Who Needs a Business Associate Subcontractor Agreement?
The HIPAA Subcontractor BAA, Explained
The HIPAA regulations require healthcare providers to enter into “business associate agreements” with their business associates. Business associates often require assistance in performing their tasks. For example, an IT services provider that fixes a provider’s network issues may itself store that provider’s data on another company’s cloud hosting platform. When a business associate contracts with another business for that other business to create, maintain, transmit, or receive PHI that the business associate handles on behalf of the provider, that other business is called a “business associate subcontractor.” Just as business associates must enter into business associate agreements with their providers, so must subcontractors of business associates enter into such agreements with the business associate. The requirements of a business associate subcontractor agreement, or subcontractor BAA, are outlined below.
Business Associate Subcontractor Agreement: Subcontractor BAA Basics
A business associate subcontractor agreement (referred to as a subcontractor BAA) is a legally binding contract between (1) a business associate of a covered entity; and (2) a business associate of that business associate. The latter, the subcontractor of the business associate, must promise to safeguard the electronic protected health information (ePHI) it creates, receives, maintains, or transmits on behalf of the business associate.
By law, a business associate must ensure that any subcontractor it engages on its behalf that will have access to protected health information agrees to the same restrictions and conditions that apply to the business associate with respect to such information.
So, the same restrictions and conditions in the provider/business associate agreement that apply to the business associate must be listed in the business associate subcontractor BAA.
In other words, the business associate subcontractor, in the business associate subcontractor agreement, must agree to the following.
PHI Use and Disclosure
Not use or disclose protected health information, other than as permitted or required by the subcontractor BAA, or as required by law. The rule here is that the subcontractor may use or disclose PHI when HIPAA allows it to, or whenever HIPAA or other law requires it to. If HIPAA does not allow a specific use or disclosure of PHI without written patient authorization, the business associate contract cannot “override” HIPAA by requiring or permitting the subcontractor to use or disclose such information without written patient authorization.
Implement HIPAA Security Rule Safeguards
Use appropriate safeguards, and comply with the Security Rule provisions with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for by the BAA. This means the BA subcontractor must comply with the administrative, physical, and technical safeguard standards for protection of ePHI. So, not only is the subcontractor BA limited in which PHI it may use or disclose; the PHI that it does use or disclose must also be safeguarded as required under the Security Rule.
Breach Notification and Security Incidents
Report to the business associate any use or disclosure of protected health information not provided for by the business associate subcontractor agreement of which it becomes aware, including breaches of unsecured protected health information, and any security incident of which it becomes aware.
For example, an employee of the subcontractor transmits secured PHI about a patient to the subcontractor’s family member. The transmission is not a breach, since the employee transmitted secured PHI – not unsecured PHI. However, the transmission IS a security incident. A security incident is defined as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” A successful unauthorized disclosure, which is what the employee has made, is a security incident. Therefore, under the subcontractor BAA, the subcontractor must report the incident to the business associate.
Working with Other Subcontractors
Ensure that any of its subcontractors that create, receive, maintain, or transmit protected health information on its behalf agree to the same restrictions, conditions, and requirements that apply to the subcontractor with respect to such information.
Availability of PHI
Make available protected health information in a designated record set to its business associate as necessary to satisfy a provider’s right of access obligations. It must also make any amendment(s) to protected health information in a designated record set as directed or agreed to by the provider.
Accounting of Disclosures
Maintain and make available the information required to provide an accounting of disclosures of PHI, as necessary to satisfy the covered entity’s or business associate’s accounting obligations.
Determining HIPAA Compliance
Make its internal practices, books, and records available to the Secretary of Health and Human Services for purposes of determining compliance with the HIPAA Rules.
Third-Party Disclosures
Subcontractors of business associates are permitted to use or disclose PHI to third parties, under limited conditions. The business associate subcontractor agreement should therefore contain the following provisions:
- The subcontractor may use or disclose protected health information as required by law. If, for example, a state law requires the subcontractor to disclose PHI for public health purposes, the subcontractor may do so.
- The subcontractor business associate may use protected health information for the proper management and administration of the subcontractor business associate or to carry out the legal responsibilities of the subcontractor business associate.