HIPAA/LAW:
Legal Q/A
March 2002
"Business Associates vs. Chain of Trust"
by Steve Fox, Esq., & Rachel Wilson, Esq.,
Pepper Hamilton LLP
QUESTION: What is the difference between a business associate
agreement and a chain of trust agreement? When does HIPAA require
the use of one as opposed to the other?
ANSWER: Both business associate and chain of trust agreements
are required under HIPAA in order to ensure the privacy of protected
health information ("PHI"). However, not all business
relationships require both a chain of trust agreement and a business
associate agreement. Under HIPAA's proposed security regulations
(the "Security Regulations"), chain of trust agreements
are required between parties that exchange or transmit PHI through
an electronic medium. In contrast, covered entities must enter into
a business associate agreement with all third parties that perform
services on their behalf.
There are two different scenarios in which a HIPAA-related business
association may arise.
First, when the right to use, disclose, create, or obtain PHI is
delegated to a third party for use on behalf of the covered entity.
For example, the provision of physician billing services creates
a business association because the billing service uses, discloses
and obtains PHI in the course of performing services on the physician's
behalf.
Second, where a third party provides certain specified services
to a covered entity and the provision of those services involves
the disclosure of PHI by the covered entity to such third party.
The specified services are legal, actuarial, accounting, consulting,
management, administrative, accreditation, data aggregation and
financial services (the "Specified Services"). It is important
to note that not every relationship between a covered entity
and a third party constitutes a business association that
gives rise to the requirement for a business associate agreement
as set forth under the HIPAA privacy rule. Business associate contracts
are only required in those cases in which a covered entity discloses
PHI to a third party that will use such PHI on behalf of the covered
entity, or when a third party provides Specified Services involving
the disclosure of PHI by the covered entity to such third party.
The Security Regulations require chain of trust agreements when
PHI is processed electronically through any third party or series
of third parties. Chain of trust agreements are contracts that obligate
each party that receives or transmits PHI via an electronic medium
to maintain the integrity and confidentiality of the PHI being transmitted.
Chain of trust agreements "follow" PHI from the time it
is originally transmitted until the time such information is received
by the ultimate end-user.
The Security Regulations offer the following example: a physician's
office may contract with a clearinghouse to transmit claims to the
clearinghouse; the clearinghouse, in turn, may contract with another
clearinghouse or with a payer for the further transmittal of those
claims. Chain of trust agreements are mandated under the Security
Regulations in order to ensure that the same level of security is
maintained at each "link" or "portal" through
which PHI is transmitted.
Keep in mind that this discussion, as it relates to chain of trust
agreements, is based on the proposed Security Regulations, which
may well be modified in their final version, expected to be
issued "soon."
Steve Fox, Esq., is a partner at the Washington, DC office of Pepper
Hamilton LLP. This article was co-authored by Rachel H. Wilson,
Esq., of Pepper Hamilton LLP. www.pepperlaw.com/
Disclaimer: This information is general in nature and should not
be relied upon as legal advice.