Question 1

What is a HIPAA subcontractor agreement?

Accepted Answer

A HIPAA subcontractor agreement — technically a 'Business Associate subcontractor agreement' or downstream BAA — is a contract required by 45 CFR § 164.314(a)(2)(i)(B) between a HIPAA Business Associate (BA) and any downstream subcontractor (a sub-BA) that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of the BA. It is the third level in the HIPAA contract chain: Covered Entity → Business Associate → Subcontractor. The HITECH Act of 2009 and the HIPAA Omnibus Rule of 2013 extended BA requirements down the chain, meaning the sub-BA is directly liable for HIPAA compliance and can be enforced against by the Office for Civil Rights (OCR). The agreement must contain the same substantive provisions that appear in the upstream BAA — safeguards, breach notification, restrictions on use and disclosure, and subcontractor flowdown.

Question 2

Who needs a HIPAA subcontractor agreement?

Accepted Answer

Any Business Associate that subcontracts a function involving PHI to another entity needs a subcontractor BAA with that entity. Common scenarios: a medical billing company (BA) hires a coding contractor (sub-BA); a cloud EHR vendor (BA) uses AWS/Azure as an infrastructure provider (sub-BA, unless AWS HIPAA eligible services under their BAA); a transcription service (BA) sends dictations to overseas transcribers (sub-BA); an IT MSP (BA) hires a break-fix technician who remotes into a covered entity's servers (sub-BA); a shredding company (BA) contracts out destruction to another firm (sub-BA). The key trigger is whether the subcontractor will create, receive, maintain, or transmit PHI on behalf of the BA. Conduit-only services (ISPs, USPS) are exempt under the HHS conduit exception, but the exception is narrow and does not apply to most cloud/SaaS vendors.

Question 3

What must the subcontractor BAA include?

Accepted Answer

Per 45 CFR § 164.504(e) and § 164.314(a)(2), the subcontractor BAA must include: (1) permitted and required uses and disclosures of PHI; (2) prohibition on further use or disclosure except as permitted by the agreement or required by law; (3) implementation of administrative, physical, and technical safeguards under the Security Rule (45 CFR §§ 164.308-164.312); (4) reporting of any use or disclosure not permitted by the agreement and any security incident or breach of unsecured PHI; (5) obligation to flow down equivalent BAA terms to any further subcontractor the sub-BA engages; (6) access, amendment, and accounting-of-disclosures rights for individuals; (7) return or destruction of PHI at contract termination, or if infeasible, continued protection of the PHI; (8) make internal practices available to the Secretary of HHS upon request; and (9) a termination clause for material breach of the agreement.

Question 4

How does breach notification work in the subcontractor chain?

Accepted Answer

Under the HIPAA Breach Notification Rule (45 CFR §§ 164.400-164.414), the subcontractor (sub-BA) must notify its upstream Business Associate of any breach of unsecured PHI. The BAA should specify a short reporting timeline — typically 5-10 business days is standard, compared to the 60-day outer limit in the rule — to give the upstream BA time to meet its own 60-day obligation to notify the Covered Entity, which in turn has a 60-day obligation to notify affected individuals. The subcontractor BAA should require the sub-BA to provide all breach details needed for notification: identification of affected individuals, PHI categories involved, date of breach, date of discovery, remediation steps, and a statement of whether the presumption of breach has been rebutted by a low-probability-of-compromise analysis. Willful neglect of breach notification carries penalties up to $1.5M per identical violation per year under HITECH.

Question 5

What penalties apply for HIPAA violations by subcontractors?

Accepted Answer

Since the Omnibus Rule (effective September 2013), Business Associates and their subcontractors are directly liable to OCR for civil monetary penalties under HITECH. Penalties are tiered: Tier 1 (did not know and would not have known with reasonable diligence): $137 minimum - $68,928 maximum per violation, $2,067,813 annual cap per identical provision. Tier 2 (reasonable cause, not willful neglect): $1,379 - $68,928 per violation, $2,067,813 cap. Tier 3 (willful neglect, timely correction): $13,785 - $68,928 per violation, $2,067,813 cap. Tier 4 (willful neglect, no timely correction): $68,928 - $2,067,813 per violation, $2,067,813 annual cap. Amounts are adjusted annually for inflation (values current as of 2024). Criminal penalties under 42 USC § 1320d-6 range from 1 year (knowingly) to 10 years (for sale of PHI) in federal prison. OCR has imposed multi-million-dollar settlements on small sub-BAs.

Question 6

What security safeguards must a subcontractor implement?

Accepted Answer

The HIPAA Security Rule at 45 CFR §§ 164.308-164.312 applies directly to subcontractors and requires administrative safeguards (security management process, workforce training, incident response procedures, contingency planning), physical safeguards (facility access controls, device and media controls), and technical safeguards (access control, audit controls, integrity controls, transmission security). Required implementation specifications include a written risk analysis per § 164.308(a)(1)(ii)(A), designated Security Officer, workforce clearance and termination procedures, information access management policies, security awareness training, and encryption of PHI in transit (TLS 1.2+) and at rest (AES-256) where reasonable and appropriate. The BAA should require the sub-BA to complete an annual risk analysis and provide documentation upon request; failure to conduct a current risk analysis is the most common root cause of OCR enforcement actions.

Question 7

Does the sub-BA need to flow down the BAA to its own subcontractors?

