(3) Implementation specifications:  Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).

Tell Me More:

The Written Contract or Other Arrangement Implementation Specification is Required.  Both the Privacy Rule and Security Rule require covered entities to enter into Business Associate Agreements or Contracts with certain outside parties that have access to the covered entity’s ePHI. Note: The Security Rule does not extend the length of time (as did the Privacy Rule) allowed for Business Associate Agreements to be completed past the official compliance date.

The Security Rule does contain an additional requirement for the agreement to require the Business Associate to notify the covered entity if the Business Associate becomes aware of a “security incident.” Also, the Security Rule makes it clear that Business Associates must implement “administrative, physical and technical safeguards” to protect electronic confidential information, and must require subcontractors to implement “reasonable and appropriate” safeguards to protect electronic confidential information.

Although the HITECH Act will require business associates to comply directly with the HIPAA security rule, covered entities are still required to have business associate contracts with their business associates.

Questions to consider:

    • Has an inventory of all electronic data exchanges with third parties, vendors or business partners taken place?  That is, has the organization identified and documented all Business Associates?
    • Does the organization have Business Associate agreements in place with all identifed Business Associates?
    • Have Business Associate agreements been updated to reflect the changes from The HITECH Act that statutorily obligates all Business Associates to be fully compliant with the HIPAA Security (and Privacy) Laws?

Do the business associate agreements written and executed contain sufficient language to ensure that required information types will be protected?

  • Have all Business Associates that have access to ePHI and other PHI been identified? This should have been completed as part of Privacy Rule implementation.
  • Has justification for such access been documented? This also should have been completed as part of Privacy Rule implementation.
  • Is there a signed Business Associate agreement with each Business Associate that has access to ePHI? This also should have been completed as part of Privacy Rule implementation; however, language specifically pertaining to the requirements of the Security Rule may need to be added.
  • Does the agreement require the Business Associate to implement and maintain administrative, physical and technical safeguards? Does the agreement require the Business Associate to ensure subcontractors implement reasonable and appropriate safeguards to protect the Covered Entity’s ePHI? While this was required by the Privacy Rule, the organization may want to better define what is required given the specification of the Security Rule.
  • Does the agreement define “security incidents” and does it specify security incident reporting procedures? This should mirror the organization’s definition (see Standard: Security Incident Procedures).
  • Are there any new organizations or vendors that now provide a service or function on behalf of the organization?


A complete set of HIPAA Security Policies and Procedures may be purchased here.



Series Navigation<< 164.308(a)(5)(ii)(D) Standard: Security awareness and training – Password management164.308(a)(7)(ii)(E) Standard: Contingency plan – Applications and data criticality analysis >>