DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
What is a Business Associate Subcontractor Agreement?
The HIPAA regulations require healthcare providers to enter into “business associate agreements” with their business associates. Business associates often require assistance in performing their tasks. For example, an IT services provider that fixes a provider’s network issues, may itself store that provider’s data on a cloud hosting platform of another company. When a business associate contracts with another business for that other business to create, maintain, transmit, or receive PHI that the business associate shares with the provider, that other business is called a “business associate subcontractor.” Just as business associates must enter into business associate agreements with their providers, so must subcontractors of business associates enter into business associate agreements with those business associates. The requirements of a business associate subcontractor agreement, or subcontractor BAA are outlined below.
Business Associate Subcontractor Agreement: Subcontractor BAA Basics
A business associate subcontractor agreement (referred to as a "subcontractor BAA") is a legally binding contract between (1) a business associate of a covered entity (sometimes referred to in the agreement as "Business Associate 1," or "BA 1"; and (2) a business associate of that business associate (sometimes referred to in the agreement as "Business Associate 2," or "BA 2." The latter, subcontractors of business associates, must promise to safeguard the protected health information and electronic protected health information (ePHI) it creates, receives, maintains, or transmits on behalf of the business associate.
By law, a business associate must ensure that any subcontractors it may engage on its behalf that will have access to protected health information will agree to the same restrictions and conditions that apply to the business associate with respect to such information.
So, the same restrictions and conditions in the provider/business associate agreement that apply to the business associate, must be listed in the business associate subcontractor BAA.
In other words, the business associate subcontractor, in the business associate subcontractor agreement, must agree to the following.
PHI Use and Disclosure
The business associate subcontractor may not use or disclose protected health information, other than as permitted or required by the subcontractor BAA, or as required by law. The rule here is that the subcontractor may use or disclose PHI when HIPAA allows it to, or whenever HIPAA or other law requires it to. If HIPAA forbids a specific use or disclosure of PHI without written patient authorization, the business associate contract cannot “override” HIPAA by requiring or permitting the subcontractor to use or disclose such information without written patient authorization.
Implement HIPAA Privacy and Security Rule Safeguards
The business associate subcontractor must use appropriate administrative, physical, and technical safeguards to protect the PHI and ePHI of the business associate.
Breach Notification and Security Incidents
The business associate subcontractor must report to the business associate any use or disclosure of protected health information not provided for by the business associate subcontractor agreement of which it becomes aware, including breaches of unsecured protected health information, and any security incident of which it becomes aware.
Working with Other Subcontractors
The subcontractor must ensure that any of its subcontractors that create, receive, maintain, or transmit protected health information on behalf of it, agree to the same restrictions, conditions, and requirements that apply to the subcontractor with respect to such information.
Availability of PHI
The subcontractor must make available protected health information in a designated record set to its business associate as necessary to satisfy a provider’s right of access obligations.
Accounting of Disclosures
The subcontractor must maintain and make available the information required to provide an accounting of disclosures of PHI, as necessary to satisfy a covered entity’s or business associate’s accounting obligations.
Determining HIPAA Compliance
The subcontractor must make their internal practices, books, and records available to the Secretary of the Department of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
Third-Party Disclosures
Subcontractors of business associates are permitted to use or disclose PHI to third parties, under limited conditions. The business associate subcontractor agreement should therefore contain the following provisions:
The subcontractor may use or disclose protected health information as required by law. If, for example, a state law requires the subcontractor to disclose PHI for public health purposes, the subcontractor may do so.
The subcontractor business associate may use protected health information for the proper management and administration of the subcontractor business associate or to carry out the legal responsibilities of the subcontractor business associate.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article