Deborah -- Just to supplement the last reply -- Perhaps the easiest way
to appreciate the differences between the three agreement is as
follows:

Trading partner agreement is a creature of the transactions and code
sets rules. It would be used for example when two health plans want to
trade information for COB purposes. Since they are both covered
entities, the business associate agreement would not apply.

Business associate agreement is a creature of the privacy rule. You
appear to have a pretty good understanding of when to use the BA
agreement. Of course, HHS issued model business associate provisions in
the 3/27/2002 NPRM. 

The chain of trust agreement is a creature of the security rule which
HHS has not yet finalized. 

Best regards, Dave Ermer

>>> <[EMAIL PROTECTED]> 05/29/02 04:49PM >>>


Can anyone please help me to succinctly define when to use a business
agreement
vs. trading partner agreement vs. a chain of trust agreement, and when
I am most
likely going to need more than one at a time?   (or refer me to a
resource that
compares the definitions and uses of each) Last year during our initial
HIPAA
gap analysis we developed an inventory of BAs and Trading partners but
now as I
work on this list to update it and prioritize it for follow-up  I am
questioning
some of our initial assumptions and definitions.  My current
understanding is
that we will need a business associate agreement when:
1) we will be sharing PHI with a noncovered entity for treatment,
payment or
operations (TPO)  (e.g. consultants, auditors, mailing house)
2) we will be sharing PHI with a covered entity to whom we are
delegating any of
our TPO functions.  (delegated MH coverage, delegated Dental coverage)

I am less clear as to when we will need a trading partner or chain of
trust
agreement.  Am I correct in assuming that we will need trading partner
agreements with all of our providers and employers in order for them to
submit
electronic claims, referrals, enrollment transactions to us?  And
wouldn't I
then also need chain of trust agreements with each of them to ensure
security
standards are met? Oh and then some may also be business associates.

Are my assumptions near the mark? Any insight would be greatly
appreciated
because I am having difficulty distinguishing these relationships for
myself and
for others in my organization.

Deborah Fiumedora
[EMAIL PROTECTED] 
Project Manager
Neighborhood Health Plan
Boston, Massachusetts




**********************************************************************
To be removed from this list, send a message to:
[EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.


**********************************************************************
To be removed from this list, send a message to: [EMAIL PROTECTED]
Please note that it may take up to 72 hours to process your request.

Reply via email to