How to handle subcontractors under HIPAA

Written by Farah Amod | April 13, 2024

Handling subcontractors under HIPAA requires a thorough understanding of the compliance obligations of covered entities and business associates. Subcontractors must meet all HIPAA requirements and establish business associate subcontractor agreements (BASAs) with the entities from which they receive PHI and to which they transmit it.

What is a subcontractor?

According to HHS, “a subcontractor is a person to whom a business associate has delegated a function, activity, or service the business associate has agreed to perform for a covered entity or business associate. A subcontractor is then a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information.”

Read also: What does it mean to be a business associate? 

Types of subcontractors

  • Medical billing companies
  • Medical transcription services
  • Pharmacy benefit managers
  • Medical equipment suppliers
  • Clinical laboratories
  • Radiology services
  • Pharmaceutical contract manufacturers
  • Health Information Management companies
  • Medical waste disposal services
  • Credentialing and verification services
  • Home healthcare services

The need for business associate subcontractor agreements

Many businesses rely on the assistance of subcontractors who are not employees. When subcontractors come into contact with PHI, they must be HIPAA compliant. Therefore, when a business associate shares PHI with a subcontractor, that transfer must be governed by a business associate subcontractor agreement (BASA). BASAs ensure that subcontractors understand their obligations to protect PHI and comply with HIPAA regulations.

Read more: What is a business associate agreement?

Who does the subcontractor need to sign the BAA with?

Subcontractors must sign the BAA with the business associate that contracts them for healthcare-related services. This agreement is a legal requirement under HIPAA. The BAA outlines each party's responsibilities and obligations for protecting PHI. By signing the BAA, subcontractors commit to safeguarding patient data and adhering to HIPAA regulations in their handling of PHI.

Responsibility for HIPAA compliance

Ultimately, the responsibility for ensuring HIPAA compliance lies with the entity that signed the BAA or created the PHI. When a business associate engages a subcontractor, it must establish a BASA, indicating that it trusts the subcontractor to handle PHI securely. However, the covered entity cannot shift or reduce its responsibility for the PHI it created. Under the Common Agency Provision, any breach by a business associate becomes the covered entity's breach.

In some cases, the business associate or covered entity may offer subcontractors HIPAA training and other services, such as security assessments, to increase the likelihood of data protection. However, unless employed by a company, subcontractors are responsible for procuring their own HIPAA training and documenting their policies and procedures.

Related: Understanding the common agency provision in HIPAA

Do subcontractors need HIPAA compliant email?

Yes, subcontractors handling protected health information (PHI) are required to use HIPAA compliant email systems. This ensures that the transmission of sensitive patient data remains secure and meets the standards set out in the Health Insurance Portability and Accountability Act (HIPAA). Failure to use HIPAA compliant email may result in breaches of patient confidentiality and legal repercussions. Therefore, subcontractors must adhere to HIPAA regulations to safeguard the privacy and security of PHI during electronic communication.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What is a business associate agreement (BAA)?

A business associate agreement (BAA) is a contract that outlines the responsibilities and requirements for a business associate in handling protected health information (PHI) on behalf of a covered entity. It ensures that both parties understand and comply with HIPAA regulations.

What is a business associate subcontractor agreement (BASA)?

A business associate subcontractor agreement (BASA) is a contract that outlines the responsibilities and requirements for a subcontractor in handling PHI on behalf of a business associate. It ensures that subcontractors understand their obligations to protect PHI and comply with HIPAA regulations.

Can subcontractors sign BASAs with covered entities directly?

No, subcontractors cannot sign BASAs with covered entities directly. Subcontractors must establish BASAs with the business associates they receive PHI from and transmit PHI to. This ensures that all parties involved understand their responsibilities and comply with HIPAA regulations.

What happens if a subcontractor breaches HIPAA regulations?

If a subcontractor breaches HIPAA regulations, it becomes the responsibility of the covered entity or business associate to address the breach and mitigate any potential harm. Under the Common Agency Provision, a breach by a subcontractor is considered a breach by the covered entity.

Can subcontractors specify how they handle the job they are contracted for?

Unless a subcontractor is employed by a company, they are not entitled to specify exactly how the job is done. However, subcontractors must ensure they meet all HIPAA requirements and develop policies and procedures to demonstrate compliance with HIPAA regulations.

Read also: Top HIPAA compliant email services