Direct Trust


HITRUST CSF Certified Logo

Hixny complies with New York State and federal laws governing the exchange of medical information. Hixny also complies with a wide range of voluntary safety and security protocols in an effort to retain the highest possible level of security in the industry.

These voluntary measures include:

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Breach Notification Rule
  • 42 CFR Part 2
  • SHIN-NY Privacy and Security Policies and Procedures for Qualified Entities and Their Participants
  • Minimum Acceptable Risk Standards for Exchanges (MARS-E)
  • NYS Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
  • NYS Shield Act
  • EHNAC’s Privacy and Security framework
  • HITRUST’s Common Security Framework (CSF)


In 2018, Hixny was among the first health information exchanges (HIEs) in New York to be certified by the Health Information Trust Alliance (HITRUST), a group of healthcare, business, technology and information security leaders that oversees the best practices and regulatory standards called the Common Security Framework (CSF).

The goal of the CSF is to ensure the confidentiality, integrity and availability of private data, including PHI. In fact, it could be described as a universally accepted blueprint for keeping information out of the hands of the wrong people. Achieving this certification indicates that Hixny meets the highest established security standards—including those set by HIPAA and the Centers for Medicare and Medicaid Services (CMS)—and makes the protection of private data a top priority.


HITRUST certification is a robust, two-year certification that requires an interim-year assessment.

2018 Hixny achieved HITRUST CSF® certification on Version 9.1 for patient information security
2019 Hixny attained interim-year certification
2020 Hixny achieved HITRUST CSF recertification
2021 Hixny attained interim-year certification
2022 Hixny achieved HITRUST CSF recertification
2023 Hixny attained interim-year certification


In addition to meeting all applicable CSF controls concurrently, Hixny also complies with the Office of Health Insurance Programs (OHIP) factor.

What is the OHIP factor?
OHIP has defined a Moderate-Plus Security Controls Baseline based on, and consistent with, the security provisions described in the Centers for Medicare and Medicaid Services (CMS) Acceptable Risk Safeguards (ARS) and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 at the Moderate level. Additionally, OHIP has augmented these federal standards with New York State Policies and Standards. The Moderate-Plus Security Controls Baseline includes a System Overview document and the eighteen security control families as set forth in CMS ARS and NIST 800-53.

Audit Summary

Hixny continually audits user activity to ensure compliance with state and federal regulations, as well as internal policies and procedures that have been put in place to protect and secure patient data. Request access to our user audit reports.


Self-Developer Transparency


The federal Office of the National Coordinator for Health Information Technology requires us to provide the following disclosure regarding the DIRECT messaging through the Hixny HISP that is offered as a standard service for participants:
  • Developer Name: Hixny
  • Product Name: Hixny HISP
  • Product Version: 1.0
  • Certification ID:
  • Certification Date: April 26, 2024
  • Criteria certified:
    • 170.315 (d)(1): Authentication, Access Control, Authorization
    • 170.315 (d)(2): Auditable Events and Tamper-Resistance
    • 170.315 (d)(3): Audit Report(s)
    • 170.315 (d)(5): Automatic Access Time-out
    • 170.315 (d)(6): Emergency Access
    • 170.315 (d)(7): End-User Device Encryption
    • 170.315 (d)(8): Integrity
    • 170.315 (d)(12) Encrypt authentication credentials
    • 170.315 (d)(13) Multi-factor authentication
    • 170.315 (g)(4): Quality Management System
    • 170.315 (g)(5): Accessibility-Centered Design
    • 170.315 (h)(2): Direct Project, Edge Protocol and XDR/XDM
  • Clinical Quality Measures certified: 0
  • Automated Numerator Recording certified: 0
  • Automated Measure Calculation certified: 0
  • Additional software required for certification: Microsoft Window TCP/SMTP, Direct Project, InterSystems HealthShare, Microsoft Exchange
  • Additional Costs: None

Disclaimer: This Health IT Module is compliant with the ONC Certification Criteria for Health IT and has been certified by an ONC-ACB in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services. This certification does not represent an endorsement by the U.S. Department of Health and Human Services.

ONC Certified HealthIT Logo

ONC CERTIFIED HIT® is a registered trademark of HHS

Questions and Concerns

Hixny will be performing extended maintenance beginning Thursday, December 31 through Friday, January 1. During this time, all services
will be impacted and unavailable—including access to the provider portal.