The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 extended direct HIPAA liability to "business associates" which is any person or company that creates, receives, maintains, or transmits PHI on behalf of a covered entity. The definition of "business associate" and the scope of covered PHI are set out in the general administrative provisions at 45 CFR Part 160. When a covered entity uses a freelance medical transcriptionist, that individual becomes a business associate, and the healthcare organization remains responsible for ensuring the relationship is properly structured and monitored.

This means a healthcare organization is legally required to execute a business associate agreement (BAA) with any freelancer or agency that it provides with dictation files before any PHI changes hands. The specific requirement to execute a BAA, along with the mandatory contract terms it must contain, comes from 45 CFR §164.502(e) and §164.504(e). These sections govern how the safeguards must be documented, what happens in the event of a breach, and what protections an organization must confirm are in place before work begins.

 

When subcontracting chains break down

In "Assessing Privacy Risk in Outsourcing," healthcare attorney Margaret Davino documented a case that shows what can go wrong when a covered entity loses visibility into who is actually handling its patients' data.

In 2003, the University of California at San Francisco Medical Center sent transcription work to a vendor it had used for years. That vendor distributed the work across more than a dozen subcontractors nationwide. One of those subcontractors, in turn, subcontracted the work again until the files reached a transcriptionist in Pakistan, several layers removed from UCSF's original contract and, by the author's account, unknown to the parties above her in the chain. When a payment dispute arose between the subcontractors, the Pakistani transcriptionist emailed UCSF directly, attaching two patients' dictation reports as proof she had the data, and threatening to "expose all the voice files and patient records of UCSF … on the Internet" if she wasn't paid.

The situation was resolved when one of the parties in the chain paid the transcriptionist and she withdrew her threat. However, the problem was a chain of subcontractors that led to no party being able to say who held the data, how it was stored, or where it physically was. Davino's point was that HIPAA doesn't reach vendors directly, it works by obligating covered entities to secure contractual assurances from their business associates, and to ensure those obligations flow down to every subcontractor in the chain, not just the first link.

The lesson healthcare organizations should take is that a signed BAA with a primary contractor isn't enough if that contractor is free to redistribute the files to unvetted subcontractors of their own. Freelancer agreements should prohibit further subcontracting without the institution's knowledge and consent, or at minimum require that any subcontractor be disclosed and bound by the same confidentiality and security terms, a requirement Davino notes is already built into HIPAA's business associate rules, which require that "any agents, including a subcontractor," receiving the data agree to the same restrictions that bind the business associate itself.

 

The three HIPAA safeguards your vendors must meet

Administrative safeguards cover the freelancer's policies and training. Before onboarding, an organization should confirm the contractor understands what counts as PHI as defined under the Privacy Rule, understands their BAA obligations, and has a written plan for what they'll do if they suspect a breach.

Physical safeguards protect the actual devices and spaces where a freelancer works. Your vetting process should ask how the contractor secures their workstation, whether their computer locks automatically, and how they handle printed materials.

Technical safeguards are where freelancers should be able to demonstrate encryption for data at rest and in transit, secure and unique login credentials, automatic logoff on their systems, and audit controls that track who accessed what.

Learn more: What are administrative, physical and technical safeguards?

 

Requiring HIPAA compliant tools from your freelancer

The software stack a freelancer uses is often a compliance risk an organization inherits. Free consumer-grade tools rarely meet the technical safeguard requirements of Subpart C, so institutions should specify, and audit, the tools freelancers are permitted to use.

  • File transfer: Freelancers should not be allowed to send audio files, drafts, or finished transcripts through regular email, personal cloud drives, or consumer messaging apps. Organizations should provide, or require, a HIPAA compliant file transfer system or secure client portal that offers encryption.
  • Storage: Contracts and onboarding materials should prohibit freelancers from storing PHI locally on personal laptops or personal cloud storage unless that storage is specifically configured and covered under a BAA.
  • Transcription software: If a freelancer uses speech-to-text tools or AI transcription assistants, the healthcare organization should confirm that the vendor behind that tool is willing to sign a BAA and that PHI isn't being used to train public models.

Healthcare organizations should remember that HIPAA compliance and transcription accuracy are two separate things, a tool can check the compliance box and still perform inconsistently depending on context. A 2023 pilot study, Using HIPAA (Health Insurance Portability and Accountability Act)–Compliant Transcription Services for Virtual Psychiatric Interviews: Pilot Comparison Study, compared several HIPAA compliant automatic speech recognition tools against human transcription in a clinical mental health setting and found differences in word error rates between services. The researchers also found that certain categories of words were disproportionately prone to being dropped or mistranscribed, which matters in clinical or psychiatric contexts where those word choices can carry diagnostic importance. As the study's authors noted,HIPAA compliant services establish a regulatory baseline for protecting patient identity but compliance alone doesn't guarantee the transcript is clinically or contextually reliable.

Read also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

 

Building institutional habits that protect your organization

  • Confirm that freelancers keep their operating systems and antivirus software updated, and build this into compliance check-ins.
  • Set clear expectations that freelancers log out and lock their screens any time they step away from their workstation.
  • Require freelancers to delete completed files promptly rather than allowing a backlog of sensitive audio and transcripts to accumulate on personal hardware.
  • Prohibit PHI-related work over public Wi-Fi, or require a trusted VPN if a freelancer must work outside a secured network.
  • Maintain a written incident response plan so everyone knows exactly who to notify and what steps to take if a device is lost, stolen, or compromised.
  • Prohibit subcontracting without your institution's knowledge and consent, and require full disclosure of any subcontracting chain a freelancer or agency intends to use.

 

FAQs

What happens if a freelancer refuses to sign a BAA?

You cannot legally share PHI with them, so the engagement should not proceed until a compliant BAA is in place.

 

Are freelance transcriptionists based outside the US subject to HIPAA?

Yes, HIPAA's obligations flow through the business associate agreement regardless of where the contractor is physically located.

 

Can a healthcare organization be held liable even if the freelancer caused the breach?

Yes, covered entities can face liability for a business associate's HIPAA violations, especially if they failed to exercise reasonable diligence in vetting or monitoring the relationship.

 

Should freelancers undergo background checks before handling PHI?

Many healthcare organizations require some form of background screening as part of due diligence, though HIPAA itself does not mandate a specific check.