
The difference between a subcontractor and a business associate

Business associates are directly engaged by covered entities to perform specific functions or services relating to protected health information (PHI). Subcontractors, in turn, are entities engaged by business associates to perform tasks related to PHI. 

Distinguishing between these two categories allows HIPAA to establish a privacy and security responsibility chain.

How HIPAA differentiates between business associates and subcontractors

HIPAA defines a business associate as an entity or individual that performs functions or services involving PHI on behalf of a covered entity, such as billing and coding companies, EHR vendors, medical transcription services, and cloud storage providers. Even a lawyer or accountant could be considered a business associate if contracted by a covered entity and given access to PHI.

Business associates play a direct role in handling PHI and are legally obligated to safeguard it. HIPAA recognizes that these entities may also engage subcontractors to assist them in their functions.

A subcontractor is an entity or person to whom a business associate delegates a function, activity, or service. Subcontractors, therefore, have a more indirect relationship with the covered entity, as their engagement stems from their association with a business associate.

See also: How HIPAA defines subcontractors

Specific requirements for subcontractors and business associates

Specific requirements for business associates

  1. Business associate agreement (BAA): Business associates are required to establish and maintain a BAA with covered entities. The BAA is a legal contract that outlines the terms and conditions for PHI protection. It specifies each party's responsibilities and commitments, including how PHI will be handled and safeguarded.
  2. Satisfactory assurances: Business associates must provide "satisfactory assurances" to covered entities that they will appropriately safeguard PHI.
  3. HIPAA compliance: Business associates must comply with all applicable HIPAA regulations, including the Security Rule, Privacy Rule, and Breach Notification Rule. This includes implementing specific measures such as access controls when handling PHI and using secure communication channels, such as HIPAA compliant email, to communicate with patients.
  4. Documentation: Business associates are required to maintain detailed records of their HIPAA compliance efforts. This includes documenting risk assessments, security measures, policies and procedures, and incident response plans.
  5. Breach notification: If a breach of PHI occurs, business associates must promptly notify the covered entity. The covered entity is responsible for notifying affected individuals and, in certain cases, reporting the breach to regulatory authorities.
  6. Cooperation with investigations: Business associates must cooperate fully with any investigations or audits conducted by the Department of Health and Human Services (HHS) or the Office for Civil Rights (OCR). This includes providing documentation and information to demonstrate HIPAA compliance.

See also: How to know if you're a business associate

Specific requirements for subcontractors

  1. Contractual obligations: Subcontractors are typically engaged by business associates to assist in functions that involve PHI. They are bound by contractual obligations to the business associates, as outlined in the contracts between the two parties. These contracts specify the subcontractor's responsibilities for PHI protection and HIPAA compliance.
  2. Security measures: While subcontractors are not directly regulated by HIPAA, they are indirectly required to implement appropriate security measures to protect PHI. This is primarily enforced through the contractual relationship with the business associate, which should include security requirements.
  3. Business associate assurance: Subcontractors should be aware that their business associate is obligated to ensure their compliance with HIPAA. The business associate, in turn, is contractually obligated to the covered entity. Subcontractors may be subject to the same audit and assurance requirements as their business associates.
  4. Chain of responsibility: Subcontractors play a vital role in the chain of responsibility for PHI protection. They must follow the requirements set forth by their business associates, as non-compliance by subcontractors may have consequences for the business associate and, ultimately, the covered entity.

See also: Does a subcontractor have to sign a BAA?