The HIPAA Omnibus Final Rule, effective since 2013, explicitly extended compliance obligations to subcontractors who handle protected health information (PHI) on behalf of business associates. A Public Health Reports study on the topic, titled ‘The HIPAA Omnibus Rule: Implications for Public Health Policy and Practice’, notes that, “The Omnibus Rule clarifies that the definition of a business associate also includes relevant subcontractors, ensuring that a covered entity's or business associate's security requirements encompass outsourced operations.”
This means that yes, HIPAA does apply to subcontractors. Specifically, subcontractors who create, receive, maintain, or transmit PHI on behalf of a business associate must safeguard that information in accordance with HIPAA. HIPAA further requires that the parties sign a business associate agreement (BAA) outlining how they will uphold their HIPAA obligations.
Subcontractors are entities or individuals who perform functions or activities on behalf of a business associate that involve the use or disclosure of protected health information (PHI). They are third parties hired by business associates to carry out specific tasks that require access to PHI.
For instance, a medical testing company contracted by a state insurance plan to perform health screenings acts as a subcontractor. These subcontractors may include vendors providing IT services, billing, data analysis, or other healthcare-related services that involve PHI.
A special report published by Wiggin and Dana, titled ‘Special HIPAA Business Associate Issues For Health Care Contractors’, states, “The contract requires the business associate to use appropriate information safeguards, report any privacy violations, and ensure that its agents and subcontractors agree to the same restrictions and conditions to which it has agreed in the contract.”
The contractual relationship and obligations of subcontractors exist primarily with the business associate that hires them. Under HIPAA, covered entities contract with business associates to perform services involving PHI. Business associates, in turn, may subcontract some of these services to subcontractors. The subcontractor’s legal and contractual obligations are with the business associate, not directly with the covered entity.
The business associate is responsible for managing its subcontractors’ compliance and for any breaches caused by subcontractors. This is why OCR enforcement actions often extend to business associates when subcontractors fail to protect PHI adequately.
The HIPAA Omnibus Rule requires that business associates obtain satisfactory assurances from subcontractors through a BAA before disclosing PHI to them. 45 C.F.R. § 164.502(e)(1)(i) is the specific section that provides for this, stating, “A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.” The quoted paragraph (i) addresses covered entities; the parallel paragraph (ii) of the same section places the same satisfactory-assurance requirement on a business associate that discloses PHI to a subcontractor, which is why the BAA obligation for subcontractors sits with the business associate rather than the covered entity.
This agreement specifies how PHI will be used, safeguarded, and reported in case of a breach. It also outlines the subcontractor’s obligations to comply with HIPAA’s Privacy, Security, and Breach Notification Rules. Failure to have a BAA in place with subcontractors can lead to penalties.
Onsite Health Diagnostics, a subcontractor for Tennessee’s state insurance plans, suffered a breach that exposed the PHI of over 60,000 individuals through unauthorized access by hackers. The incident illustrates the risk subcontractors can introduce and the need for timely breach notification, which in this case was delayed by several months.
Another breach involved Perry Johnson & Associates, a medical transcription service subcontractor, which disclosed a breach affecting millions of individuals. Unauthorized access to their systems exposed sensitive PHI, including Social Security numbers and clinical information. This breach led to the termination of contracts by affected healthcare organizations and drew regulatory scrutiny.
Once a subcontractor handles PHI, it must comply fully with HIPAA requirements, including signing a BAA. The HIPAA Omnibus Rule eliminated earlier ambiguities by making subcontractors directly liable for compliance, thereby narrowing the exceptions.
Subcontractors need to sign the BAA with the business associate who contracts them for healthcare-related services. This agreement is a legal requirement under HIPAA. The BAA outlines the responsibilities and obligations regarding the protection of PHI. By signing the BAA, subcontractors commit to safeguarding patient data and adhering to HIPAA regulations in their dealings with PHI.
See also: How HIPAA defines subcontractors
Official penalty amounts for 2023 are as follows (four tiers, from the lowest to the highest level of culpability):

| Penalty tier | Minimum penalty per violation | Maximum penalty per violation | Annual penalty cap |
|---|---|---|---|
| Tier 1 | $137 | $34,464 | $34,464 |
| Tier 2 | $1,379 | $68,928 | $137,886 |
| Tier 3 | $13,785 | $68,928 | $344,369 |
| Tier 4 | $68,928 | $68,928 | $2,067,813 |
See also: 2023 HIPAA civil monetary penalty adjustments
One exception covers entities often referred to as “conduits” for PHI. For example, internet service providers, the US Postal Service, and other courier services are generally not considered business associates or business associate subcontractors under HIPAA, so they may not require a separate BAA.
Contractors who work exclusively for a healthcare provider and do not have access to PHI for their own purposes may also fall under an exception. In such cases, these contractors are not classified as business associates, and a separate BAA may not be necessary.
Yes. The HIPAA Omnibus Rule makes subcontractors directly liable for compliance with certain HIPAA provisions, including breach notification and security requirements. This direct liability enhances accountability across the healthcare data handling chain.
Yes. If a subcontractor does not create, receive, maintain, or transmit PHI, HIPAA does not apply to them. However, if they have access to PHI in any form, they must comply fully with HIPAA rules and sign a BAA.
If a subcontractor discovers a breach of unsecured PHI, it must notify the business associate promptly. The business associate, in turn, must notify the covered entity and comply with HIPAA breach notification requirements, including notifying affected individuals and OCR when required.