The standards at 45 CFR § 164.314, Organizational Requirements, and § 164.316, Policies and Procedures and Documentation Requirements, immediately follow the Technical Safeguards standards. They are not included in Appendix A the “Security Standards: Matrix” that is found at the end of the Security Rule, but must not be overlooked by covered entities. These requirements must be implemented to achieve compliance.
Business Associate Contracts or other Arrangements 45 CFR § 164.314(a)(1). The Business Associate Contracts and Other Arrangements standard found at § 164.308(b)(1) requires a covered entity to have contracts or other arrangements with business associates that will have access to the covered entity’s electronic protected health information (ePHI). This standard, at § 164.314(a)(1), provides the specific criteria required for written contracts or other arrangements between a covered entity and its business associates. The actual language used to address the requirements can be tailored to the needs of each organization, as long as the requirements are addressed.
Business Associate Contracts 45 CFR § 164.314(a)(2)(i) The content of your Business Associate Agreement (BAA) will determine if you have adequately covered all the required elements. This includes specifying the BA have Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and available of ePHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity (CE). They must also ensure that all Subcontractors or agents have the same protections in place. The BA must be advised how and when to notify the CE in the event of a data breach. They must also specify in the contract the authorization of termination in the event the BA has violated a material term in the contract.
Other Arrangements 45 CFR § 164.314(a)(2)(ii) This only applies when both the Covered Entity and the Business Associate are Government Entities. The covered entity may comply with this standard in either of two alternative ways.
Requirements for Group Health Plans 45 CFR § 164.314(b)(1) This standard requires a group health plan ensures that its plan documents require the plan sponsor to reasonably and appropriately safeguard ePHI that it creates, receives, maintains, or transmits on behalf of the group health plan.
Implementation Specifications for Group Health Plans 45 CFR § 164.314(b)(2) The Security Rule generally requires that if the plan sponsor of a group health plan has access to ePHI beyond summary information and enrollment information or to ePHI other than that which has been authorized under § 164.508, the plan documents must contain language similar to that already required by the Privacy Rule.
Let Aris work with you for an easy online path to HIPAA compliance