164.314(a)(1) Organizational Requirements

Business Associate Contracts or Other Arrangements

Risk Level: High | Difficulty: Moderate | Est. Cost: Medium

A covered entity may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.

Implementation Guidance

Develop and implement business associate agreement procedures including contract requirements, risk assessments, and monitoring procedures.

Required Documentation

Business associate agreement templates, risk assessment procedures, monitoring procedures, contract management procedures.

Best Practices

Comprehensive business associate agreements, regular risk assessments, effective monitoring procedures, contract management.

Common Violations

Lack of business associate agreements, inadequate risk assessments, insufficient monitoring of business associates.

Testing Procedures

Review business associate agreements, test risk assessment procedures, verify monitoring procedures, review contract management.

Quick Facts

Control ID: 164.314(a)(1)
Category: Organizational Requirements
Risk Level: High
Difficulty: Moderate
Est. Cost: Medium
Timeframe: 2-4 months
Last Updated: Mar 6, 2026
