What Is a HIPAA Subcontractor Agreement?
A HIPAA subcontractor agreement is a legally mandated contract that extends HIPAA compliance obligations from a business associate to any downstream entity that creates, receives, maintains, or transmits protected health information (PHI) on the business associate's behalf. Before the 2013 HIPAA Omnibus Rule, subcontractors existed in a regulatory gray area where only covered entities and their direct business associates bore explicit HIPAA liability. The Omnibus Rule eliminated that gap by making subcontractors directly subject to the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule — and requiring that every business associate-subcontractor relationship be formalized through a written Business Associate Agreement (BAA).
The practical scope of this requirement is enormous. Any entity that touches PHI as part of a service provided to a business associate qualifies as a subcontractor requiring a BAA: cloud hosting providers storing ePHI, IT managed service providers with access to healthcare systems, medical billing companies using outsourced data entry, transcription services processing clinical notes, document shredding companies destroying paper PHI, collection agencies pursuing patient balances, and software vendors whose platforms process or store health data. Even if the subcontractor never views the actual content of the PHI — as with an encrypted cloud storage provider — a BAA is still required because the subcontractor maintains the data.
The HITECH Act of 2009 significantly strengthened the enforcement landscape for subcontractor compliance. It authorized state attorneys general to bring civil actions for HIPAA violations on behalf of their residents, created mandatory penalty tiers based on the level of culpability (unknowing, reasonable cause, willful neglect corrected, and willful neglect not corrected), and required HHS to investigate all complaints where a preliminary review indicates a violation due to willful neglect. The combination of direct subcontractor liability under the Omnibus Rule and enhanced enforcement under HITECH means that HIPAA subcontractor agreements are no longer a contractual formality — they are a front-line compliance tool with real enforcement consequences.
PHI Protection
Defines permitted uses and disclosures of protected health information with minimum necessary restrictions.
Breach Response
Establishes notification timelines and investigation procedures for security incidents.
Security Safeguards
Requires administrative, physical, and technical safeguards under the HIPAA Security Rule.
HIPAA Subcontractor Agreement Form Preview
HIPAA Business Associate Subcontractor Agreement
Subcontractor Business Associate Agreement
1. PARTIES
This Business Associate Subcontractor Agreement ("Agreement") is entered into between ("Business Associate") and ("Subcontractor").
2. PERMITTED USES AND DISCLOSURES OF PHI
Subcontractor shall use and disclose Protected Health Information only as permitted by this Agreement and as required to perform the services described in ("Underlying Services Agreement"), subject to the minimum necessary standard.
3. BREACH NOTIFICATION
Subcontractor shall report any Breach of Unsecured PHI to Business Associate within hours of discovery.
BUSINESS ASSOCIATE
SUBCONTRACTOR
Key Components
A HIPAA-compliant subcontractor agreement must contain specific provisions mandated by 45 CFR 164.504(e) and the Omnibus Rule:
| Component | Purpose | Key Details |
|---|---|---|
| Permitted Uses & Disclosures | Limits PHI access to contract scope | Specific services requiring PHI, minimum necessary standard, prohibition on unauthorized uses |
| Security Safeguards | Protects ePHI integrity and availability | Administrative, physical, and technical safeguards; encryption requirements; access controls; audit logs |
| Breach Notification | Ensures timely incident response | Discovery definition, notification timeline (24-72 hours contractual), content requirements, cooperation obligations |
| Sub-Subcontractor Flow-Down | Extends compliance downstream | Requirement for BAAs with any further downstream subcontractors; prior written consent; oversight obligations |
| Individual Rights | Supports patient access and amendment | Cooperation with access requests, amendment requests, accounting of disclosures, restriction requests |
| Termination & PHI Return | Protects PHI after contract ends | Return or destruction timeline, certification of destruction, infeasibility exception, surviving obligations |
| Audit & Monitoring Rights | Enables compliance verification | Right to audit, access to books and records, HHS Secretary access, compliance reporting requirements |
| Indemnification | Allocates financial risk | Subcontractor indemnifies for breaches, regulatory fines, notification costs, credit monitoring expenses, litigation defense |
How to Create a HIPAA Subcontractor Agreement
Map the PHI Data Flow
Before drafting the agreement, document exactly what categories of PHI the subcontractor will access (demographic data, clinical records, claims data, insurance information), the format (paper, electronic, verbal), the volume, the systems involved, and the purpose for each use. This data flow mapping directly informs the permitted uses and disclosures section and ensures the minimum necessary standard is properly implemented in the agreement.
Define Permitted Uses and Disclosures
Draft precise language limiting the subcontractor's use of PHI to only what is necessary to perform the contracted services. Specify prohibited uses (marketing, research, sale of PHI) and require the subcontractor to obtain written approval before any use not explicitly authorized. Include the minimum necessary standard requirement and specify how it will be operationally implemented — for example, role-based access controls that limit data visibility to specific workforce members.
