the next wave of secure digital solutions 


4 best practices for bulk email senders



Driving digital trust with SOC 2-compliant DNS