HIPAA Business Associate Subcontractor Agreement
Summary
This template business associate subcontractor agreement is for use by a service provider to an entity covered by the Health Insurance Portability and Accountability Act (HIPAA) and a subcontractor of the service provider that will handle the covered entity's protected health information (PHI). This template includes practical guidance, drafting notes, and alternate and optional clauses. Almost all service providers of a HIPAA-covered entity that are anticipated to create, receive, maintain, or transmit any PHI of the covered entity (so-called business associates) must enter into and operate in accordance with a business associate agreement (BAA) meeting requirements under both HIPAA's Privacy Rule (regarding PHI generally) and Security Rule (regarding electronic PHI (ePHI)). See 45 C.F.R. § 164.504(e) and 45 C.F.R. § 164.314(a), respectively. A subcontractor of a business associate that handles the covered entity's PHI is also considered a business associate under HIPAA. 45 C.F.R. § 160.103 (definition of "business associate"). The HIPAA regulations pass along the responsibility for obtaining BAAs with subcontractors to the business associate that retains the subcontractor. That is, a business associate must (and must represent in its BAA that it will) procure a BAA with any subcontractor that it retains to assure that subcontractor's compliance with HIPAA to protect the covered entity's PHI. See 45 C.F.R. §§ 164.502(e)(1), 164.504(e)(2)(ii)(D). That is the purpose of this template. The rules for BAAs between a business associate and its subcontractor mirror the principal obligations to protect and facilitate appropriate access to PHI that a primary business associate must commit to in its BAA with the HIPAA covered entity. See 45 C.F.R. §§ 164.314(a)(2)(iii), 164.504(e)(5).
A significant change to HIPAA enforcement under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act was to render business associates (including subcontractor business associates) directly subject to all aspects of the Security Rule, specified provisions of the Privacy Rule (including the minimum necessary standard), and new Breach Notification Rule requirements. Previously, their obligations were predominantly contractual under the BAA. Business associates are therefore now subject to compliance audits and potentially liable for civil money penalties and other enforcement measures for noncompliance. 45 C.F.R. §§ 164.104(b), 164.302, 164.500(c). For more information, see 78 Fed. Reg. 5,566 (Jan. 25, 2013) and Department of Health and Human Services, Direct Liability of Business Associates. For extensive coverage of important topics in the healthcare industry, see Healthcare Fundamentals Resource Kit. For more information on business associate agreements and HIPAA generally, see HIPAA Privacy, Security, Breach Notification, and Other Administrative Simplification Rules. For a BAA between a covered entity and a business associate, see HIPAA Business Associate Agreement. For a business associate policy designed for use by HIPAA covered entities, see HIPAA Business Associate Policy. For other HIPAA-related materials, see the HIPAA Resource Kit. For more on health information privacy and security, see Health Information Privacy and Security Resource Kit.