We are entering into business associate agreements with any entity that fits the business associate definition. We aren't making any distinction between BAs that are covered entities and those that are not.
We are entering into trading partner agreements with providers with which we swap standard transactions. We are putting no restrictions on how our providers use the PHI we send them, since they are not our business associates and we do not want to give any impression that we are responsible for their use or misuse of PHI.

"Chain of trust" agreements, in our view, contain language governing the security standards that apply to any particular electronic exchange of data. By definition, our trading partner agreements will contain chain of trust language. So will our business associate agreements, if there is any PHI exchanged electronically. We will also have stand-alone chain of trust agreements with those entities which are neither trading partners nor business associates, but with which we exchange data electronically.

Hope you find this helpful.

Deb Drexler
Privacy and Security Officer
Division of Medical Assistance

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 29, 2002 3:49 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: when to use business associate agrmt vs trading partner agrmt vs chain of trust

Can anyone please help me to succinctly define when to use a business agreement vs. trading partner agreement vs. a chain of trust agreement, and when I am most likely going to need more than one at a time? (or refer me to a resource that compares the definitions and uses of each)

Last year during our initial HIPAA gap analysis we developed an inventory of BAs and Trading partners but now as I work on this list to update it and prioritize it for follow-up I am questioning some of our initial assumptions and definitions.

My current understanding is that we will need a business associate agreement when:

1) we will be sharing PHI with a noncovered entity for treatment, payment or operations (TPO) (e.g. consultants, auditors, mailing house)
2) we will be sharing PHI with a covered entity to whom we are delegating any of our TPO functions. (delegated MH coverage, delegated Dental coverage)

I am less clear as to when we will need a trading partner or chain of trust agreement. Am I correct in assuming that we will need trading partner agreements with all of our providers and employers in order for them to submit electronic claims, referrals, enrollment transactions to us? And wouldn't I then also need chain of trust agreements with each of them to ensure security standards are met? Oh and then some may also be business associates.

Are my assumptions near the mark? Any insight would be greatly appreciated because I am having difficulty distinguishing these relationships for myself and for others in my organization.

Deborah Fiumedora
[EMAIL PROTECTED]
Project Manager
Neighborhood Health Plan
Boston, Massachusetts