Written Contract or Other Arrangement

To meet HIPAA’s “Written Contract or Other Arrangement” requirement, you must keep documented, satisfactory assurances from each business associate in a written contract or other arrangement that meets the Business Associate Agreement requirements in 45 CFR § 164.314(a). Operationally, this means no business associate access to ePHI until the executed agreement is in place and retrievable on demand. (45 CFR Parts 160, 162, 164)

Key takeaways:

  • You need written, retained documentation of business associate assurances; verbal or implied understandings are not enough. (45 CFR Parts 160, 162, 164)
  • The document must meet the applicable requirements for a Business Associate Agreement under § 164.314(a). (45 CFR Parts 160, 162, 164)
  • Build a gate: contracting must happen before ePHI access, and evidence must be easy to produce in an audit. (45 CFR Parts 160, 162, 164)

This requirement is deceptively simple: document your business associate assurances through a written contract or other arrangement that satisfies HIPAA’s Business Associate Agreement (BAA) requirements. The operational difficulty is not the clause drafting; it’s controlling the workflow so the organization never “accidentally” allows a third party to create, receive, maintain, or transmit ePHI before the paperwork is executed and filed.

For a Compliance Officer, CCO, or GRC lead, the fastest path to compliance is to treat this as an access-control and procurement control as much as a legal control. You want a repeatable method to (1) identify which third parties are business associates in your environment, (2) route them through the correct agreement template, (3) ensure signature completion before any data exchange, and (4) retain the executed agreement and related evidence so you can produce it quickly during an OCR inquiry, customer audit, or internal review.

The core deliverable is straightforward: a complete, signed, and retrievable written contract or other arrangement with each business associate, aligned to § 164.314(a). Your program deliverable is stronger: a system that makes it hard to violate this requirement by accident. (45 CFR Parts 160, 162, 164)

Regulatory text

Regulatory requirement (excerpt, 45 CFR § 164.308(b)(3)): “Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).” (45 CFR Parts 160, 162, 164)

Operator interpretation: You must (1) obtain “satisfactory assurances” from your business associate and (2) document those assurances in a written contract or other arrangement that meets the applicable BAA requirements in § 164.314(a). Paragraph (b)(1) addresses a covered entity’s business associates and paragraph (b)(2) a business associate’s subcontractors, which is why the requirement reaches both tiers. Put plainly: if the third party is a business associate and touches ePHI, you need a compliant written agreement in place and you must be able to prove it on demand. (45 CFR Parts 160, 162, 164)

Plain-English interpretation of the requirement

This is a documentation and contracting control. It requires that your organization:

  • Makes the relationship formal in writing (a contract or other arrangement), not informally via email threads or purchase orders alone, and
  • Uses language that satisfies HIPAA’s BAA requirements in the applicable section, and
  • Keeps the evidence that the assurances exist (executed agreement and related contracting records). (45 CFR Parts 160, 162, 164)

In practice, regulators and auditors test two things:

  1. Coverage: Did you correctly identify the third parties that are business associates?
  2. Execution and retention: Do you have a signed, compliant agreement and can you retrieve it quickly? (45 CFR Parts 160, 162, 164)

Who it applies to (entity and operational context)

This requirement applies to:

  • Covered Entities that engage business associates, and
  • Business Associates that engage subcontractors that are business associates (downstream). (45 CFR Parts 160, 162, 164)

Operational contexts where this pops up fast:

  • Cloud hosting, managed services, EHR/EMR platforms, billing and revenue cycle, transcription, patient engagement tools, analytics platforms, incident response firms, consultants with system access, and any third party that handles support tickets containing ePHI.
  • “Shadow” channels: departmental purchases, pilots, free trials, integrations turned on by IT without procurement review, and data sent for troubleshooting. Your risk is rarely the main vendor; it’s the quick exception that bypasses contracting.

What you actually need to do (step-by-step)

1) Define the trigger: “BA + ePHI = written agreement required”

Write a short internal rule your teams can follow:

  • If a third party will create, receive, maintain, or transmit ePHI, treat them as a potential business associate and route them through the BAA workflow before any ePHI exchange. (45 CFR Parts 160, 162, 164)

Implementation tip: Put this trigger in intake forms used by Procurement, IT, Security, and Privacy. If the intake never asks about ePHI, you will miss business associates.

2) Build a business associate inventory (or tag within your third-party inventory)

You need a living list of:

  • Third party legal name and any relevant affiliates
  • Service description and where ePHI could appear (systems, integrations, support channels)
  • Business owner and contracting owner
  • Contract status: draft, sent, executed, expired
  • Storage location of the executed agreement (repository link or record ID)

This inventory is what you will use to prove completeness: “Here are our business associates, and here are the agreements.”

3) Standardize the paper: approved templates and clause sets

Work with counsel to create:

  • A standard BAA template aligned to § 164.314(a) requirements
  • A fallback clause set for when the third party insists on using their paper (your minimum required addendum)

Operational rule: no redlines that remove required BAA concepts. If exceptions are allowed, require written approval from the Privacy Officer and Security Officer, and record the rationale.

4) Enforce the gate: no access until executed

Make the contracting milestone a prerequisite for:

  • Provisioning accounts, SSO, VPN access, API keys
  • Data exports or interface enablement
  • Production go-live, including “limited pilots” that use real data
  • Support escalation that shares logs or screenshots that might contain ePHI

This is where programs fail: teams treat the BAA as an administrative follow-up. Treat it as an access requirement.

5) Store it so you can produce it quickly

Pick a system of record for executed agreements:

  • Contract lifecycle management tool, GRC repository, or a controlled document repository with permissions and retention
  • Record indexing: vendor name, effective date, expiration/renewal, products covered

Daydream fit: if you already manage third-party risk and due diligence workflows in Daydream, store the executed BAA as a required artifact on the third-party record and configure a “no BAA, no onboarding” control gate. That links contract evidence to risk acceptance and onboarding approvals without chasing email attachments.

6) Monitor renewals, changes, and subcontractor flows

You need a mechanism to catch:

  • Contract renewals and renegotiations that could break BAA terms
  • Material scope changes (new integration, new data types, new regions)
  • Business associate subcontractors, when your counterparty passes ePHI downstream

Even if Legal “owns” the contract, Compliance must own the control: identify when a new arrangement needs a new or updated written assurance.
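The gate in steps 2, 4 and 6 is easiest to keep honest when it is evaluated mechanically from the inventory rather than by someone remembering to check. The following is an added example, not code from the page or from Daydream: a policy check that takes a provisioning request and the business associate inventory and reports every reason access must be blocked (no BA determination, agreement not executed, not yet effective, expired, service out of scope, wrong contracting party, executed copy not filed), plus a renewal watch for step 6. The record layout, the vendor names and all dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class BARecord:
    vendor: str                   # name used in the third-party inventory
    signing_entity: str           # legal entity that executed the BAA
    is_ba: Optional[bool]         # None = intake never asked whether ePHI is in scope
    contract_status: str          # "draft" | "sent" | "executed" | "expired"
    effective: Optional[date]
    expires: Optional[date]       # None = no fixed end date
    services: frozenset           # services the executed agreement covers
    repository_id: Optional[str]  # record ID of the executed copy; None = not filed

@dataclass(frozen=True)
class AccessRequest:
    vendor: str
    providing_entity: str         # entity that will actually hold the accounts/keys
    service: str
    touches_ephi: bool
    access_date: date

def baa_gate(req: AccessRequest, inventory: dict) -> tuple[bool, list[str]]:
    """Return (allowed, findings). Every failed check is reported so the
    contracting owner sees the whole gap, not just the first problem."""
    if not req.touches_ephi:
        return True, ["no ePHI in scope; BAA gate not triggered"]
    rec = inventory.get(req.vendor)
    if rec is None:
        return False, ["vendor absent from business associate inventory"]
    findings = []
    if rec.is_ba is None:
        findings.append("BA determination missing: intake never captured ePHI scope")
    elif rec.is_ba is False:
        findings.append("inventory says 'not a BA' but request touches ePHI; re-review status")
    if rec.contract_status != "executed":
        findings.append(f"agreement status is '{rec.contract_status}', not executed")
    if rec.effective is None or rec.effective > req.access_date:
        findings.append("agreement not effective on the requested access date")
    if rec.expires is not None and rec.expires < req.access_date:
        findings.append(f"agreement expired {rec.expires.isoformat()}")
    if req.service not in rec.services:
        findings.append(f"service '{req.service}' not covered by the executed agreement")
    if rec.signing_entity != req.providing_entity:
        findings.append("contracting party mismatch: BAA signed by "
                        f"{rec.signing_entity!r}, access requested for {req.providing_entity!r}")
    if rec.repository_id is None:
        findings.append("executed copy not filed in the system of record")
    return (not findings), (findings or ["executed BAA covers this access"])

def expiring_within(inventory: dict, today: date, days: int) -> list[str]:
    """Step 6 monitoring: executed agreements whose term ends within `days`."""
    horizon = today + timedelta(days=days)
    return sorted(v for v, r in inventory.items()
                  if r.contract_status == "executed" and r.expires is not None
                  and today <= r.expires <= horizon)

# Constructed sample inventory (hypothetical vendors, not real organizations).
INVENTORY = {
    "Acme Cloud Hosting": BARecord("Acme Cloud Hosting", "Acme Cloud Hosting LLC", True,
                                   "executed", date(2024, 1, 15), date(2026, 1, 14),
                                   frozenset({"hosting", "backup"}), "CLM-00412"),
    "Beta Analytics": BARecord("Beta Analytics", "Beta Analytics Inc.", True, "sent",
                               None, None, frozenset({"analytics"}), None),
    "Gamma Support Desk": BARecord("Gamma Support Desk", "Gamma Services Ltd", None,
                                   "executed", date(2023, 6, 1), date(2024, 5, 31),
                                   frozenset({"helpdesk"}), "CLM-00388"),
}

if __name__ == "__main__":
    req = AccessRequest("Beta Analytics", "Beta Analytics Inc.", "analytics", True, date(2025, 3, 1))
    allowed, findings = baa_gate(req, INVENTORY)
    print("ALLOW" if allowed else "BLOCK", findings)
```

Wire `baa_gate` into the provisioning or change-management step so a request with findings cannot proceed without the documented exception approval described above; the findings list is itself evidence that the gate ran.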

Required evidence and artifacts to retain

Keep evidence that proves both existence and governance of the arrangement:

Core artifacts [1]:

  • Executed written contract or other arrangement meeting § 164.314(a) requirements (signed BAA or equivalent arrangement) (45 CFR Parts 160, 162, 164)
  • Contract metadata: effective date, term, renewal terms, entities covered
  • Version history or redline log showing what changed (especially if exceptions approved)
  • Repository record showing where the executed agreement is stored and who can access it

Program artifacts (cross-cutting):

  • Business associate identification criteria (internal procedure)
  • Third-party intake questionnaire or decision tree that triggers BAA routing
  • Onboarding workflow evidence showing the “BAA executed” gate (tickets, approvals, change records)
  • Exception register (if any), approvals, and compensating controls

Common exam/audit questions and hangups

Expect examiners, internal audit, or customers to ask:

  • “Show me your complete list of business associates and the executed agreements for each.”
  • “Pick these samples: where is the signed BAA, and when was it executed relative to access/go-live?”
  • “How do you prevent a department from sending ePHI to a new third party before contracting is done?”
  • “Do your agreements cover the exact services in scope, or are you relying on a generic corporate BAA that doesn’t match reality?”
  • “Where are your ‘other arrangements’ documented, and how do you confirm they meet § 164.314(a)?” (45 CFR Parts 160, 162, 164)

Hangup that causes delays: You can’t find the executed copy quickly, or you find multiple versions and can’t prove which is in force.

Frequent implementation mistakes and how to avoid them

  1. Treating BA determination as a one-time exercise
  • Fix: Make BA status a required field in third-party intake and review it at scope changes.
  2. Allowing “pilot” access before signature
  • Fix: Tie provisioning and integration change controls to an “executed BAA” requirement. No exceptions without documented approval.
  3. Storing agreements in email or shared drives without indexing
  • Fix: Use a controlled repository and enforce naming conventions plus metadata tagging.
  4. Using the wrong contracting party
  • Fix: Confirm the legal entity signing matches the entity providing the service and accessing ePHI. Mismatched entities create enforceability gaps.
  5. Letting the business associate’s paper remove required assurances
  • Fix: Maintain a non-negotiable minimum clause set and route deviations to Privacy/Security for sign-off with recorded compensating controls.

Enforcement context and risk implications

You don’t need a complex interpretation of this requirement to understand the risk: without a compliant written contract or arrangement, you lack documented assurances about how ePHI will be safeguarded and what happens when incidents occur. That increases operational exposure during breaches (roles and responsibilities are unclear), and it weakens your position in audits and regulatory inquiries because you cannot demonstrate required assurances were documented. The regulation explicitly requires documentation through a written contract or other arrangement meeting § 164.314(a). (45 CFR Parts 160, 162, 164)

Practical execution plan (30/60/90-day)

Use phases rather than calendar promises; adjust to procurement volume and contract complexity.

First phase: Immediate stabilization

  • Identify your top business associates by ePHI volume and system criticality, then confirm each has an executed agreement on file.
  • Freeze new onboarding involving ePHI unless contracting confirms the written agreement path is followed.
  • Publish a one-page internal rule: “No BAA, no ePHI,” with escalation contacts.

Second phase: Near-term buildout

  • Implement a BA intake step in procurement/IT request flows with a clear decision point for BAA routing.
  • Standardize templates and an exception approval path; document who can approve deviations.
  • Create a central repository structure and move executed agreements out of inboxes and unmanaged drives.

Third phase: Operational maturity

  • Add monitoring: renewal tracking, scope-change triggers, and periodic sampling to confirm BAAs exist and match current services.
  • Integrate the control gate with access provisioning and change management so the process enforces itself.
  • In Daydream, map onboarding tasks (due diligence, security review, contracting, approvals) to a single third-party record so evidence collection becomes routine rather than a scramble.

Frequently Asked Questions

What counts as a “written contract or other arrangement” for this HIPAA requirement?

The rule requires you to document satisfactory assurances through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a). Practically, that is an executed BAA or an equivalent written arrangement that satisfies those requirements. (45 CFR Parts 160, 162, 164)

Do we need the agreement signed before the third party touches any ePHI?

The regulation requires the assurances to be documented through a written contract or other arrangement. Operationally, you should gate access and data exchange until the executed document is in place so you can prove compliance at the time services begin. (45 CFR Parts 160, 162, 164)

We have a master services agreement (MSA). Is that enough?

An MSA alone is only sufficient if it contains the applicable BAA requirements under § 164.314(a) and clearly covers the in-scope services involving ePHI. Many organizations still use a separate BAA or addendum because it’s easier to control required HIPAA terms. (45 CFR Parts 160, 162, 164)

What evidence do auditors typically want to see?

They usually ask for the executed agreement, proof it was effective during the period the third party handled ePHI, and a way to show completeness across all business associates (inventory plus repository references). They also test whether onboarding controls prevented pre-signature access. (45 CFR Parts 160, 162, 164)

How do we handle a third party that refuses to sign our BAA template?

Start with your fallback clause set and require a documented exception process for any deviations from required assurances. If required terms can’t be met, treat it as a stop/go risk decision before any ePHI is shared. (45 CFR Parts 160, 162, 164)

Does this apply when we are the business associate hiring a subcontractor?

Yes. The applicability includes business associates, and the operational expectation is that downstream third parties that qualify as business associates are brought under a written arrangement meeting the applicable requirements. (45 CFR Parts 160, 162, 164)

Footnotes

  1. 45 CFR Parts 160, 162, 164