What is a Trading Partner Agreement?
What is a Trading Partner Agreement?
According to the GAO, "a TPA governs the interaction between two computer systems, including data security requirements and the procedures for transmitting and receiving electronic information, such as health care claims, between the systems." Trading partner agreements ("TPAs") or interconnection security agreements ("ISAs") are supplemental agreements that interfaces with another agreement; they help establish the legal parameters for parties enrolling to participate in a transaction. While different transactional arrangements may not have TPAs, such agreements are often key in establishing the "do’s and don’ts" of the relationship. In particular, such agreements often delineate responsibilities for both parties, state ownership of information, liability limitations, cautions on system modification, and the impact of third parties on the arrangement, among other things. Recommended in the GAO report for such agreements are identifiers, such as company names, parent companies, parties addresses, and contact information .
Organizations enter into these agreements with insurers and TPAs, as well as vendors, third party administrators, financial institutions, banks, financial institutions, financial clearinghouses, and other entities. For example, some insurance organizations in Oregon, Washington, and Idaho provide regulated information to an outside data source, which is then shared among the other insurers that are the organization’s partners. These TPAs clarify the rules of the road for transmitting the regulated information as well as identify liability of various parties. A failure to enter into such an agreement can lead to disruptions in regulatory compliance, including sanctions from regulators, in addition to breach of contract and negligence claims. It is key that organizations carefully draft provisions to the TPA based on an understanding of changing regulations, business needs and performance standards, as well as changes in market behavior. Such an agreement should clearly delineate minimum standards for security and privacy and the ramifications for violation.
Essential Elements of a Trading Partner Agreement
When it comes to signing a trading partner agreement (TPA) with a health plan, we sometimes find ourselves counseling clients to consider slowing down to draft the best agreement they can, rather than rushing into a deal. Getting the TPA off the desk, signing it, and moving ahead with the joint venture may let the two companies get to work together – but it may also lead to complaints and problems arising along the way about the working relationship. Expending effort up front to make sure the TPA is as thorough as it can be, in its definitions, the details of the data exchange and treatment of sensitive data, and with procedural and enforcement provisions, could save time and effort down the road.
A TPA should include, at a minimum, the following details about each party and their roles and responsibilities (expectations should be mutual): Specific and detailed provisions should be included to define, where appropriate: In addition to these key points, a TPA should specify details of the data exchange, such as what type of data, the medium of exchange, delivery security protocols, and timing of delivery. The TPA should address the use of encryption, Secure File Transfer Protocols (SFTP), Notification of Breach, and how the data will be used on both sides. The parties should consider including a confidentiality provision as well, and mature companies will want to include specific data use and disclosure provisions, including HIPAA compliance, specifically obligations to provide Notice of a Breach by either party, and what the parties will do with and what they will not do with the data. Last, the TPA should include provisions on the following: Of course, the specific details will depend on the types of data and the particular relationship between the companies – the idea is to make sure that the terms are clear, that there are no exclusions that will come back to hurt either party down the line, and that there is a plan for handling ongoing changes and problem resolution.
Advantages of a Trading Partner Agreement
A trading partner agreement benefits consumers, businesses, and healthcare providers by fulfilling many purposes. However, the agreement primarily serves to formally document the existing relationship between two or more parties. This documentation is especially important in outsourcing agreements; the areas addressed in the contract should be as detailed as necessary to ensure no issues are present.
Because a trading partner agreement is legally binding once signed into force, there is peace of mind that all parties have responsibilities and rights spelled out clearly. Without a clear agreement, businesses may find themselves in disputes with other companies about who is responsible for specific business operations. This, in turn, can lead to poor business relationships and other issues that are problematic for a company.
Furthermore, companies can ensure that everyone involved in the relationship understands the specific details of how the agreement works, ensuring more successful transactions in the future. For example, in the healthcare industry, facilities should sign trading partner agreements with their payment providers to outline precisely how key operations, including billing practices, will work. A poorly written agreement may lead to misunderstandings between the two parties. However, with a detailed agreement, there can be a clear expectation of proper operational practices on both ends.
