We are entering into business associate agreements with any entity that fits
the business associate definition.   We aren't making any distinction
between BAs that are covered entities and those that are not. 

We are entering into trading partner agreements with providers with which we
swap standard transactions.  We are putting no restrictions on how our
providers use the PHI we send them, since they are not our business
associates and we do not want to give any impression that we are responsible
for their use or misuse of PHI.  

"Chain of trust" agreements, in our view, contain language governing the
security standards that apply to any particular electronic exchange of data.
By definition, our trading partner agreements will contain chain of trust
language.  So will our business associate agreements, if there is any PHI
exchanged electronically.  We will also have stand-alone chain of trust
agreements with those entities which are neither trading partners nor
business associates, but with which we exchange data electronically. 

Hope you find this helpful.  

Deb Drexler
Privacy and Security Officer
Division of Medical Assistance

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 29, 2002 3:49 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: when to use business associate agrmt vs trading partner agrmt vs
chain of trust



Can anyone please help me to succinctly define when to use a business
agreement
vs. trading partner agreement vs. a chain of trust agreement, and when I am
most
likely going to need more than one at a time?   (or refer me to a resource
that
compares the definitions and uses of each) Last year during our initial
HIPAA
gap analysis we developed an inventory of BAs and Trading partners but now
as I
work on this list to update it and prioritize it for follow-up  I am
questioning
some of our initial assumptions and definitions.  My current understanding
is
that we will need a business associate agreement when:
1) we will be sharing PHI with a noncovered entity for treatment, payment or
operations (TPO)  (e.g. consultants, auditors, mailing house)
2) we will be sharing PHI with a covered entity to whom we are delegating
any of
our TPO functions.  (delegated MH coverage, delegated Dental coverage)

I am less clear as to when we will need a trading partner or chain of trust
agreement.  Am I correct in assuming that we will need trading partner
agreements with all of our providers and employers in order for them to
submit
electronic claims, referrals, enrollment transactions to us?  And wouldn't I
then also need chain of trust agreements with each of them to ensure
security
standards are met? Oh and then some may also be business associates.

Are my assumptions near the mark? Any insight would be greatly appreciated
because I am having difficulty distinguishing these relationships for myself
and
for others in my organization.

Deborah Fiumedora
[EMAIL PROTECTED]
Project Manager
Neighborhood Health Plan
Boston, Massachusetts




**********************************************************************
To be removed from this list, go to:
http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.

**********************************************************************
To be removed from this list, send a message to: [EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.

Reply via email to