164.308(b)(1) - A covered entity, in accordance with 164.306 [the Security Standards: General Rules], may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with 164.314(a) [the Organizational Requirements] that the business associate will appropriately safeguard the information (Emphasis added).

Covered entities must enter into a contract or other arrangement with persons that meet the definition of business associate in § 160.103. This standard is comparable to the Business Associate Contract standard in the Privacy Rule, but is specific to business associates that create, receive, maintain or transmit EPHI. To comply with this standard, covered entities must obtain satisfactory assurances from the business associate that it will appropriately safeguard EPHI.