I think that everyone who has responded to Beth Kranda's email has made sound points. Basically, the trading partner agreement (TPA) is a creature of the final transactions and code sets rule, the business associate (BA) agreement is a creature of the final privacy rule, and the chain of trust agreement is a creature of the security rule which has not been finalized. At the WEDI March Forum, I learned that HHS has settled upon a final security rule and a separate final electronic (or digital) signature rule, and that HHS has submitted both rules to the U.S. Office of Management and Budget for final review and approval (under the Paperwork Reduction Act) for publication in the Federal Register. If the final security rule were published in April, the general compliance date would be in June 2004 (60 days plus 2 years).
I want to add an additional 2 cents on the BA and TPA agreements. I think it is something of a misnomer to use the term business associate agreement because it inaccurately suggests that it is a brand new agreement. However, as Bill Bernath points out in the vast majority of situations written agreements for, e.g., prescription benefit management or billing services already exist between the covered entity and the business associate. In these garden variety situations, it will be necessary to incorporate the business associate requirements spelled out in the privacy rule into these agreements -- as a module as one writer in this chain pointed out. I agree that it makes sense to start incorporating those BA provisions now with a 4/14/03 effective date for multi year contracts and to include them in future contracts as they are negotiated. It likely will be necessary to create a few brand new agreements with current vendors that qualify as business associates under the privacy regulation but that will be the exception rather than the rule. Returning to the original discussion of combining agreements, it strikes me that the trading partner agreement principally will include technical EDI requirements and that the business terms in a TPA and a BA agreement generally will be common . (Of course there will be TPA agreements between covered entities that stand alone.) It also occurs to me that many BA agreements will not involve EDI relationships. For example, as a lawyer, I am a business associate to my health plan clients, but our BA agreement will not require trading partner provisions. Therefore, I think it makes sense to treat the trading partner provisions as an addendum to the BA agreement (or the agreement with BA provisions) when both are required. An addendum is a separate writing that is incorporated by reference into the main agreement. Addendum treatment will permit greater focus on the specific technical requirements and it will avoid the need to incorporate therein the business relationship provisions found in the business associate agreement. The chain of trust provisions to be mandated by the security rule could be included in this addendum or as a separate addendum. I also think that the suggestion to look into contract management software is an excellent idea. Does anyone have a recommendation on such software? Best regards, David Ermer Gordon & Barnett 1133 21st St., NW, Suite 450 Washington, DC 20036 (202) 833-3400 ext. 3009 (voice) (202) 223-0120 (fax) >>> "Bill Bernath" <[EMAIL PROTECTED]> 03/11 1:26 PM >>> Can someone tell me the status of the final rules for chain of trust agreements? If I'm not mistaken, they are covered by the yet to be finalized security regulations. That said, I would suggest that those of you with thousands of contracts might consider getting the baa out the door soon and not try to combine the efforts. Remember, there are contracts that will be up for renewal in less than a month that must have the business associate wording in place so you will be compliant in April '03. You might want to consider how much push back you will get if your vendors do not want to amend on chain of trust because it is not indeed a change due to new regulations, as is the case with BAA's - just a practical consideration - thx- b Bill Bernath Blue Cross Blue Shield of North Carolina Privacy Office (919) 765-7006 [EMAIL PROTECTED] >>> "Bradley Gross" <[EMAIL PROTECTED]> 03/09/02 11:20PM >>> While everyone's initial instinct to combine agreements may be prudent, the flip side of the coin is that by combining the agreements you risk (1) turning three fairly straight-forward contracts into one monster--and perhaps overly complicated--agreement. Personally, the thought of three contracts with your trading partners doesn't shock me. If they can be combined to make a single coherent document, then go for it. Generally, I have found that many attorneys who try to put too much information into one agreement end up covering all areas, but none in depth. The rule of thumb to keep in mind is that the contract should be able to be read (and understood) by a person with virtually no knowledge of the facts. When you start combining agreements, this rule of thumb tends to fly out the window.... If contract management becomes a problem (which it is for most people in the healthcare industry), I'd recommend that you invest in some good contract management software. That's my $0.02. Good luck. Brad Gross Bradley J. Gross, Esq. Becker & Poliakoff, P.A. email: [EMAIL PROTECTED] web: www.becker-poliakoff.com NBC6 Technology Law Correspondent web: www.nbc6.net CompTIA Best Practices & Education Committees www.comptia.org >>> "David Ermer" <[EMAIL PROTECTED]> 03/09/02 12:04AM >>> I am attorney. It is a common practice to use one contract to serve multiple purposes. Just compare this to a situation where a company buys several different products simultaneously from one manufacturer. It would defy common sense to use separate agreements in wither that situation or this one. The law should reflect common sense, and generally it does. I concur with Beth. Best regards, David Ermer, Gordon & Barnett, Wash. D.C. <<< "Beth Kranda" <[EMAIL PROTECTED]> 3/ 8 8:14p >>> Yes, I have heard CMS say that it was not the intent that you have 3 agreements with each of your trading partners. They may be combined to the extent that the trading partner is also a BA. I am no lawyer, however so let's hear what they have to say! "Street, Bunny" wrote: > Is anyone considering possibly combining these agreements? I realize they > represent separate issues but do have some similarities. Comments > appreciated. > Thanks, > Leslie Street > Privacy Specialist > Mountain States Health Alliance > 423-431-1661 > > ********************************************************************** > To be removed from this list, go to: >http://snip.wedi.org/unsubscribe.cfm?list=privacy > and enter your email address. -- M. Beth Kranda Sr. Project Consultant and Privacy Director OASYS t- (317) 614-2139 f- (317) 614-2001 e- [EMAIL PROTECTED] info- www.oasys.com CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.
