In addition to the three safeguards, there are two further requirements. One addresses business associate contracts and other arrangements; the other addresses policy and procedure documentation requirements.
A covered entity's responsibility does not end because it has a contract or other arrangement with a business associate to handle ePHI. Covered entities need to ensure that their business associates implement controls to maintain the confidentiality, integrity, and availability of ePHI. Business associate contracts must include provisions to secure ePHI and must authorize termination of the contract with the associate where possible. In some instances it will not be possible for a covered entity to terminate a contract or other arrangement, such as a Memorandum of Understanding between government agencies. Covered entities are required to notify the Secretary of Health and Human Services if a business associate does not meet the requirements of the Security Rule.
All policies and procedures implemented to safeguard ePHI must be documented, and any changes to those policies and procedures must also be documented. All documentation must be retained for six years and made available for review upon request.