Business Associate Contracts
The final task under the Administrative Rule is Business Associate Contracts and Other Arrangements. This section states that a covered entity (your agency) may permit a business associate to create, receive, maintain or transmit EPHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.
There is one required task under this section. Agencies must document the satisfactory assurances required through a written contract or other arrangement with the business associate.
This means contracts and this means attorneys. This is not the same contract as required by the Privacy Rule, although it could probably be fitted into an existing contract. The object of this contract is to ensure the business associate agrees to safeguard the security of EPHI data. If there is no contract and the business associate breaches the Security Rule, your agency could be liable.