Common Issues and Solutions
The most typical challenges that parties confront when trying to draft and execute Trading Partner Agreements include:
- Failure to accurately define the purpose of the Trading Partner Agreement and the respective roles of each of the parties – as noted above, accurate definitions of these elements are crucially important to the enforceability of the Trading Partner Agreement; both the sender and the receiver of the data must be clearly identified, along with their respective responsibilities, obligations and limitations;
- Disagreements about the scope of the permitted use of the data exchanged – Trading Partner Agreements routinely include language permitting the exchange of data for specific purposes between specifically defined parties, but without appropriate restrictions, the parameters of this permission will inevitably be overstepped and disagreements will result concerning the degree to which the data may be used for non-permitted purposes or by non-permitted parties;
- Disputes concerning the adequacy of any required protections either from unauthorized re-disclosure or from online hacking – the latest generation of criminals now include expert computer hackers who can penetrate any HIPAA-compliant firewall, so that all health care constituent parties need to include language in Trading Partner Agreements which anticipate this possibility and provides for appropriate levels of protection, including data encryption, secure email, and/or protected disk encrypted storage, where indicated;
- Disagreements concerning the reasonableness of the fees fixed in the Trading Partner Agreement, especially in cases where there are base-line fees for access to a database, in addition to fixed charges per request for data, defined by type of data requested, size of the request, or purpose for which the data is requested – in such instances, dispute resolution, enforcement, and notice provisions will need to be carefully thought-through and spelled-out in detail in the Agreement;
- Disputes arising at the time of implementation, where the language of the Trading Partner Agreement is less than clear or is ambiguous and subject to differing interpretations – this is most likely to occur where a Trading Partner Agreement has not been negotiated, but has been drafted by one of the parties unilaterally in form-template fashion and presented for the other party’s acceptance, in the form of a "take-it-or-leave-it" approach, or without giving the other party an opportunity to discuss its concerns or suggested revisions before signing.
Legal Requirements when Drafting
Beyond the commercial terms of the agreement, the document must also address critical legal issues, including compliance with laws, dispute resolution, governing law, and a general arbitration clause. Failure to carefully draft the agreement may leave gaps for future litigation and the inability to resolve disputes versus litigation.
Compliance with the law. If any trading party is a provider of federally mandated services (e.g., Medicare or Medicaid), then two significant requirements need to be considered. The first relates to Section 1128B of the Social Security Act (the "Anti-Kickback Statute"). As such, the trading partner agreement must require the parties to comply with the Anti-Kickback Statute and related regulations. Failure to comply can lead to civil penalties of up to $50,000 and exclusion from federally-funded services.
The second issue relates to Section 6032 of the Federal Deficit Reduction Act of 2005 (the "FDR") which requires that all persons in receipt of federal health care funds adopt written policies and procedures for detecting and preventing fraud and abuse . As it relates to giving and receiving kickbacks or other remuneration, the FDR permits private right of action. The FDR also prohibits gag clauses. In addition, some state laws also require that parties take affirmative steps to prevent fraud and abuse.
Dispute Resolution. Again, failure to create a mechanism to mediate and ultimately arbitrate disputes can lead to years of potential litigation and significant costs. A well drafted trading partner agreement should include contractual provisions that cover alternative dispute resolution at binding arbitration.
Governing Law. While the governing law of the trading partner agreement should be consistent with the incorporation state of each entity, the governing law of any relevant securities for issuances should also be a draft consideration.
Jurisdiction. To that end, the trading partner agreement should consider what state and federal laws might apply.
