This article will explore section §164.308(b) of HIPAA, which deals with the business associate contracts and their protection of electronic protected health information (ePHI).

Business Associate Contract and Other Arrangements

“A covered entity, in accordance with § 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a) that the business associate will appropriately safeguard the information.” [§164.308(b)(1)]

HIPAA Business Associate Contract being signedWhile section §164.314(a) covers the organizational requirements in more depth, this requirement covers the security requirements that apply to dealing with business associates. This portion of the security rule requires a covered entity to have a contract or other formal arrangement with any individual or organization that qualifies as a business associate. A full definition of what constitutes a business associate can be found in section §160.103 of the HIPAA law.  In simple terms, a business associate is any entity that is not employed directly by the covered entity but engages in activities on behalf of the covered entity that are subject to HIPAA requirements.

This particular requirement is only applicable for business associates who handle ePHI as part of their relationship with the covered entity. The covered entity must ensure that the business associate will safeguard ePHI in accordance with all requirements of the HIPAA law.

Implementation Specification

The business associate contract rule has one implementation specification:

“Document the satisfactory assurances required by paragraph (b)(1) of this section through a written  contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a).” [§164.308(b)(4)]

This specification is fairly straightforward – it simply requires that the business associate contract containing the security assurances required by HIPAA is formally documented.

An auditor will verify this by inquiring whether there is a process to ensure that business associate contracts sufficiently address the security of ePHI. The auditor will review the documentation of the process of establishing business associate contracts, and will also determine that these documents are sufficiently reviewed. The auditor will also review whether the business associate contract process differentiates between private sector and public sector business associates in compliance with section §164.314.

This implementation specification is required.

Changes in the 2013 HIPAA Update

Several major changes were implemented to the business associate contract requirement in the 2013 HIPAA Omnibus Rule.  First, in the previous version of HIPAA, this requirement presented several exceptions to the business associate contract requirement. These exceptions have been removed, and instead the definition of “business associate” has been updated to remove those exceptions from qualifying as business associates.

Second, the language of the rule has been modified to clarify that a covered entity does not need to enter into business associate relationships with subcontractors of a business associate. It is the responsibility of the business associate to secure the proper agreement with the subcontractor. This is not a change in the law, but a clarification of an existing rule.

Finally, the update removes the provision that a covered entity would be in violation of the rule if the assurances provided in in a business associate contract with another covered entity were not upheld. This is due to a change in the law that now holds the covered entity (which is also a business associate) directly responsible for compliance with the security rule.

For example, say Company A and Company B are both considered covered entities, and Company B acts as business associate with Company A. Under the old law, if Company B did not uphold the assurances it gave Company A in the business associate contract, it would be considered in violation of this rule. Under the new law, this is no longer the case, as Company B will be directly responsible for compliance with the HIPAA security rule outside of the context of the business associate contract.


The 2013 HIPAA Omnibus Rule simplifies the business associate contract requirement by removing the exceptions and making many business associates directly responsible for compliance with the security rule. Covered entities are still responsible for formalizing contracts with business associates who are not covered entities, though. These contracts must sufficiently protect the confidentiality, integrity and availability of ePHI that is shared with the business associate.