§164.308(b)(3): Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).

Audit Inquiry

Does the entity have policies and procedures in place to obtain satisfactory assurances from its business associates (or business associate subcontractors if entity is a business associate) and to review the satisfactory assurances to ensure the applicable requirements at § 164.314(a) is included in the written contract or other arrangement?

Obtain and review documentation of all business associates. Obtain and review the written agreements or other arrangements (i.e., a Memorandum of Understanding if the covered entity and business associate are government agencies). Using sampling methodology, evaluate and determine whether a written contract or other arrangement exist and that security requirements are in place to address the confidentiality, integrity, and availability of ePHI. (NOTE: Business associate contracts should have been updated in 2013)

[This inquiry is for BAs only]
Based upon the selection methodologies from the above paragraph, evaluate and determine whether the written contract or other arrangement identifies if there are any subcontractors. If so, review the written contract or other arrangement to examine if (i) Omnibus provisions are required and (ii) all subcontractors who create, receive, maintain, or transmit electronic protected health information on a business associate’s behalf maintain business associate agreements equal or greater than the business associate agreement with the original covered entity.
[This inquiry is for BAs only]