§164.308(b)(1): A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
§164.308(b)(2): A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.
Audit Inquiry
Does the entity have policies and procedures in place to obtain satisfactory assurances from its business associates (or business associate subcontractors if the entity is a business associate) and to review the satisfactory assurances to ensure the applicable requirements at § 164.314(a) are included in the business associate contract or other arrangement?
Obtain and review documentation identifying all business associates. Obtain and review the business associate agreements and/or contracts. Using sampling methodology, evaluate and determine whether business associate agreements/contracts exist and that security requirements are in place to address the confidentiality, integrity, and availability of ePHI.
[This inquiry is for BAs only]
Based upon the selection methodology from the above paragraph, determine whether the business associate contract identifies any subcontractors the business associate uses. If so, review the business associate agreement to examine whether (i) the Omnibus Rule provisions are required and (ii) all subcontractors who create, receive, maintain, or transmit electronic protected health information on the business associate's behalf maintain business associate agreements equal to or greater than the business associate agreement with the original covered entity.
Required/Addressable: Required