Business Associate Contracts 45 CFR 164.308(b)
Before any business associate may create, receive, maintain, or transmit ePHI on your behalf, the Security Rule requires a written contract or other arrangement that obtains satisfactory assurances of compliance.
What the regulation requires
This standard is the Security Rule's organizational requirement for business associate relationships. The contract itself (the Business Associate Agreement, or BAA) must meet the content requirements at 164.314(a). Direct downstream subcontractors of business associates must be covered by their own BAA under HITECH.
Implementation specifications
Written Contract or Other Arrangement
Document the satisfactory assurances required by 164.308(b)(1) through a written contract or other arrangement that meets the applicable requirements of 164.314(a). (164.308(b)(3))
How Petronella implements this safeguard
Every Petronella HIPAA engagement maps 45 CFR 164.308(b)(1) to documented evidence in your environment. This is what that looks like in practice for the business associate contracts standard:
- BAA inventory: every vendor that touches ePHI catalogued, with executed BAA on file, version-controlled.
- BAA template aligned to HHS sample provisions and updated for HITECH and the 2013 Omnibus Final Rule.
- Annual BAA review for material changes (mergers, sub-vendors, new data flows).
- Sub-vendor cascade tracking - if your billing service uses a new clearinghouse, you find out before the data flow changes.
Built on top of ComplianceArmor for documentation, training records, and BAA inventory, with optional HIPAA managed IT services for the technical safeguard layer and vCISO services for the named Security Official role.
Where most practices fall short
OCR resolution agreements, HHS audit reports, and our own engagements show the same handful of gaps under 45 CFR 164.308(b)(1). We surface these before they become a finding.
- BAA inventory missing or incomplete - no one knows the full list of vendors touching ePHI.
- BAAs signed in 2010 never updated for HITECH - missing breach notification and subcontractor flowdown clauses.
- Cloud platform default tenant used (no BAA) when a HIPAA-eligible variant exists. Common with Microsoft 365, Google Workspace, and AI/LLM services.
- Sub-vendor BAAs not flowed down, leaving ePHI exposed beyond the entity's contract chain.
Related HIPAA safeguards
Business Associate Contracts interacts with several other Security Rule standards. Cover them together for a defensible program.
Need help with Business Associate Contracts?
Penny answers before the third ring, asks 3 qualifying questions, then books your free 15. Or jump straight to the platform that runs your HIPAA program.