Business Associate Contracts or Other Arrangements

Control 164.314(a)(1) | Organizational Requirements | Risk Level: High | Implementation Difficulty: Moderate

A covered entity may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.

Implementation Guidance

Develop and implement business associate agreement procedures including contract requirements, risk assessments, and monitoring procedures.

NIST References

NIST SP 800-66 Rev. 2: Section 3.4.1

Best Practices

Comprehensive business associate agreements, regular risk assessments, effective monitoring procedures, contract management.

Testing Procedures

Review business associate agreements, test risk assessment procedures, verify monitoring procedures, review contract management.

Frequently Asked Questions

Q: What is a business associate?
A: A business associate is a person or entity that performs functions or activities on behalf of a covered entity involving ePHI.

Control Information

Control ID: 164.314(a)(1)
Category: Organizational Requirements
Subcategory: Business Associate Agreements
Risk Level: High
Implementation Difficulty: Moderate
Estimated Cost: Medium
Implementation Timeframe: 2-4 months
Last Updated: Oct 1, 2025

Additional Resources

NIST SP 800-66 Rev. 2: Business Associate Guidance, HHS Business Associate Guidance, Business Associate Agreement Templates