§ 164.314(a)(1): The contract or other arrangement between the covered entity and its business associate required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i) or (a)(2)(ii) of this section, as applicable.
Does the entity have policies and procedures in place regarding its contractual arrangements with contractors or other entities to which it discloses ePHI for use on its behalf?
Elements to review may include but are not limited to:
• Does the entity use a standard business associate contract with contractors or other entities to which it discloses ePHI
• What is the approval process for deviations of standard business associate contracts
Obtain and review the entity’s standard business associate contract template(s). Evaluate and determine that the entity’s standard business associate contract template(s) meet the requirements of 45 CFR § 164.314(a)(2)(i), § 164.314(a)(2)(ii), or § 164.314(a)(2)(iii), as applicable.
Obtain and review documentation demonstrating the entity’s approval process when deviations affecting the implementation of safeguards to protect ePHI are considered. Evaluate and determine if the entity’s policies for approving deviations affecting safeguards to protect ePHI are appropriate.