
HIPAAdvisor: Q & A with Steve Fox

Chain of Trust Agreements

QUESTION #5: As the first stage in developing a plan for HIPAA compliance, my organization is in the midst of auditing internal operations. I have been asked to review our current administrative policies and assemble samples of any process maps, policy forms, or procedural outlines of HIPAA-mandated administrative procedures that may be helpful to the organization as reference materials. Unfortunately, there isn't a wealth of information about Chain of Trust Partner Agreements. Can you offer some insights?

ANSWER: HIPAA requires the implementation of certain administrative procedures to guard the integrity, confidentiality and availability of data protected under the act. A Chain of Trust Agreement is such a procedure. It is essentially a Non-Disclosure Agreement that governs the transmission of data through an electronic medium. The sender and recipient agree to protect the data electronically transmitted between them.

Chain of Trust Agreements are required when data is processed through a third party. Their purpose is to ensure that a uniform level of security is applied at every "link" in the chain where information passes from one party to another. Verification of uniformity at each link is necessary for optimal protection of transmitted data.

It would be extremely onerous, and defeat the purpose of electronic transacting, to require that parties personally confirm use of appropriate security measures before and after each and every transmittal. A Chain of Trust Agreement is a proxy for actual physical confirmation. Therefore, it is very important that the parties to these contracts agree to security mechanisms that:

(1) ensure that all transmissions of data are authorized;
(2) protect the integrity and confidentiality of patient information; and
(3) protect business records and data from improper access.

The Agreement should obligate each party to adopt some form of electronic identification (electronic signatures are an example) that unequivocally attributes data transmissions and to agree upon procedures for acknowledging the proper receipt of data. Without these contractual obligations, the parties can't assume any reasonable level of comfort regarding the integrity of transmitted data.

Likewise, without a mechanism to authenticate the origin of transmitted data, it is impossible to establish that the data has not been compromised.
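To make the two contractual obligations above concrete (attributing each transmission to its sender, and acknowledging proper receipt), here is an added example of what one link of the chain can look like in code. It is not part of the column and not an implementation of any particular agreement; it assumes the two parties to a link share a secret key agreed out of band, uses a keyed MAC (HMAC-SHA256) as a simplified stand-in for the electronic signature the column mentions, and uses constructed party names, message identifiers and payloads.

```python
import copy
import hashlib
import hmac
import json

# Canonical serialization so sender and recipient authenticate the same bytes
# regardless of dictionary ordering or whitespace.
def _canonical(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _tag(key: bytes, data: bytes) -> str:
    # Keyed MAC over the canonical bytes. The key is assumed to be shared by
    # exactly the two parties to this one link of the chain.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_transmission(key: bytes, sender: str, message_id: str, payload: dict) -> dict:
    """Sender side: wrap the payload in an envelope that names the sender, then tag it."""
    envelope = {"sender": sender, "message_id": message_id, "payload": payload}
    return {"envelope": envelope, "tag": _tag(key, _canonical(envelope))}


def verify_transmission(key: bytes, transmission: dict) -> bool:
    """Recipient side: confirm origin and integrity before processing anything."""
    expected = _tag(key, _canonical(transmission["envelope"]))
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    return hmac.compare_digest(expected, transmission["tag"])


def acknowledge_receipt(key: bytes, recipient: str, transmission: dict):
    """Recipient side: acknowledge only what verified, bound to the exact bytes received."""
    if not verify_transmission(key, transmission):
        return None  # no acknowledgement for an unauthenticated or altered message
    received = _canonical(transmission["envelope"])
    ack_body = {
        "recipient": recipient,
        "acknowledges": transmission["envelope"]["message_id"],
        "digest": hashlib.sha256(received).hexdigest(),
    }
    return {"ack": ack_body, "tag": _tag(key, _canonical(ack_body))}


def verify_acknowledgment(key: bytes, transmission: dict, ack: dict) -> bool:
    """Sender side: the ack must itself verify and must refer to what was actually sent."""
    if not hmac.compare_digest(_tag(key, _canonical(ack["ack"])), ack["tag"]):
        return False
    sent = _canonical(transmission["envelope"])
    return (ack["ack"]["acknowledges"] == transmission["envelope"]["message_id"]
            and ack["ack"]["digest"] == hashlib.sha256(sent).hexdigest())


if __name__ == "__main__":
    link_key = b"constructed-demo-key-for-one-link"  # constructed sample, not a real key
    tx = sign_transmission(link_key, "Provider", "msg-0001",
                           {"claim_id": "C-123", "amount": 250})
    ack = acknowledge_receipt(link_key, "Clearinghouse", tx)
    print("transmission verified:", verify_transmission(link_key, tx))
    print("acknowledgment verified:", verify_acknowledgment(link_key, tx, ack))
    # A copy altered in transit carries the old tag and therefore fails verification,
    # and the recipient issues no acknowledgement for it.
    altered = copy.deepcopy(tx)
    altered["envelope"]["payload"]["amount"] = 2500
    print("altered copy verifies:", verify_transmission(link_key, altered))
    print("ack issued for altered copy:", acknowledge_receipt(link_key, "Clearinghouse", altered))
```

Two design points matter for the contractual language. First, the acknowledgement is bound to a digest of the exact envelope received and to its message identifier, so an ack cannot be mistaken for a receipt of some other or altered transmission. Second, a shared-key MAC attributes a message only to "one of the two parties to this link"; where the agreement needs each party to be individually accountable (non-repudiation), each party signs with its own private key instead, which is what a true electronic signature provides.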

Finally, in order to maintain the integrity of the data passed along this chain, the Agreement should state that the parties will take reasonable measures to maintain equipment, software and other materials that have the potential to negatively impact data and/or the ability to transmit data. Remember the love bug? There are any number of avenues for disabling code or viruses to gain access to an information system. Part of any organization's HIPAA due diligence involves asking software and hardware vendors what procedures they use to protect against these types of intrusions. The potential for data corruption extends beyond the boundaries of two links in a chain.


Steve Fox, Esq., is a partner in the Washington, D.C. office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is a frequent writer and speaker on healthcare information management and technology issues. www.pepperlaw.com/

This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper Hamilton.

Disclaimer: Steve's responses offer information that is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice.

Have a question you'd like Steve to discuss in HIPAAlert? Send it to and he'll be glad to consider using it in a future column, with or without attribution.