Content library
Agreements and monitoring
Disclosure of PHI to business associates and subcontractors
Partner management
Agreements and monitoring

Disclosure of PHI to business associates and subcontractors

Start free trial

Task description

Disclosure of PHI to business associates and subcontractors

The data processing agreement between the organization and its business associates must explicitly authorize the business associate to create, receive, maintain, or transmit PHI on behalf of the organization and must include documented technical, administrative, and physical safeguards to protect that data.

Similarly, agreements between business associates and their subcontractors must contain the same authorization for PHI handling and detailed documentation of all required safeguards.

Requirements connected to the task

No items found.

Other tasks from the same security theme

Task name
Priority
Policy
Other requirements
Data processing partner listing and owner assignment
Critical
High
Normal
Low
Agreements and monitoring
65
requirements

Examples of other requirements this task affects

Članak 30.1.d: Sigurnost lanca opskrbe
NIS2 Croatia
9.4 §: Toimitusketjun hallinta ja valvonta
Kyberturvallisuuslaki
1.2.4: Definition of responsibilities with service providers
TISAX
1.3.3: Use of approved external IT services
TISAX
6.1.1: Partner Information security
TISAX
See all related requirements and other information from tasks own page.
Go to >
Data processing partner listing and owner assignment
Documentation of partner contract status
Critical
High
Normal
Low
Agreements and monitoring
52
requirements

Examples of other requirements this task affects

Članak 30.1.d: Sigurnost lanca opskrbe
NIS2 Croatia
9.4 §: Toimitusketjun hallinta ja valvonta
Kyberturvallisuuslaki
30 § 3.4°: La sécurité de la chaîne d'approvisionnement
NIS2 Belgium
30 § 4°: Définir et contrôler les mesures de sécurité requises pour la chaîne d'approvisionnement
NIS2 Belgium
2.1.9: Maintain security responsibility during outsourcing
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Documentation of partner contract status
Documentation of customer groups whose information is processed by the organization
Critical
High
Normal
Low
Agreements and monitoring
8
requirements

Examples of other requirements this task affects

CLD 8.1.5: Removal of cloud service customer assets
ISO 27017
CLD 6.3: Relationship between cloud service customer and cloud service provider
ISO 27017
CLD 6.3.1: Shared roles and responsibilities within a cloud computing environment
ISO 27017
A.8.2.1: Customer agreement
ISO 27701
4.2: Interested parties
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Documentation of customer groups whose information is processed by the organization
Business associate contracts and subcontractor obligations regarding PHI
Critical
High
Normal
Low
Agreements and monitoring
2
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Business associate contracts and subcontractor obligations regarding PHI
Joint notice of privacy practices for an organized health care
Critical
High
Normal
Low
Agreements and monitoring
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Joint notice of privacy practices for an organized health care
Disclosure of PHI to business associates and subcontractors
Critical
High
Normal
Low
Agreements and monitoring
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Disclosure of PHI to business associates and subcontractors
Procedure for information exchange with authorities (Belgium)
Critical
High
Normal
Low
Agreements and monitoring
1
requirements

Examples of other requirements this task affects

Art. 19: Échange d'informations
Loi infrastructures critiques
See all related requirements and other information from tasks own page.
Go to >
Procedure for information exchange with authorities (Belgium)
Monitoring policy of personal data
Critical
High
Normal
Low
Agreements and monitoring
1
requirements

Examples of other requirements this task affects

§ 6-4.4: Håndtering av overvåkingsdata
Sikkerhetsloven
See all related requirements and other information from tasks own page.
Go to >
Monitoring policy of personal data
Appointing an authorization authority
Critical
High
Normal
Low
Agreements and monitoring
1
requirements

Examples of other requirements this task affects

§ 8-9: Autorisasjon
Sikkerhetsloven
See all related requirements and other information from tasks own page.
Go to >
Appointing an authorization authority
User notification of monitoring
Critical
High
Normal
Low
Agreements and monitoring
1
requirements

Examples of other requirements this task affects

§ 6-4.6: Informere autoriserte brukere om overvåking
Sikkerhetsloven
See all related requirements and other information from tasks own page.
Go to >
User notification of monitoring
Performing a special security protection assessment before starting sensitive procedures
Critical
High
Normal
Low
Agreements and monitoring
1
requirements

