Both rules require CEs to establish agreements with every other entity with which PHI is shared, in order to protect the data they exchange. The aim is to ensure that PHI is safeguarded at all times, even when it is no longer under the CE's direct control. CEs are also expected to periodically verify that the other entities are complying with the agreements. The Privacy Rule defines this arrangement as a Business Associate Contract, and the Security Rule defines it as a Chain of Trust Partner Agreement.