The Business Associate Contracts and Other Arrangements standard has a single implementation specification, Written Contract or Other Arrangement, which is required.
A covered entity may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entity's behalf only if the covered entity has satisfactory assurance that the business associate will appropriately safeguard the data. This specification is very similar to the Privacy Rule requirements and any contract written between a covered entity and a business associate should take both the Privacy Rule and Security Rule requirements into consideration.
| Standards | Sections | Implementation Specifications | (R)=Required, (A)=Addressable |
|---|---|---|---|
| Security Management Process | 164.308(a)(1) | Risk Analysis | (R) |
| | | Risk Management | (R) |
| | | Sanction Policy | (R) |
| | | Information Systems Activity Review | (R) |
| Assigned Security Responsibility | 164.308(a)(2) | | (R) |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision | (A) |
| | | Workforce Clearance Procedure | (A) |
| | | Termination Procedures | (A) |
| Information Access Management | 164.308(a)(4) | Isolating Health Care Clearinghouse Function | (R) |
| | | Access Authorization | (A) |
| | | Access Establishment and Modification | (A) |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders | (A) |
| | | Protection from Malicious Software | (A) |
| | | Log-in Monitoring | (A) |
| | | Password Management | (A) |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting | (R) |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan | (R) |
| | | Disaster Recovery Plan | (R) |
| | | Emergency Mode Operation Plan | (R) |
| | | Testing and Revision Procedure | (A) |
| | | Applications and Data Criticality Analysis | (A) |
| Evaluation | 164.308(a)(8) | | (R) |
| Business Associate Contracts and Other Arrangements | 164.308(b)(1) | Written Contract or Other Arrangement | (R) |