Specify Security Safeguards
Require the subcontractor to implement administrative safeguards (security officer designation, risk assessments, workforce training, sanction policies), physical safeguards (facility access controls, workstation security, device and media controls), and technical safeguards (access controls, audit controls, integrity controls, transmission security). Specify encryption standards (AES-256 at rest, TLS 1.2+ in transit), require annual risk assessments per NIST SP 800-66, and mandate documentation of all safeguard implementations.
Establish Breach Notification Procedures
Set a contractual breach notification deadline shorter than the regulatory 60-day maximum — industry practice is 24 to 72 hours from discovery. Define what constitutes 'discovery' of a breach, specify the notification method and contact persons, require the subcontractor to preserve forensic evidence, and outline cooperation obligations for the investigation. Include a breach response plan template as an exhibit to the agreement.
Address Sub-Subcontractor Requirements
If the subcontractor may engage its own downstream subcontractors, require prior written consent from the business associate, mandate that the subcontractor execute compliant BAAs with all sub-subcontractors, and establish the subcontractor's responsibility for sub-subcontractor compliance. Some business associates prohibit sub-subcontracting entirely for highly sensitive PHI categories.
Draft Termination and PHI Disposition Terms
Specify the process for returning or destroying all PHI upon agreement termination, including the timeline (typically 30-90 days), method of destruction (NIST SP 800-88 for electronic media, cross-cut shredding for paper), certification of destruction requirements, and the 'infeasibility exception' with surviving obligations for any PHI that cannot be returned or destroyed. Address what happens to PHI embedded in backup systems and disaster recovery environments.
Include State-Specific Requirements
Review applicable state health data privacy laws that may impose requirements beyond HIPAA. California's Confidentiality of Medical Information Act (CMIA), Texas's HB 300, New York's SHIELD Act, and Massachusetts's data security regulation (201 CMR 17.00) all impose additional obligations on entities handling health information. The agreement should require compliance with both HIPAA and all applicable state laws, with the more stringent requirement controlling where they conflict.
Breach Notification Requirements
The HIPAA Breach Notification Rule creates a cascading notification chain that runs from subcontractor to business associate to covered entity to affected individuals and HHS. Under 45 CFR 164.410, a subcontractor must report any breach of unsecured PHI to the business associate without unreasonable delay and no later than 60 days after discovery. "Discovery" occurs when the subcontractor first knows or, by exercising reasonable diligence, would have known of the breach — which means the clock starts running even if the subcontractor has not completed its investigation.
In practice, most HIPAA subcontractor agreements impose contractual notification deadlines far shorter than the regulatory 60-day maximum. A 24-hour notification requirement is common for incidents involving large volumes of PHI or particularly sensitive data (mental health records, substance abuse treatment, HIV status), while 48-72 hours is typical for other incidents. The agreement should require the subcontractor to provide detailed breach reports including the nature and extent of the PHI involved, the individuals affected, the circumstances of the breach, steps taken to mitigate harm, and corrective actions implemented to prevent recurrence. The business associate should retain the right to participate in the investigation and direct the subcontractor's remediation efforts.
HITECH Act Enforcement
The HITECH Act established four penalty tiers for HIPAA violations: Tier 1 (unknowing) — $137 to $68,928 per violation; Tier 2 (reasonable cause) — $1,379 to $68,928; Tier 3 (willful neglect, corrected) — $13,785 to $68,928; Tier 4 (willful neglect, not corrected) — $68,928 minimum per violation, up to $2,067,813 annually per provision. Criminal penalties under 42 USC 1320d-6 can reach $250,000 and 10 years imprisonment. State attorneys general may also pursue independent enforcement actions on behalf of their residents.
Official Resources
Authoritative HHS and regulatory resources on HIPAA subcontractor compliance and Business Associate requirements.
HHS - Business Associate Guidance
Official HHS guidance on business associate relationships, subcontractor requirements, and BAA provisions.
HHS - Breach Notification Rule
Complete regulatory guidance on breach notification requirements, timelines, and reporting obligations.
HHS - HIPAA Security Rule
Administrative, physical, and technical safeguard requirements for entities handling electronic PHI.
NIST SP 800-66 Rev. 2
NIST resource guide for implementing the HIPAA Security Rule, including risk assessment methodology.
HHS Breach Portal
Public database of breaches affecting 500+ individuals, useful for understanding enforcement patterns and common subcontractor failures.
ONC - Health IT Privacy & Security Resources
Office of the National Coordinator resources on health IT security, interoperability, and privacy best practices.
Create Your HIPAA Subcontractor Agreement
Protect PHI across your subcontractor chain with a compliant Business Associate Agreement that meets HIPAA, HITECH, and state health data privacy requirements.