Chain of Trust (COT)

Description: The chain of trust (COT) is described as a process of secure information management between associates. One entity develops, receives, or maintains a set of protected health information (PHI) that allows the entity to create a contract that provides services or performs functions with regards to the PHI between the first entity and the second. This establishes the two entities as business associates (Christiansen, 2013). As a part of the modifications to HIPAA privacy under the HITECH act, business associates are made directly liable for HIPAA privacy compliance. Chain of trust will also aid in the development of tools to further increase information security. Malware is becoming more and more dynamic. It can come from many different perspectives--from a highly developed phishing email to a simple social media scam. The COT process can help prevent cyber-crime by creating information management standards that reduce risk of data loss / loss of data integrity. After a COT is established, data can be flexibly transferred/managed within the secure process.

Applications: The COT is used to ensure patient data integrity and protect both a health organization's and an individual's health records. These measures help define who is responsible for information security. In the healthcare industry, COT can be used to safely transfer patient data to another health organization via digitally signed electronic records. This secure electronic data would be transferred through existing EHR systems that are conterminous with the meaningful use guidelines. The application of COT works in conjunction with the HIPAA security rule, which requires administrative, physical, and technical safeguards for optimum PHI management (Wimalasiri, 2005). COT is in effect when a business associates security levels matches or exceeds that of the original business associate while managing PHI. The interaction between healthcare organizations must be regulated by a contractual agreement--a chain of trust agreement (COTA)--in order to enforce the data security and integrity standards established through the COT.

Web Resources:
HITECH Revisions (2013): Department of Human & Health Services
Cybersecurity Groups Launch 'Chain of Trust' Initiative to Combat Malware
Business Associates under the HITECH Megarule: A Chain of Trust with Teeth

Related Terminology:
COTA (Chain of Trust Agreement)
PHI (Protected health information)
HITECH (Health Information Technology for Economic and Clinical Health Act)
HIPAA (Health Insurance Portability and Accountability Act of 1996)
TPA (Trading Partner Agreement)
NCSA (National Cyber Security Alliance)

Christiansen, J. (2013). Business associates under the HITECH megarule: a chain of trust with teeth.

Ray, P., & Wimalasiri, J. (2006). The need for technical solutions for maintaining the privacy of EHR, Engineering in Medicine and Biology Society, 4686-4689, doi: 10.1109/IEMBS.2006.260862

Wimalasiri, J.S.; Ray, P.; Wilson, C.S. (2005). Security of electronic health records based on Web services, Enterprise networking and Computing in Healthcare Industry, 91-95, 23-25, doi: 10.1109/HEALTH.2005.1500401

Cybersecurity groups launch 'chain of trust' initiative to combat malware (2009). NewsRX LLC.