Examples of other requirements this task affects

§ 4.7: Skyldigheter inför förfaranden som kräver säkerhetsskyddsavtal
SSL
See all related requirements and other information from tasks own page.
Go to >
Performing a special security protection assessment before starting sensitive procedures
Informing acquirers of security protection obligations during transfers
Critical
High
Normal
Low
Agreements and monitoring
1
requirements

Examples of other requirements this task affects

§ 4.20: Upplysning om säkerhetsskyldigheter
SSL
See all related requirements and other information from tasks own page.
Go to >
Informing acquirers of security protection obligations during transfers
Supplier agreement review and non-compliance actions
Critical
High
Normal
Low
Agreements and monitoring
1
requirements

Examples of other requirements this task affects

§ 4.5: Motpartens efterlevnad av säkerhetsavtal
SSL
See all related requirements and other information from tasks own page.
Go to >
Supplier agreement review and non-compliance actions
Process for consultation with the supervisory authority
Critical
High
Normal
Low
Agreements and monitoring
1
requirements

Examples of other requirements this task affects

§ 4.15: Skyldigheten att samråda
SSL
See all related requirements and other information from tasks own page.
Go to >
Process for consultation with the supervisory authority
Performing a suitability assessment
Critical
High
Normal
Low
Agreements and monitoring
2
requirements

Examples of other requirements this task affects

§ 4.7: Skyldigheter inför förfaranden som kräver säkerhetsskyddsavtal
SSL
§ 4.9: Lämplighetsprövningen
SSL
See all related requirements and other information from tasks own page.
Go to >
Performing a suitability assessment
Implementation of cyber security measures (Lithuania)
Critical
High
Normal
Low
Agreements and monitoring
2
requirements

Examples of other requirements this task affects

14.2.: Kibernetinio saugumo reikalavimų terminas
NIS2 Lithuania
14.3.: Įgyvendinimo duomenų pateikimas
NIS2 Lithuania
See all related requirements and other information from tasks own page.
Go to >
Implementation of cyber security measures (Lithuania)
Process for handling and sharing vulnerability disclosures
Critical
High
Normal
Low
Agreements and monitoring
6
requirements

Examples of other requirements this task affects

30 § 3.11°: Divulgation des vulnérabilités
NIS2 Belgium
ID.RA-08: Processes for handling vulnerability disclosures
NIST 2.0
RS.AN-5: Processes are established to receive, analyse, and respond to vulnerabilities disclosed to the organization from internal and external sources.
CyberFundamentals
14.5.6): Tinklų ir informacinių sistemų saugumą
NIS2 Lithuania
Vuln.6: Sharing information about potential vulnerabilities
CRA
See all related requirements and other information from tasks own page.
Go to >
Process for handling and sharing vulnerability disclosures
Establishing agreements with third parties to provide consultation during an incident
Critical
High
Normal
Low
Agreements and monitoring
1
requirements

Examples of other requirements this task affects

4.1.4: Establish agreements with relevant third parties
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Establishing agreements with third parties to provide consultation during an incident
Assigning of a Public Relations Officer
Critical
High
Normal
Low
Agreements and monitoring
1
requirements

Examples of other requirements this task affects

RC.CO-1: Public relations are managed.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Assigning of a Public Relations Officer
Management of procurement and use of external IT services
Critical
High
Normal
Low
Agreements and monitoring
4
requirements

Examples of other requirements this task affects

1.3.3: Use of approved external IT services
TISAX
15.4: Ensure Service Provider Contracts Include Security Requirements
CIS 18
§ 9-4.1: Myndighet til å fatte vedtak ved anskaffelser til skjermingsverdig informasjonssystem, objekt og infrastruktur
Sikkerhetsloven
See all related requirements and other information from tasks own page.
Go to >
Management of procurement and use of external IT services
Key contractual requirements for service providers supporting critical functions
Critical
High
Normal
Low
Agreements and monitoring
1
requirements

Examples of other requirements this task affects

Article 30: Key contractual provisions
DORA
See all related requirements and other information from tasks own page.
Go to >
Key contractual requirements for service providers supporting critical functions
Risk Assessment and Considerations for Contracting ICT Services Supporting Critical Functions
Critical
High
Normal
Low
Agreements and monitoring
3
requirements

