Deborah -- Just to supplement the last reply -- Perhaps the easiest way to appreciate the differences between the three agreement is as follows:
Trading partner agreement is a creature of the transactions and code sets rules. It would be used for example when two health plans want to trade information for COB purposes. Since they are both covered entities, the business associate agreement would not apply. Business associate agreement is a creature of the privacy rule. You appear to have a pretty good understanding of when to use the BA agreement. Of course, HHS issued model business associate provisions in the 3/27/2002 NPRM. The chain of trust agreement is a creature of the security rule which HHS has not yet finalized. Best regards, Dave Ermer >>> <[EMAIL PROTECTED]> 05/29/02 04:49PM >>> Can anyone please help me to succinctly define when to use a business agreement vs. trading partner agreement vs. a chain of trust agreement, and when I am most likely going to need more than one at a time? (or refer me to a resource that compares the definitions and uses of each) Last year during our initial HIPAA gap analysis we developed an inventory of BAs and Trading partners but now as I work on this list to update it and prioritize it for follow-up I am questioning some of our initial assumptions and definitions. My current understanding is that we will need a business associate agreement when: 1) we will be sharing PHI with a noncovered entity for treatment, payment or operations (TPO) (e.g. consultants, auditors, mailing house) 2) we will be sharing PHI with a covered entity to whom we are delegating any of our TPO functions. (delegated MH coverage, delegated Dental coverage) I am less clear as to when we will need a trading partner or chain of trust agreement. Am I correct in assuming that we will need trading partner agreements with all of our providers and employers in order for them to submit electronic claims, referrals, enrollment transactions to us? And wouldn't I then also need chain of trust agreements with each of them to ensure security standards are met? Oh and then some may also be business associates. Are my assumptions near the mark? Any insight would be greatly appreciated because I am having difficulty distinguishing these relationships for myself and for others in my organization. Deborah Fiumedora [EMAIL PROTECTED] Project Manager Neighborhood Health Plan Boston, Massachusetts ********************************************************************** To be removed from this list, send a message to: [EMAIL PROTECTED] Please note that it may take up to 72 hours to process your request. ********************************************************************** To be removed from this list, send a message to: [EMAIL PROTECTED] Please note that it may take up to 72 hours to process your request.