Q: Who uses DigiCert's Direct Cert Portal?
ANSWER: Health Information Service Providers (HISPs) use DigiCert's Direct Cert Portal to request and manage the certificates used for Direct messaging. A HISP is an organization that provides Direct messaging services to Healthcare Organizations (HCOs). DigiCert Direct Address Certificates and Direct Organization Certificates are used to secure Direct mailboxes and to send and receive verified Direct messages for healthcare providers and their customers. Direct Device Certificates also secure the SSL/TLS connections between the infrastructure elements used in Direct messaging.
Q: Why should I choose DigiCert for my Direct implementation?
ANSWER: Since 2010, DigiCert has been an industry leader in developing and encouraging secure healthcare messaging. DigiCert is an accredited member of the DirectTrust trust bundle and can issue Federal Bridge Certification Authority (FBCA) cross-signed certificates. Many federal agencies are expected to require FBCA cross-signed certificates before accepting or sending a Direct message, so anyone who will use Direct with federal agencies should choose a provider with this capability. As a founding member of DirectTrust.org, DigiCert has an intimate knowledge of the standards and requirements needed to make Direct messaging a reality, and, as one of the world's largest CAs, DigiCert already provides authentication and encryption for some of the largest and most recognized brands in the world.
Q: Why is it important to use an FBCA cross-signed certificate for Direct messaging?
ANSWER: Most federal agencies will likely reject incoming Direct messages, and refuse to send them, unless they are signed and encrypted using an FBCA cross-certified Direct Certificate. The FBCA only cross-signs a CA after a robust audit and policy-mapping exercise that verifies the CA abides by stringent guidelines, best practices, and industry standards aligned with the federal PKIs. When a certificate is FBCA cross-signed, federal agencies can trust that the CA has followed proper policies and has sufficiently secure practices to issue the certificate. Using an FBCA cross-signed CA for Direct provides full access to communication with both commercial and federal entities. DigiCert meets the rigorous FBCA requirements and is one of the few CAs qualified to facilitate Direct messaging with the federal government at multiple levels of assurance.
Q: What is the difference between a Direct Address Certificate and Direct Organization Certificate?
ANSWER: The current DirectTrust.org standards permit Direct messages using two different certificate configurations: a Direct Address Certificate or a Direct Organization Certificate. A Direct Address Certificate contains the identity of the certificate holder and a single email address. Direct Address Certificates are used where a single endpoint of a communication is essential or where the exact identity of the recipient must be known. For example, sending a message encrypted using a Direct Address Certificate to chuck.richards@direct.healthcare.org ensures that Chuck Richards is the recipient of the message. Other individuals and entities within direct.healthcare.org will be unable to view or receive the message.

Direct Organization Certificates are used when knowing the endpoint of the communication is less important than verifying the identity of the organization controlling the endpoint. A Direct Organization Certificate identifies the certificate holder and a domain where the communication will be sent. The HISP is responsible for ensuring the message ends up at the correct endpoint after the communication is received. For example, a Direct Organization Certificate for direct.healthcare.org ensures that the communication is received by someone within the direct.healthcare.org domain. However, the message sender must then trust the HISP to deliver the message securely and responsibly to chuck.richards@direct.healthcare.org. The same message could be delivered to any address on the same domain, such as doug.kemp@direct.healthcare.org, sibil.florence@direct.healthcare.org, or jill.mayers@direct.healthcare.org. It is also important to note that ANY address holder in the domain has the technical ability to read a message secured using an Organization Certificate if they intercept it.

HISPs and HCOs using a Direct Organization Certificate to secure multiple addresses must also take on part of the identity verification process. Before delivering a message, either the HISP or the HCO must ensure that each person using an address in the domain is vetted in accordance with their local HIPAA-approved processes for granting access to Protected Health Information (PHI). The HISP is required to provide, on an annual basis, a list of the individuals using a given Direct Organization Certificate to secure their Direct addresses. The HISP must also be able to identify which user (from the list) is using the certificate at any given time.
Q: How do I decide between a Direct Organization Certificate and Direct Address Certificate?
ANSWER: In order to validate your account and make sure you and/or your organization are authorized to send and receive private medical information, DigiCert must confirm the information against valid identification. This protects patients and allows us to comply with HIPAA. Direct Address Certificates are vital when delivering sensitive information where you need to know the identity of the recipient, or need assurance that it is ONLY being delivered to a specific user. Direct Organization Certificates are sufficient where the information may be used generally by a provider's facility or where the exact identity of the requester is less important. As stated above, ANY address holder in the domain has the technical ability to read a message secured using an Organization Certificate, so these should only be used where this risk can be tolerated. Ultimately, the risk tolerance and certificate management requirements of the organization using Direct messaging determine which certificate is appropriate.
Q: As a HISP, am I required to track all of the individuals using a Direct Organization Certificate to secure their direct mail?
ANSWER: The identity of each individual using a Direct account secured by a Direct Organization Certificate must be verified in accordance with the local HIPAA-approved processes for providing access to PHI at the HCO. For Direct Organization Certificates, the HISP and HCO are responsible for completing this verification process and retaining sufficient proof of the individual’s identity. The HISP is responsible for providing the CA or its designated representative the full list upon request and at least on an annual basis, and must be able to attest that it knows which of those users are accessing the Organization Certificate any time it is used. Sufficient proof may include a copy of the declaration of identity and corresponding photo ID.
Q: What is the cost of a Direct Certificate?
ANSWER: Pricing depends on the type of certificate, the level of assurance in identity verification, and number of certificates requested. For a free quote and more information, please contact a DigiCert Direct representative by phone at 801-701-9642 or email directassured@digicert.com.
Q: What is the EHNAC-Direct Trusted Agent Accreditation Program (DTAAP)?
ANSWER: In 2013, ONC endorsed the Electronic Healthcare Network Accreditation Commission (EHNAC)-DirectTrust program as the accreditation body for RAs, CAs, and HISPs involved in Direct messaging. The DTAAP is a series of compliance rules that participants must meet before exchanging trusted Direct messages. EHNAC verifies each participant's compliance with these requirements, and DirectTrust relies on this verification before adding the participant to the trust bundle of authorized message exchangers. EHNAC has only accredited a handful of CAs, RAs, and HISPs. See DirectTrust's FAQ for more information regarding accreditation.
Q: What are the different roles within DirectTrust accreditation?
ANSWER: HISPs are the organizations responsible for on-boarding healthcare organizations and facilitating the transfer of Direct messages. CAs issue certificates meeting the requirements set forth in the DirectTrust (DT) certificate policy. RAs verify the identity of participants in accordance with the required Levels of Assurance (LOA); currently healthcare providers must meet DT LOA3 requirements (equivalent to NIST LOA3). Each role has its own set of guidelines and standards that must be met in order to become EHNAC-DTAAP accredited. EHNAC publishes further information on the EHNAC-DTAAP accreditation.
Q: Why is the EHNAC-DTAAP accreditation necessary for HISPs, CAs, and RAs?
ANSWER: Accreditation and audits ensure that participating parties adhere to a rigid set of standards. These standards are necessary to ensure the secure exchange of information to verified addresses and individuals. Prior to accrediting a participant, EHNAC evaluates whether the participant is audited in a number of categories, including privacy, security and confidentiality, technical performance, business practices, and organizational resources. EHNAC also reviews the organization's process for managing and transferring protected health information to ensure it meets ONC's guidelines. 

Accredited entities may display the EHNAC-DirectTrust seals of approval and are eligible to be included in the DirectTrust Anchor Bundle Distribution Program. Inclusion in the trust bundle provides an assurance to all other participants about the security and operation of the accredited entity. DirectTrust publishes further information on its anchor bundles.
Q: How is DNS involved in Direct messaging?
ANSWER: A DNS record is required to send and receive Direct messages. The DNS record points the Direct Address (e.g., james.stone@direct.healthcare.org) to a certificate (either a Direct Organization Certificate or Direct Address Certificate). This certificate is then used to encrypt the message for the recipient. HISPs typically set up the DNS records. 

Many HCOs already own a domain (e.g., healthcare.org). In this case, the HCO may dedicate a sub-domain to Direct (e.g., direct.healthcare.org) and point that sub-domain at a DNS server controlled by the HISP. This way the HCO retains control of the DNS for its day-to-day domain (healthcare.org) but delegates full control of the Direct Address entries in the sub-domain (direct.healthcare.org) to the HISP.
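The two answers above describe a DNS record that maps a Direct Address to either an Address Certificate or an Organization Certificate. The following is an added example, not code from the FAQ or from DigiCert: it assumes the Direct Applicability Statement's convention for publishing certificates as DNS CERT records (an address-bound certificate at the name formed by replacing "@" with ".", an organization-bound certificate at the domain itself, address-bound tried first) and uses a constructed, in-memory set of DNS answers so it runs offline.

```python
"""Direct certificate discovery: which certificate encrypts a message to an address?

Added example, not part of the DigiCert FAQ. Assumption: certificates are
published as DNS CERT records as in the Direct Applicability Statement for
Secure Health Transport. The FAQ itself only says the DNS record "points the
Direct Address to a certificate"; the naming and preference rules are the
Applicability Statement's, not the FAQ's. DNS answers below are constructed.
"""

# Constructed DNS CERT answers keyed by owner name. Values stand in for the
# certificate payload; they are placeholders, not real certificates.
SAMPLE_CERT_RECORDS = {
    # james.stone has his own Address Certificate.
    "james.stone.direct.healthcare.org": "PLACEHOLDER-ADDRESS-CERT-james.stone",
    # The whole sub-domain is also covered by an Organization Certificate.
    "direct.healthcare.org": "PLACEHOLDER-ORG-CERT-direct.healthcare.org",
}


def lookup_names(address: str) -> tuple[str, str]:
    """Return (address_bound_name, org_bound_name) for a Direct address.

    DNS names are case-insensitive, so the address is lower-cased before the
    '@' is replaced by '.' to form the address-bound owner name.
    """
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a Direct address: {address!r}")
    return f"{local}.{domain}", domain


def select_certificate(address: str, cert_records: dict[str, str]) -> dict:
    """Pick the certificate a sender would encrypt to for `address`.

    An address-bound certificate is preferred: only the named mailbox can
    decrypt. The organization-bound certificate is the fallback and carries
    the FAQ's caveat that any mailbox in the domain can read the message.
    """
    addr_name, org_name = lookup_names(address)
    if addr_name in cert_records:
        return {"name": addr_name, "scope": "address",
                "cert": cert_records[addr_name], "domain_wide_readable": False}
    if org_name in cert_records:
        return {"name": org_name, "scope": "organization",
                "cert": cert_records[org_name], "domain_wide_readable": True}
    # No certificate published: the sender cannot encrypt to this address.
    return {"name": None, "scope": None, "cert": None, "domain_wide_readable": None}
```

Run `select_certificate("doug.kemp@direct.healthcare.org", SAMPLE_CERT_RECORDS)` to see the organization-bound fallback, flagged as readable by any mailbox in the domain, compared with the address-bound result for james.stone.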
Q: How does DigiCert appoint trusted agents to assist in the identity vetting process?
ANSWER: DigiCert appoints representatives of customer organizations as trusted agents to assist in collecting the documentation necessary to issue Direct Certificates. Before a representative can act as a trusted agent, the representative must first verify their identity with DigiCert in accordance with DT LOA3 and FBCA Medium or Basic, depending on the HISP. The representative then executes an agreement that appoints them as an agent of DigiCert for the purposes of collecting documentation, verifying identities, and providing identity information. Verified information is reviewed by DigiCert before a certificate is issued.
Q: What level of identity verification is necessary to receive a Direct Address or Direct Organization Certificate?
ANSWER: DirectTrust based its standard for identity vetting on Level of Assurance 3 (LOA3) as set forth in NIST publication 800-63. This standard requires strong authentication of identity when establishing an applicant's legal identity (e.g., a certificate applicant could present a government-issued ID to a verifying person, such as a notary or a DigiCert Trusted Agent). Each Direct Certificate typically requires verification of two different identities: an ISSO (Information System Security Officer) working for the HISP, and either the individual named in the certificate (for Direct Address Certificates) or a representative of the organization named in the certificate (for Direct Organization Certificates). For organizations, the representative is responsible for managing use of the certificate, and the ISSO at the HISP is responsible for ensuring the security of the related private key.