Examples of other requirements this task affects

Article 29: Preliminary assessment of ICT concentration risk at entity level
DORA
2.1.9: Maintain security responsibility during outsourcing
NSM ICT-SP
Article 34: ICT operations security
DORA simplified RMF
See all related requirements and other information from tasks own page.
Go to >
Risk Assessment and Considerations for Contracting ICT Services Supporting Critical Functions
Definition of information sharing agreements and notification obligations
Critical
High
Normal
Low
Agreements and monitoring
16
requirements

Examples of other requirements this task affects

19.4.: Dalijimosi informacija susitarimai
NIS2 Lithuania
Chapter VI: Information-sharing arrangements
DORA
Article 45: Information-sharing arrangements on cyber threat information and intelligence
DORA
27 § 2°: D'accords de partage d'informations en matière de cybersécurité
NIS2 Belgium
27 § 4°: Notification de la participation à des accords d'échange d'informations
NIS2 Belgium
See all related requirements and other information from tasks own page.
Go to >
Definition of information sharing agreements and notification obligations
Monitoring suppliers' compliance with security requirements
Critical
High
Normal
Low
Agreements and monitoring
44
requirements

Examples of other requirements this task affects

Članak 30.2: Dobavljačka kibernetička sigurnost i rizici
NIS2 Croatia
1.2.4: Definition of responsibilities with service providers
TISAX
30 § 4°: Définir et contrôler les mesures de sécurité requises pour la chaîne d'approvisionnement
NIS2 Belgium
2.1.10: Review the service provider’s security when outsourcing
NSM ICT-SP
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Monitoring suppliers' compliance with security requirements
Definition of supplier-specific responsible persons
Critical
High
Normal
Low
Agreements and monitoring
7
requirements

Examples of other requirements this task affects

15.2.2: Managing changes to supplier services
ISO 27001
8.1.2: Ownership of assets
ISO 27001
ID.SC-4: Audit suppliers and third-party partners
NIST
14.5.12): Kibernetinio saugumo prieigos ir duomenų teisių politika
NIS2 Lithuania
CC9.2: Partner risk management
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Definition of supplier-specific responsible persons
Documentation of other stakeholders
Critical
High
Normal
Low
Agreements and monitoring
36
requirements

Examples of other requirements this task affects

Članak 30.1.d: Sigurnost lanca opskrbe
NIS2 Croatia
9.4 §: Toimitusketjun hallinta ja valvonta
Kyberturvallisuuslaki
1.3.3: Use of approved external IT services
TISAX
30 § 3.4°: La sécurité de la chaîne d'approvisionnement
NIS2 Belgium
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Documentation of other stakeholders
Maintaining contact with cloud-related special interest groups
Critical
High
Normal
Low
Agreements and monitoring
4
requirements

Examples of other requirements this task affects

6.1.4: Contact with special interest groups
ISO 27017
ID.RA-2: Cyber threat intelligence
NIST
ID.RA-02: Cyber threat intelligence from forums and sources
NIST 2.0
See all related requirements and other information from tasks own page.
Go to >
Maintaining contact with cloud-related special interest groups
Keeping contact with relevant authorities
Critical
High
Normal
Low
Agreements and monitoring
39
requirements

Examples of other requirements this task affects

Članak 37: Obavještavanje o značajnim incidentima
NIS2 Croatia
11 §: Poikkeamailmoitukset viranomaiselle
Kyberturvallisuuslaki
1.2.2: Information Security Responsibilities
TISAX
34 § 1°: Notifications d'incidents au CSIRT et aux bénéficiaires des services
NIS2 Belgium
RC.CO-1: Public relations are managed.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Keeping contact with relevant authorities
Detailed descriptions of required security measures for subcontractors on contracts related to offered cloud services
Critical
High
Normal
Low
Agreements and monitoring
3
requirements

Examples of other requirements this task affects

A.11.12: Sub-contracted PII processing
ISO 27018
15.1.3: Information and communication technology supply chain
ISO 27017
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Detailed descriptions of required security measures for subcontractors on contracts related to offered cloud services
Communicating responsibilities to suppliers
Critical
High
Normal
Low
Agreements and monitoring
8
requirements

