When are subcontractors business associates under HIPAA?

Subcontractors are considered business associates under HIPAA when they directly handle, manage, or can access protected health information (PHI) as part of the services they provide to a covered entity or another business associate. Functionally, they are business associates whenever they create, receive, maintain, or transmit PHI, even if the involvement with PHI is incidental or indirect.

Defining subcontractors and business associates

Subcontractors in healthcare often provide specialized services that support the operations of healthcare providers, including IT support, data storage, billing, and administrative tasks. According to the Department of Health and Human Services, a business associate is a “person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."

The HHS clarifies that "the types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.". If a subcontractor performs functions that involve the use, disclosure, creation, or maintenance of PHI, they are classified as a business associate under HIPAA. 

Read more: How to know if you’re a business associate

Criteria for subcontractors to be considered business associates

• Direct handling of PHI: A subcontractor is classified as a business associate if they directly handle PHI as part of their services, including creating, receiving, maintaining, or transmitting PHI on behalf of a business associate.
• Nature of services provided: If a subcontractor provides services that inherently involve the management of PHI (e.g., cloud storage, data processing, IT support), they are considered a business associate. The specific tasks and responsibilities assigned to the subcontractor will determine their status under HIPAA.
• Involvement with PHI in indirect roles: Subcontractors who perform indirect roles that involve PHI (e.g., data backup services) are also subject to HIPAA regulations as business associates. Even occasional or one-time interactions with PHI qualify subcontractors as business associates.
• Broader scope of work: Healthcare organizations must assess whether subcontractors might interact with PHI during their duties.

HIPAA compliance implications

Once a subcontractor is considered a business associate, they must enter into a business associate agreement (BAA) with the business associate they serve. This legal contract outlines the subcontractor's responsibilities regarding PHI protection and compliance with HIPAA’s Privacy and Security Rules. The BAA must include specific provisions related to securing PHI, reporting breaches, and complying with HIPAA standards.

How to manage subcontractors under HIPAA

• Conduct thorough vetting processes: Assess whether a subcontractor’s role involves handling or accessing PHI. Review the scope of work to determine if HIPAA regulations apply.
• Implement strong contractual protections: Draft and enforce comprehensive BAAs that outline the subcontractor’s HIPAA obligations. Regularly review and update BAAs to reflect any changes in the subcontractor’s role or services provided.
• Ongoing monitoring and auditing: Review subcontractors’ security practices to confirm they are HIPAA compliant. Conduct audits to verify that subcontractors stick to the terms of the BAA and address any compliance issues.
• Provide training and support: Give subcontractors HIPAA training to understand their responsibilities regarding PHI fully. Establish clear communication channels for identifying and resolving any compliance issues promptly.

FAQs

How often should a healthcare organization review the BAAs with subcontractors?

Healthcare organizations should review BAAs at least annually or whenever there is a significant change in the subcontractor’s services or role involving PHI.

Can subcontractors be liable for HIPAA violations?

Yes, subcontractors classified as business associates are directly liable for HIPAA violations and can face penalties if they fail to comply with HIPAA regulations.

How should healthcare organizations handle subcontractor breaches of PHI?

Healthcare organizations should have protocols to promptly address subcontractor breaches, including breach notification, remediation steps, and reporting to the Department of Health and Human Services (HHS) if required.

Related: HIPAA Compliant Email: The Definitive Guide.