HIPAA - Business Associate Contracts and Other Arrangements 164.308(b)(1)

Overview:
(1) A covered entity, in accordance with § 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) that the business associate will appropriately safeguard the information.
(2) This standard does not apply with respect to the following:
(i) The transmission by a covered entity of electronic protected health information to a health care provider concerning the treatment of an individual.
(ii) The transmission of electronic protected health information by a group health plan or an HMO or health insurance issuer on behalf of a group health plan to a plan sponsor, to the extent that the requirements of § 164.314(b) and § 164.504(f) apply and are met; or
(iii) The transmission of electronic protected health information from or to other agencies providing the services at § 164.502(e)(1)(ii)(C), when the covered entity is a health plan that is a government program providing public benefits, if the requirements of § 164.502(e)(1)(ii)(C) are met.
(3) A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of this paragraph and § 164.314(a).


Action Items:
1) Obtain and review documentation identifying all business associates. Obtain and review the business associate agreements and/or contracts. Using sampling methodology, evaluate and determine whether business associate agreements/contracts exist and that security requirements are in place to address the confidentiality, integrity, and availability of EPHI.


Related Documents:
1) Documentation of all business associates.
2) Written agreements or other arrangements (i.e., a Memorandum of Understanding if the covered entity and business associate are government agencies).


Additional Guidance:
Covered entities must enter into a contract or other arrangement with persons that meet the definition of business associate in § 160.103. This standard is comparable to the Business Associate Contract standard in the Privacy Rule, but is specific to business associates that create, receive, maintain or transmit EPHI. To comply with this standard, covered entities must obtain satisfactory assurances from the business associate that it will appropriately safeguard EPHI.


This standard also addresses a few situations in which a business associate contract is not needed.


As stated at § 164.308(b)(2), the Business Associate Contracts and Other Arrangements standard does not apply with respect to:
“(i) The transmission by a covered entity of EPHI to a health care provider concerning the treatment of an individual.
(ii) The transmission of EPHI by a group health plan or an HMO or health insurance issuer on behalf of a group health plan to a plan sponsor, to the extent that the requirements of § 164.314(b) and § 164.504(f) apply and are met; or
(iii) The transmission of EPHI from or to other agencies providing the services at § 164.502(e)(1)(ii)(C), when the covered entity is a health plan that is a government program providing public benefits, if the requirements of § 164.502(e)(1)(ii)(C) are met.”


In addition, § 164.308(b)(3) states, “A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of this paragraph and § 164.314(a).”