11.11 STANDARD: BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENTS



The Business Associate Contracts and Other Arrangements Standard has a single implementation specification, that of a Written Contract or Other Arrangement, which is required.

A covered entity may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entity's behalf only if the covered entity has satisfactory assurance that the business associate will appropriately safeguard the data. This specification is very similar to the Privacy Rule requirements, and any contract written between a covered entity and a business associate should take both the Privacy Rule and Security Rule requirements into consideration.

Table 15: Administrative and Documentation Safeguards

| Standards | Sections | Implementation Specifications | (R)=Required, (A)=Addressable |
|---|---|---|---|
| Security Management Process | 164.308(a)(1) | Risk Analysis | (R) |
| | | Risk Management | (R) |
| | | Sanction Policy | (R) |
| | | Information Systems Activity Review | (R) |
| Assigned Security Responsibility | 164.308(a)(2) | | (R) |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision | (A) |
| | | Workforce Clearance Procedure | (A) |
| | | Termination Procedures | (A) |
| Information Access Management | 164.308(a)(4) | Isolating Health care Clearinghouse Function | (R) |
| | | Access Authorization | (A) |
| | | Access Establishment and Modification | (A) |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders | (A) |
| | | Protection from Malicious Software | (A) |
| | | Log-in Monitoring | (A) |
| | | Password Management | (A) |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting | (R) |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan | (R) |
| | | Disaster Recovery Plan | (R) |
| | | Emergency Mode Operation Plan | (R) |
| | | Testing and Revision Procedure | (A) |
| | | Applications and Data Criticality Analysis | (A) |
| Evaluation | 164.308(a)(8) | | (R) |
| Business Associate Contracts And Other Arrangement | 164.308(b)(1) | Written Contract or Other Arrangement | (R) |




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181
