Who Needs a Business Associate Subcontractor Agreement?

The HIPAA Subcontractor BAA, Explained

The HIPAA regulations require healthcare providers to enter into “business associate agreements” with their business associates. Business associates often require assistance in performing their tasks. For example, an IT services provider that fixes a provider’s network issues may itself store that provider’s data on another company’s cloud hosting platform. When a business associate contracts with another business for that other business to create, maintain, transmit, or receive PHI that the business associate shares with the provider, that other business is called a “business associate subcontractor.” Just as business associates must enter into business associate agreements with their providers, so must subcontractors of business associates. The requirements of a business associate subcontractor agreement, or subcontractor BAA, are outlined below.

Business Associate Subcontractor Agreement: Subcontractor BAA Basics


A business associate subcontractor agreement (referred to as a subcontractor BAA) is a legally binding contract between (1) a business associate of a covered entity; and (2) a business associate of that business associate. The latter, the subcontractor of the business associate, must promise to safeguard the electronic protected health information (ePHI) it creates, receives, maintains, or transmits on behalf of the business associate.

By law, a business associate must ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information.

So the same restrictions and conditions that apply to the business associate in the provider/business associate agreement must be listed in the business associate subcontractor BAA.

In other words, the business associate subcontractor, in the business associate subcontractor agreement, must agree to the following.