Accepted Answer

Yes. 45 CFR § 164.504(e)(1)(ii) and § 164.308(b)(2) require a Business Associate (including a sub-BA) to obtain satisfactory assurances through a BAA with any agent or subcontractor to which the BA delegates a function involving PHI. This creates an unlimited chain: Covered Entity → BA → Sub-BA → Sub-sub-BA → etc., with each tier required to have a BAA with the next tier down. The sub-BA cannot rely on the upstream BA's BAA to cover downstream subs. The subcontractor BAA should expressly require the sub-BA to enter into written BAAs with any of its own subs handling PHI, containing substantively equivalent terms, and to keep records of such downstream BAAs available for inspection by the upstream BA on request. A cloud vendor that uses AWS/Azure for infrastructure must have a downstream BAA with AWS/Azure if the cloud vendor is a sub-BA.

Question 8

What is the HITECH Act and how did it change sub-BA liability?

Accepted Answer

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009 as part of the American Recovery and Reinvestment Act, significantly expanded HIPAA's reach. Before HITECH, Business Associates had only contractual obligations to Covered Entities and no direct OCR liability. HITECH made BAs (and later, through Omnibus, sub-BAs) directly liable for HIPAA violations — they can be audited, investigated, and penalized by OCR regardless of whether the Covered Entity has a claim. HITECH also created breach notification requirements, strengthened individual rights (expanded access, accounting of disclosures, restriction requests), increased penalty amounts, and required annual OCR compliance audits. The HIPAA Omnibus Rule of 2013 implemented these changes and extended BA status down the subcontractor chain. Practically, this means a small sub-BA can face the same OCR scrutiny as a major health system.

Question 9

What is PHI and what is not?

Accepted Answer

Protected Health Information (PHI) under 45 CFR § 160.103 is individually identifiable health information transmitted or maintained in any form by a Covered Entity or Business Associate. It includes any of 18 specific identifiers linked to health information: names, addresses, dates (birth, admission, discharge, death), phone numbers, email addresses, SSN, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number or code. De-identified information (with all 18 identifiers removed under the Safe Harbor method, or expert-determined de-identification) is not PHI and is not subject to HIPAA. Employment records held by a Covered Entity in its role as employer (not as provider) are not PHI. The BAA should precisely describe which PHI categories the sub-BA will handle and the permitted purposes.

Question 10

How should cloud hosting and SaaS vendors handle HIPAA subcontractor BAAs?

Accepted Answer

Cloud and SaaS vendors are the most common sub-BAs today. AWS, Azure, Google Cloud, and most major SaaS platforms offer a HIPAA-eligible BAA covering specific services. The subcontractor BAA between the BA and the sub-BA cloud vendor must: identify which specific services are HIPAA-eligible (not all AWS/Azure services are BAA-covered); require encryption of PHI in transit (TLS 1.2+) and at rest (AES-256); specify data residency (US-only for HIPAA is prudent, though not explicitly required); require shared responsibility model documentation (the vendor handles physical security and some controls; the BA handles application-layer controls); and require breach notification within 5-10 business days. The BA must configure the cloud services correctly — an AWS S3 bucket left public is the BA's error, not AWS's. OCR has penalized many BAs for misconfigured cloud storage despite having BAAs in place.

Question 11

What documentation should the sub-BA maintain?

Accepted Answer

Per 45 CFR § 164.316, the sub-BA must maintain written documentation of policies and procedures, actions and activities required to be documented, and assessments required by the Security Rule — retained for six years from the date created or last in effect, whichever is later. Required documentation includes: the HIPAA Security Risk Analysis (45 CFR § 164.308(a)(1)(ii)(A)) updated annually; the written Security Policies and Procedures; the Designated Security Officer appointment; Workforce Clearance and Sanction Policies; the Incident Response Plan and any incident documentation; workforce training records; encryption implementation records; access control records (user provisioning, periodic reviews, terminations); audit log retention per § 164.312(b); and BAAs with downstream subcontractors. OCR requests production of these documents during audits and investigations; failure to produce them is itself a violation and will drive penalties into higher tiers.

Question 12

What happens when the BAA terminates?

Accepted Answer

45 CFR § 164.504(e)(2)(ii)(J) requires the BAA to address return or destruction of PHI at termination. The subcontractor BAA should require the sub-BA to return all PHI to the upstream BA or destroy it at contract termination, including all PHI in the possession of agents and subcontractors of the sub-BA. Where return or destruction is not feasible (for example, where the sub-BA must retain PHI for legal or regulatory compliance), the sub-BA must continue to protect the PHI under the terms of the BAA and limit further uses and disclosures to the purposes that make return/destruction infeasible. The sub-BA must certify in writing to the upstream BA that the PHI has been returned or destroyed, including any copies on backup media. Failure to return or destroy PHI at termination is a frequent audit finding and carries tier-3 or tier-4 penalties. Plan for data return during onboarding, not at termination.

HIPAA Subcontractor Agreement

What Is a HIPAA Subcontractor Agreement?

When to Use a HIPAA Subcontractor Agreement

Key Provisions

Permitted uses

Security Rule safeguards

Breach notification

Subcontractor flow-down

Individual rights

Books and records

Return or destruction

Termination for breach

Legal Considerations

HIPAA-Specific Issues

How to Fill Out the Agreement

Identify the parties

Describe the PHI and purpose

Specify Security Rule safeguards

Set breach notification timing

Require subcontractor flow-down

Address individual rights

Set return/destruction

Sign and retain for 6 years

Frequently Asked Questions

Create your HIPAA sub-BAA in under 10 minutes.