Do subcontractors have to sign a BAA?

The HIPAA final rule, effective since 2013, explicitly extended compliance obligations to subcontractors who handle protected health information (PHI) on behalf of business associates. A Public Health Reports study titled ‘The HIPAA Omnibus Rule: Implications for Public Health Policy and Practice’ notes that “The Omnibus Rule clarifies that the definition of a business associate also includes relevant subcontractors, ensuring that a covered entity's or business associate's security requirements encompass outsourced operations.”

This means that, yes, HIPAA does apply to subcontractors. Specifically, subcontractors who create, receive, maintain, or transmit PHI on behalf of a business associate must safeguard that information in accordance with HIPAA. HIPAA further requires that the parties sign a business associate agreement (BAA) outlining how the subcontractor will uphold its HIPAA obligations.

What are subcontractors?

Subcontractors are entities or individuals that perform functions or activities on behalf of a business associate involving the use or disclosure of protected health information (PHI). They are third parties hired by business associates to carry out specific tasks that require access to PHI.

For instance, a medical testing company contracted by a state insurance plan to perform health screenings acts as a subcontractor. These subcontractors may include vendors providing IT services, billing, data analysis, or other healthcare-related services that involve PHI.

With whom does the contractual relationship exist?

A special report published by Wiggin and Dana, titled ‘Special HIPAA Business Associate Issues For Health Care Contractors’, explains: “The contract requires the business associate to use appropriate information safeguards, report any privacy violations, and ensure that its agents and subcontractors agree to the same restrictions and conditions to which it has agreed in the contract.”

The contractual relationship and obligations of subcontractors exist primarily with the business associate that hires them. Under HIPAA, covered entities contract with business associates to perform services involving PHI. Business associates, in turn, may subcontract some of these services to subcontractors. The subcontractor’s legal and contractual obligations are with the business associate, not directly with the covered entity.

The business associate is responsible for managing its subcontractors’ compliance and for any breaches caused by subcontractors. This is why OCR enforcement actions often extend to business associates when subcontractors fail to protect PHI adequately.

Do business associates need subcontractors to sign a BAA?

The HIPAA Omnibus Rule requires that business associates obtain satisfactory assurances from subcontractors, in the form of a BAA, before disclosing PHI to them. 45 C.F.R. § 164.502(e)(1)(i) is the specific section that provides for this, stating, “A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.” In other words, the duty to obtain assurances from a subcontractor rests with the business associate that engages it, not with the covered entity.

This agreement specifies how PHI will be used, safeguarded, and reported in case of a breach. It also outlines the subcontractor’s obligations to comply with HIPAA’s Privacy, Security, and Breach Notification Rules. Failure to have a BAA in place with subcontractors can lead to penalties. 

The possible challenge with employing business associates

Onsite Health Diagnostics, a subcontractor for Tennessee’s state insurance plans, suffered a breach that exposed the PHI of over 60,000 individuals after hackers gained unauthorized access. The incident illustrates the risk subcontractors can introduce and the need for timely breach notification, which in this case was delayed by several months.

Another breach involved Perry Johnson & Associates, a medical transcription service subcontractor, which disclosed a breach affecting millions of individuals. Unauthorized access to its systems exposed sensitive PHI, including Social Security numbers and clinical information. The breach led affected healthcare organizations to terminate their contracts and drew regulatory scrutiny.

Once a subcontractor handles PHI, it must comply fully with HIPAA requirements, including signing a BAA. The HIPAA Omnibus Rule eliminated earlier ambiguities by making subcontractors directly liable for compliance, thereby narrowing the available exceptions.

Who does the subcontractor need to sign the BAA with?

Subcontractors need to sign the BAA with the business associate who contracts them for healthcare-related services. This agreement is a legal requirement under HIPAA. The BAA outlines the responsibilities and obligations regarding the protection of PHI. By signing the BAA, subcontractors commit to safeguarding patient data and adhering to HIPAA regulations in their dealings with PHI.

See also: How HIPAA defines subcontractors

Consequences of a subcontractor not signing a BAA with a business associate

  1. Legal penalties: Non-compliance with HIPAA can result in substantial legal penalties. Subcontractors may be subject to civil monetary penalties, which can range from thousands to millions of dollars, depending on the severity of the violation.
  2. Criminal charges: In extreme cases, non-compliance can lead to criminal charges. Subcontractors who knowingly and willfully disregard HIPAA regulations may face criminal charges, including fines and imprisonment.
  3. Data breaches: Without a BAA in place, there is often a lack of clear policies and safeguards for PHI. This increases the risk of data breaches and unauthorized disclosures, potentially leading to financial and reputational damage.
  4. Termination of contract: The business associate may be forced to terminate its contract with the non-compliant subcontractor to avoid legal liabilities and regulatory actions, disrupting their business relationship.
  5. Regulatory scrutiny: Non-compliance can trigger investigations and audits by the HHS Office for Civil Rights (OCR), leading to fines and corrective action plans.

The civil monetary penalties for HIPAA violations and breaches

Official penalty amounts for 2023 are as follows:

Tier 1: Lack of knowledge
Minimum penalty per violation: $137
Maximum penalty per violation: $34,464
Annual penalty cap: $34,464

Tier 2: Reasonable cause
Minimum penalty per violation: $1,379
Maximum penalty per violation: $68,928
Annual penalty cap: $137,886

Tier 3: Willful neglect (corrected within 30 days)
Minimum penalty per violation: $13,785
Maximum penalty per violation: $68,928
Annual penalty cap: $344,369

Tier 4: Willful neglect (not corrected within 30 days)
Minimum penalty per violation: $68,928
Maximum penalty per violation: $68,928
Annual penalty cap: $2,067,813

See also: 2023 HIPAA civil monetary penalty adjustments

Exceptions to the requirement under HIPAA

One exception covers entities often referred to as "conduits" for PHI. For example, internet service providers, the US Postal Service, and other courier services are generally not considered business associates or business associate subcontractors under HIPAA, so a separate BAA may not be required.

Contractors who work exclusively for a healthcare provider and do not access PHI for their own purposes may also fall under an exception. In such cases, these contractors are not classified as business associates, and a separate BAA may not be necessary.

FAQs

Are subcontractors directly liable for breaches?

Yes. The HIPAA Omnibus Rule makes subcontractors directly liable for compliance with certain HIPAA provisions, including breach notification and security requirements. This direct liability enhances accountability across the healthcare data handling chain.

Can a subcontractor be exempt from HIPAA if they do not handle PHI?

Yes. If a subcontractor does not create, receive, maintain, or transmit PHI, HIPAA does not apply to them. However, if they have access to PHI in any form, they must comply fully with HIPAA rules and sign a BAA.

What is the process for breach notification involving subcontractors?

If a subcontractor discovers a breach of unsecured PHI, they must notify the business associate promptly. The business associate, in turn, must notify the covered entity and comply with HIPAA breach notification requirements, including notifying affected individuals and the OCR when required.
