Skip to main content

What is Electronic Healthcare Network Accreditation Commission (EHNAC) Compliance?

by Juliana De Groot on Thursday September 19, 2019

Contact Us
Free Demo

Learn about what the Electronic Healthcare Network Accreditation Commission, or EHNAC, is, its benefits, the accreditation process, and best practices in Data Protection 101, our series on the fundamentals of data security.

The Electronic Healthcare Network Accreditation Commission (EHNAC) is a non-profit, self-governing organization that develops standards and certifies organizations that electronically exchange healthcare information. Examples of such organizations are health information exchanges (HIEs), electronic health networks, e-prescribing networks, medical billing companies, and accountable care organizations.

EHNAC was founded in 1993 and started certifying organizations in 1995. It is led by a commission of at least nine stakeholders and representatives from the private and public sectors. EHNAC commissioners serve a three-year term. EHNAC’s site reviewers are veteran experts in the healthcare industry, well-versed in EHNAC’s criteria, bound by policies on confidentiality and conflict of interest, and are not employed by any EHNAC-accredited organization. EHNAC’s headquarters are in Connecticut, USA.


EHNAC’s accreditation programs are designed to improve data privacy and security, operational efficiency, and transaction quality of healthcare organizations. Once an organization becomes EHNAC-accredited, it will meet not only EHNAC’s criteria but also individual requirements of other regulations, such as:

  • HIPAA (Health Insurance Portability and Accountability Act)
  • HITECH (Health Information Technology for Economic and Clinical Health Act)
  • ARRA (American Recovery and Reinvestment Act)
  • ACA (Affordable Healthcare Act, also known as “Obamacare”)
  • Specific requirements of the states of Maryland, New Jersey, and Texas


EHNAC’s criteria are based on regulatory requirements and the healthcare industry’s best practices. Organizations applying for accreditation must undergo several stages to prove they meet the requirements of the program that applies to them, as well as the requirements of HIPAA and other related regulations.

EHNAC’s criteria and the complete list of its trusted network accreditation programs are found on its website. Some of these programs are:

  • ePAP (e-Prescribing Accreditation Program)
  • DTAAP (Direct Trusted Agent Accreditation Program)
  • FSAP (Financial Services Accreditation Program)
  • HIEAP (Health Information Exchange Accreditation Program)
  • HNAP (Healthcare Network Accreditation Program)
  • MSOAP (Management Service Organization Accreditation Program)
  • OSAP (Outsourced Services Accreditation Program)


HITRUST CSF stands for “Health Information Trust Alliance Common Security Framework.” It’s a set of privacy and security controls widely used in the U.S. healthcare industry, established by Texas-based private company HITRUST.

To be HIPAA-compliant, an organization must comply either with EHNAC or HITRUST certification criteria. In 2016, EHNAC and HITRUST collaborated to remove any redundancy in their assessments as well as reduce time and cost spent by organizations to meet both HITRUST CSF and EHNAC certification requirements. In 2017, EHNAC became an authorized HITRUST CSF assessor, the only organization so far that offers both HITRUST CSF and EHNAC services.


1. Application: The organization applying for accreditation files an application, pays the fees, and submits initial information. The applicant is given a “candidate” status.
2. Self-assessment: The candidate will perform self-assessment to gather proof to show that it complies with EHNAC’s criteria.
3. Site review: An assigned site reviewer will visit the candidate’s site and audit the information provided in the self-assessment. Results are quantified, and the candidate must meet a minimum score to get full accreditation. If the reviewer has questions or needs further evidence, the candidate must resubmit the self-assessment, and another visit will be scheduled.
4. Awarding: EHNAC will review and vote on the final report. The commission will notify the candidate if it has been granted full accreditation or not.


EHNAC assigns a status to an organization applying for accreditation.

  • Candidate: The organization’s application is accepted by EHNAC. This status is valid for one year.
  • Full: A candidate meeting the full criteria is granted full accreditation for two years. After this cycle, the organization may apply for reaccreditation.
  • Interim: An accredited organization acquires unaccredited subsidiaries or undergoes changes that may impact its full accreditation status.
  • Provisional: The candidate doesn’t meet the full criteria. However, it is given a chance to fulfill the requirements.
  • Denied: The candidate’s result falls below the minimum score. However, it can reapply for accreditation.

The current list of EHNAC accredited organizations is publicly available on EHNAC’s website.


For organizations applying for a new or continued EHNAC accreditation, they must focus on preparing documents and supporting pieces of evidence before a site review, so they should take self-assessment seriously. Organizations should develop a plan of action and stick to the timeline. While it takes a commitment from everyone – from top management to rank-and-file employees – to ensure success, it will help if there are designated company representatives tasked with ensuring everything is ready for the upcoming site review.


Through EHNAC’s Non-compliant Notification System (NSS), trading partners and business associates can report any suspected non-compliance of a candidate or accredited organization. For instance, if the organization failed to respond to a customer’s inquiry within 24 hours, the reporter must submit thorough details, including supporting evidence. Still, EHNAC urges involved parties to attempt to resolve their issues before submitting a non-compliance notification.

Once EHNAC received a notification, its executive committee will do an assessment. If the committee finds that there’s no non-compliance, the commission will notify the reporter, and the notification will be deemed resolved. However, if the committee finds that there’s indeed a non-compliance, it will recommend an investigation. The commission will decide whether to proceed with an investigation.

The organization suspected of non-compliance will be notified and asked to respond. The commission will review if the EHNAC non-compliant organization has successfully refuted the allegation or fixed its non-compliance. If not, corrective actions must be implemented within a given time frame.

EHNAC may conduct a site review to verify remediation efforts. Finally, the commission will decide whether to downgrade or restore the organization’s full accreditation status.


If the organization is already accredited, it must remain vigilant in ensuring all its systems are continuously complying with EHNAC’s criteria. Certified organizations must not wait for third parties to spot their non-compliance. Conducting internal audits and periodic reviews will help a lot in ensuring the organization is always EHNAC-compliant. However, if the organization receives a non-compliance notification, it should immediately respond and properly implement corrective actions so that it won’t lose its full accreditation status.

Tags:  Data Protection 101 Compliance

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.