HIPAA - Written Contract 164.308(b)(4)
Overview:
Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).
Action Items:
1) Obtain and review documentation identifying all business associates. Obtain and review the business associate agreements and/or contracts. Using a sampling methodology, evaluate and determine whether business associate agreements/contracts exist and whether security requirements are in place to address the confidentiality, integrity, and availability of EPHI.
Related Documents:
1) Documentation of all business associates.
2) Written agreements or other arrangements (i.e., a Memorandum of Understanding if the covered entity and business associate are government agencies).
Additional Guidance:
Sample questions covered entities may want to consider:
- Have all business associates been identified? Business associates may include clearinghouses, medical billing services, vendors of hardware and software, external consultants, lawyers, transcription contractors, or others who have access to EPHI.
- Have existing business associate contracts created and implemented for compliance with the Privacy Rule, which involve EPHI, been reviewed to determine if Security Rule requirements are addressed?
- To minimize additional work efforts, can existing business associate contracts, which involve EPHI, be modified to include Security Rule requirements?