Examples of other requirements this task affects

PR.AT-3: Third-party stakeholders
NIST
1.2.4: Definition of responsibilities with service providers
TISAX
ID.BE-1: The organization’s role in the supply chain is identified and communicated.
CyberFundamentals
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities.
CyberFundamentals
GV.SC-02: Establishing and communicating cybersecurity roles for suppliers, customers, and partners
NIST 2.0
See all related requirements and other information from tasks own page.
Go to >
Communicating responsibilities to suppliers
Service level requirements in contracts related to the data processing environment
Critical
High
Normal
Low
Agreements and monitoring
4
requirements

Examples of other requirements this task affects

28: Palvelutasovaatimukset sopimuksissa
Digiturvan kokonaiskuvapalvelu
Article 30: Key contractual provisions
DORA
2.1.9: Maintain security responsibility during outsourcing
NSM ICT-SP
15.4: Ensure Service Provider Contracts Include Security Requirements
CIS 18
See all related requirements and other information from tasks own page.
Go to >
Service level requirements in contracts related to the data processing environment
Evaluation of data processing agreement for important data processors
Critical
High
Normal
Low
Agreements and monitoring
7
requirements

Examples of other requirements this task affects

28. Data processor
GDPR
15.1.2: Addressing security within supplier agreements
ISO 27001
TSU-04.1: Henkilötietojen käsittelijä - Sopimukset
Julkri
5.20: Addressing information security within supplier agreements
ISO 27001
P6.5: Notification of unauthorized disclosure of personal information from third parties
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Evaluation of data processing agreement for important data processors
Managing changes to supplier services
Critical
High
Normal
Low
Agreements and monitoring
7
requirements

Examples of other requirements this task affects

15.2.2: Managing changes to supplier services
ISO 27001
HAL-16.1: Hankintojen turvallisuus - sopimukset
Julkri
CC9.2: Partner risk management
SOC 2
CC3.4: Identification and assesment of changes
SOC 2
Art. 10: Dienstleister
CSV
See all related requirements and other information from tasks own page.
Go to >
Managing changes to supplier services
Terms and conditions to limit changes directly affecting customer environments
Critical
High
Normal
Low
Agreements and monitoring
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Terms and conditions to limit changes directly affecting customer environments
Contact with industry-specific interest groups
Critical
High
Normal
Low
Agreements and monitoring
20
requirements

Examples of other requirements this task affects

6.1.4: Contact with special interest groups
ISO 27001
ID.RA-2: Cyber threat intelligence
NIST
RS.CO-5: Voluntary information sharing
NIST
RC.CO-1: Public relations
NIST
14.5.13): Kitus taikomus kibernetinio saugumo reikalavimus
NIS2 Lithuania
See all related requirements and other information from tasks own page.
Go to >
Contact with industry-specific interest groups
Collection and monitoring of supplier-specific privacy commitments
Critical
High
Normal
Low
Agreements and monitoring
2
requirements

Examples of other requirements this task affects

CC9.2: Partner risk management
SOC 2
2.1.4: Reduce the risk of targeted manipulation of ICT products in the supply chain
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Collection and monitoring of supplier-specific privacy commitments

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.
Start free trial
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.
Effortless compliance improvement
Widest framework library in EU
Extensive support

Start your compliance journey

Use in MS Teams or use your browser with Slack integration.
Risk free trial. No credit card required. Stop at any time.

Start free 14-day trial
Book a meeting
How it works?
SummarySecurity tasks and assuranceDocumentation workflowsEmployee guidelinesReporting templates
Use cases
By frameworkAll frameworksISO 27001NIS2 directiveNIST CSFCSA CCMISO 27701GDPRISO 27017ISO 27018
By methodCyber risk managementEmployee awarenessCompliance reportingControl managementAsset managementPrivacy managementVendor assessments
Resources
AcademyWebinarsBlogHelp articlesVideo coursesContent libraryGuidesNewsletterLeave a reviewPartner programTeamTerms of usePrivacy policy
Contact us
+358 10 231 6010
team@cyberday.ai
App works in:
Known in Finland as Digiturvamalli
© Cyberday Inc. Kalevantie 2 33100 Tampere, Finland
Cyberday.ai - Improve and certify your cyber security
No items found.