What is the difference between business associate agreements and chain of trust partner agreements?
HIPAA Weekly Advisor, December 27, 2002
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q: What is the difference between business associate agreements and chain of trust partner agreements?
A: These two HIPAA rules were written by different teams and came out at different times. One of the reasons given for the delay in publication of the final security rule is the work required to synchronize it with the privacy rule-for example, so that terms are used consistently. The proposed security rule was published in 1998; the proposed privacy rule came later. The chain of trust agreement as described in the proposed security rule was little more than a gentlemen's handshake, whereas the later privacy rule's business associate agreement delineates specific responsibilities.
Note that the August 14, 2002, Federal Register contains sample agreement language from HHS. A business associate agreement or contract must contain statements such as:
- The business associate will not use or disclose the entity's PHI for other than the purpose(s) of the business association or contract, or as required by law.
- The business associate will not use or disclose PHI in any way that would be a violation of HIPAA if the covered entity were to do it.
- The business associate agrees to use appropriate safeguards to protect PHI from unauthorized use or disclosure.
- The business associate agrees to report inappropriate uses or disclosures to the entity.
- If applicable, the business associate must provide access to PHI for inspection and copying by the patient, and to PHI by the Secretary of HHS.
It is likely that the final security rule will eliminate the chain of trust agreement and simply require additional provisions in the business associate agreement. Covered entities may be able to simply add a statement or two expanding on the security safeguards for security rule compliance to their privacy-compliant business associate agreements.
Editor's note: Answered by Kate Borten, CISSP, president of The Marblehead Group, in Marblehead, MA, and excerpted from the December 2002 issue of Briefings on HIPAA.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- HIPAA Q&A: Flu shot requirement for hospital employees
- Running an effective peer review committee meeting
- HealthDataInsights posts new issues for medical necessity claims
- Sneak Peek: Effort underway to establish caseload benchmarks
- Q/A: Coding for telescopic intraocular lens
- New FAQ posted on storing laryngoscope blades
- Tip: Perform your own internal investigation prior to government audit
- HIPAA 5010 deadline extended, but threat remains, says AMA
- HHS task force: Consider privacy, security with text messages
- What does case-mix index mean to you?
- E-mailed
-
- Running an effective peer review committee meeting
- HIPAA Q&A: Flu shot requirement for hospital employees
- HHS task force: Consider privacy, security with text messages
- What does case-mix index mean to you?
- Q/A: Coding for telescopic intraocular lens
- Q/A: Correct use of modifier -PT
- Tip: Correctly code bilateral pain management procedures
- "Wall fountains" may be spreading Legionnaires to patients, visitors
- 2012 CPT code changes for ASCs: Shoulder and knee scopes and pain management
- Case Management Monthly, March 2012
- Searched