How to Develop Best Practices for Your Contracts
Effective trading partner agreements are those that clearly and accurately communicate how the parties intend to exchange information with one another. As such, these agreements should not be one-size-fits all agreements that are used for all business partners, but rather should be carefully thought out and tailored to the particular relationship for which they are created. The following are some recommended practices for negotiating and drafting a robust trading partner agreement:
- Know your partner – It is critical to know how your partner intends to transmit information to you (and vice versa) prior to finalizing a trading partner agreement. (The sales representative for a trading partner can usually provide this information.) Once you gather this information, review the details with those who will be physically implementing the transmissions to ensure that the exchange can be easily implemented (e.g., adequate IT resources exist, any anticipated obstacles can be overcome).
- Negotiate and document the terms – Once you receive and review the required information from your partner, discuss and negotiate the terms of the agreement, including how long trading partner information can be maintained (and whether it needs to be destroyed) following termination of an agreement. Also confirm how changes to the agreement will be executed.
- Input from other departments – Once the agreement is drafted, ask co-workers in Information Security, IT, Operations, etc. to read over the proposed agreement and provide input. Those who are involved in making operational changes, policy changes, and actually executing the transactions should have a hand in the negotiation and drafting process to uncover any potential issues before they arise.
- Use appropriate counsel – An experienced attorney can draft a trading partner agreement that achieves the business objectives for the transactions and does not create problems when it is implemented.
Examples and Case Studies
Successful trading partner agreements (TPA) and the partnerships they govern can take many forms. However, there is one common theme they all possess: They create the framework within which businesses can operate efficiently and cost effectively, without unnecessary friction and intrusiveness.
For example, a successful TPA in healthcare between a hospital and its insurers should include provisions regarding accurate patient information exchange. Too often, errors plague third-party payer reimbursement processes, causing payment delays, loss of revenue for providers, and frustration from redundant billing efforts. The most successful TPA ensures the real-time exchange of accurate and up-to-date insurance coverage and eligibility statuses, thereby reducing payment cycles, and providing much-needed financial stability for healthcare providers as they continue to accumulate unpaid claims through the claims submission process.
Unfortunately, contracts with insufficient or no provisions, or with poorly drafted provisions, could result in an erratic revenue cycle for healthcare providers, forcing them to write off additional time and resources every time redundant billing or other problems occur. Cost recovery, if any, may take months.
Failing healthcare TPA: The Chicago-area healthcare system "X" had multiple acute-care hospitals in northern Illinois, along with long-term acute-care facilities, skilled nursing facilities and physician practices. Working with a large Business Associate (BA) vendor, the system initially constructed a TPA with a BA whose role was to aggregate and de-identify data for the purposes of better understanding population health management. The BA used its own software to aggregate and analyze data from the system’s acute care hospitals . The TPA provided for the BA to provide reporting every 2 weeks to help the hospitals to understand their patient demographics and assist them with quality improvement efforts.
However, the issue with X’s TPA was not with the BA—it was with the system not understanding that the BA was not collecting data on behalf of the hospitals. While the BA thought it was collecting data for the hospitals, the hospitals were seeing that their data was being aggregated and then de-identified to remove identifiers, which was not useful. In some cases, the patients who had consented to the study and provided data for the BA’s analysis were in geographic areas far from the hospitals. Thus, the data being aggregated by the BA did not provide meaningful strategic information for population health management for the hospitals.
When the system wholesale contracted with a larger company, it further compounded the issue, and led to the BA serving as a mere pass-through entity dealing with random data. Without the system’s understanding of its role in the data collection process, the BA was essentially doing little more than acting as a middle man.
If X had understood what its role and risk would be in working with the BA vendor, in advance of executing the TPA, the system could have protected itself as a covered entity. Unfortunately for X, it ended up with only a business associate agreement with the BA vendor—which does not require HIPAA protections for the system and did not protect the system when a HIPAA breach occurred.
The practice of healthcare systems acting as a mere pass-through entity for purposes of data aggregation with little understanding of how the data is being collected continues to cause issues. It has resulted in a lack of basic understanding of the collection, use and sharing of data more generally, leading to bad contracts, and misalignment with both business and legal needs.