Direct Trust


HITRUST CSF Certified Logo

Hixny complies with New York State and federal laws governing the exchange of medical information. Hixny also complies with a wide range of voluntary safety and security protocols in an effort to retain the highest possible level of security in the industry.

These voluntary measures include:

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Breach Notification Rule
  • 42 CFR Part 2
  • SHIN-NY Privacy and Security Policies and Procedures for Qualified Entities and Their Participants
  • Minimum Acceptable Risk Standards for Exchanges (MARS-E)
  • NYS Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
  • NYS Shield Act
  • EHNAC’s Privacy and Security framework
  • HITRUST’s Common Security Framework (CSF)


In 2018, Hixny was among the first health information exchanges (HIEs) in New York to be certified by the Health Information Trust Alliance (HITRUST), a group of healthcare, business, technology and information security leaders that oversees the best practices and regulatory standards called the Common Security Framework (CSF).

The goal of the CSF is to ensure the confidentiality, integrity and availability of private data, including PHI. In fact, it could be described as a universally accepted blueprint for keeping information out of the hands of the wrong people. Achieving this certification indicates that Hixny meets the highest established security standards—including those set by HIPAA and the Centers for Medicare and Medicaid Services (CMS)—and makes the protection of private data a top priority.


HITRUST certification is a robust, two-year certification that requires an interim-year assessment.

2018 Hixny achieved HITRUST CSF® certification on Version 9.1 for patient information security
2019 Hixny attained interim-year certification
2020 Hixny achieved HITRUST CSF recertification


In addition to meeting all applicable CSF controls concurrently, Hixny chose to include assessment of two especially stringent additional controls in its certification process, in order to demonstrate its industry-leading commitment to information security:

Minimum Acceptable Risk Standards for Exchanges (MARS-E), which was established by the Centers for Medicare and Medicaid Services (CMS) to protect personal identifying information (PII), personal health information (PHI), and federal tax information used in health insurance exchanges—like the New York State of Health.

NYS Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)

Audit Summary

Hixny continually audits user activity to ensure compliance with state and federal regulations, as well as internal policies and procedures that have been put in place to protect and secure patient data. Request access to our user audit reports.


Self-Developer Transparency


The federal Office of the National Coordinator for Health Information Technology requires us to provide the following disclosure regarding the DIRECT messaging through the Hixny HISP that is offered as a standard service for participants:
  • Developer Name: Hixny
  • Product Name: Hixny HISP
  • Product Version: 1.0
  • Certification ID:
  • Certification Date: Feb 27, 2023
  • Criteria certified:
    • 170.315 (d)(1): Authentication, Access Control, Authorization
    • 170.315 (d)(2): Cures: Auditable Events and Tamper-Resistance
    • 170.315 (d)(3): Cures: Audit Report(s)
    • 170.315 (d)(5): Automatic Access Time-out
    • 170.315 (d)(6): Emergency Access
    • 170.315 (d)(7): End-User Device Encryption
    • 170.315 (d)(8): Integrity
    • 170.315 (d)(12) Cures: Encrypt authentication credentials
    • 170.315 (d)(13) Cures: Multi-factor authentication
    • 170.315 (g)(4): Quality Management System
    • 170.315 (g)(5): Accessibility-Centered Design
    • 170.315 (h)(2): Direct Project, Edge Protocol and XDR/XDM
  • Clinical Quality Measures certified: 0
  • Automated Numerator Recording certified: 0
  • Automated Measure Calculation certified: 0
  • Additional software required for certification: Microsoft Window TCP/SMTP, Direct Project, InterSystems HealthShare, Microsoft Exchange
  • Additional Costs: None

Disclaimer: This Health IT Module is 2015 Edition compliant and has been certified by an ONC-ACB in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services. This certification does not represent an endorsement by the U.S. Department of Health and Human Services.


Questions and Concerns

Hixny will be performing extended maintenance beginning Thursday, December 31 through Friday, January 1. During this time, all services
will be impacted and unavailable—including access to the provider portal.