§164.314 Organizational requirements
(a)(1) Standard: Business associate contracts or other arrangements.
(i) The contract or other arrangement between the covered entity and its
business associate required by Sec. 164.308(b) must meet the
requirements of paragraph (a)(2)(i) or (a)(2)(ii) of this section, as
applicable.
(ii) A covered entity is not in compliance with the standards in
Sec. 164.502(e) and paragraph (a) of this section if the covered entity
knew of a pattern of an activity or practice of the business associate
that constituted a material breach or violation of the business
associate’s obligation under the contract or other arrangement, unless
the covered entity took reasonable steps to cure the breach or end the
violation, as applicable, and, if such steps were unsuccessful–
(A) Terminated the contract or arrangement, if feasible; or
(B) If termination is not feasible, reported the problem to the
Secretary.
(2) Implementation specifications (Required).
(i) Business associate contracts. The contract between a covered
entity and a business associate must provide that the business associate
will–
(A) Implement administrative, physical, and technical safeguards
that reasonably and appropriately protect the confidentiality,
integrity, and availability of the electronic protected health
information that it creates, receives, maintains, or transmits on behalf
of the covered entity as required by this subpart;
(B) Ensure that any agent, including a subcontractor, to whom it
provides such information agrees to implement reasonable and appropriate
safeguards to protect it;
(C) Report to the covered entity any security incident of which it
becomes aware;
(D) Authorize termination of the contract by the covered entity, if
the covered entity determines that the business associate has violated a
material term of the contract.
(ii) Other arrangements. (A) When a covered entity and its business
associate are both governmental entities, the covered entity is in
compliance with paragraph (a)(1) of this section, if–
(1) It enters into a memorandum of understanding with the business
associate that contains terms that accomplish the objectives of
paragraph (a)(2)(i) of this section; or
(2) Other law (including regulations adopted by the covered entity
or its business associate) contains requirements applicable to the
business associate that accomplish the objectives of paragraph (a)(2)(i)
of this section.
(B) If a business associate is required by law to perform a function
or activity on behalf of a covered entity or to provide a service
described in the definition of business associate as specified in Sec.
160.103 of this subchapter to a covered entity, the covered entity may
permit the business associate to create, receive, maintain, or transmit
electronic protected health information on its behalf to the extent
necessary to comply with the legal mandate without meeting the
requirements of paragraph (a)(2)(i) of this section, provided that the
covered entity attempts in good faith to obtain satisfactory assurances
as required by paragraph (a)(2)(ii)(A) of this section, and documents
the attempt and the reasons that these assurances cannot be obtained.
(C) The covered entity may omit from its other arrangements
authorization of the termination of the contract by the covered entity,
as required by paragraph (a)(2)(i)(D) of this section if such
authorization is inconsistent with the statutory obligations of the
covered entity or its business associate.
(b)(1) Standard: Requirements for group health plans. Except when
the only electronic protected health information disclosed to a plan
sponsor is disclosed pursuant to Sec. 164.504(f)(1)(ii) or (iii), or as
authorized under Sec. 164.508, a group health plan must ensure that its
plan documents provide that the plan sponsor will reasonably and
appropriately safeguard electronic protected health information created,
received, maintained, or transmitted to or by the plan sponsor on behalf
of the group health plan.
(2) Implementation specifications (Required). The plan documents of
the group health plan must be amended to incorporate provisions to
require the plan sponsor to–
(i) Implement administrative, physical, and technical safeguards
that reasonably and appropriately protect the confidentiality,
integrity, and availability of the electronic protected health
information that it creates, receives, maintains, or transmits on behalf
of the group health plan;
(ii) Ensure that the adequate separation required by Sec.
164.504(f)(2)(iii) is supported by reasonable and appropriate security
measures;
(iii) Ensure that any agent, including a subcontractor, to whom it
provides this information agrees to implement reasonable and appropriate
security measures to protect the information; and
(iv) Report to the group health plan any security incident of which
it becomes aware.