Is a subcontractor of a business associate also a business associate?

Key Points

  • A HIPAA Business Associate Agreement (BAA) is a contract between HIPAA-covered entities and their business associates or subcontractors that outlines the type of PHI being released to the business associate and the permitted uses and disclosures of PHI by the business associate.
  • A third-party service provider is considered a HIPAA business associate only when it gets access to PHI for a service it is providing to the covered entity. Some potential business associates are cloud storage providers, email encryption services, web hosting services, billing services, IT contractors, lawyers, and accountants.
  • Business associate subcontractors are individuals or entities that provide services or perform functions or activities on behalf of business associates. They should also have a business associate subcontractor agreement with business associates to clarify the allowable uses of the PHI they have access to. Failure to have business associate agreements is a HIPAA violation and attracts financial penalties. 

Introduction

Healthcare businesses are increasingly seeking the services of third-party vendors to help them manage the massive volumes of Protected Health Information (PHI) generated during healthcare activities. With cyberattacks and data breaches taking on alarming proportions recently, there are growing concerns around the security and privacy of sensitive patient data. 

To tackle this menace, robust BAAs should be put in place to ensure security, privacy, and compliance. HIPAA mandates that covered entities enter BAAs with any third-party service provider that has access to PHI. 

In this article, we will describe the role of business associates and business associate agreements in the healthcare security ecosystem and explain why they’re essential for healthcare organizations.

What is a HIPAA Business Associate Agreement?

A HIPAA business associate agreement (BAA), also called a business associate contract, is a legal and written agreement between a covered entity (e.g. healthcare provider) and its business associate (e.g. medical billing vendor) that will get access to PHI as part of a service it is providing the covered entity. 

Since HIPAA BAAs are legally enforceable documents, it is best to seek the assistance of a lawyer, security officer, or HIPAA compliance solution to manage these contracts. Should you choose to use a HIPAA BAA template, ensure that it is the right one for your organization and that you can customize it according to your needs.

Having a comprehensive and up-to-date BAA has benefits for both covered entities and business associates – they will be on the same page as to how they’re required to maintain, transmit, and process PHI. 

The basic provisions of a BAA are:

  • Ascertain what type of PHI the business associate will get access to
  • Require the business associate to put safeguards in place to secure PHI
  • Stipulate that the business associate will not disclose PHI except in cases allowed by the agreement
  • Require the business associate to conduct employee HIPAA training
  • Outline the steps to be taken in case of a data breach
  • Require the business associate to ensure that any subcontractors with access to the PHI agree to the same limitations that apply to the business associate
  • Authorize the termination of the contract if the business associate fails to meet any terms
  • Outline the steps to be taken to destroy or dispose of the PHI after the termination of the contract

Business associate subcontractor agreements have provisions similar to those of BAAs.

Penalty for BAA failures

Regulators levy fines on covered entities for not having BAAs with their business associates or for incomplete BAAs even though the HITECH Act says that business associates must comply with the HIPAA Security Rule irrespective of having a BAA in place.

For example, in 2020, CHSPSC LLC, a business associate of Community Health Systems Inc., Tennessee, was fined $2.3 million after an OCR investigation found that a 2014 data breach had affected more than 6 million patients and there had been a “longstanding, systemic noncompliance” with HIPAA. This case is an apt example of the consequences of failing to have BAAs.

Covered entities also make the mistake of assuming that once a BAA is signed, their business associates are HIPAA-compliant. Best practices dictate that covered entities should do their due diligence to ensure that business associates have the necessary systems in place to safeguard PHI. They should also audit their business associates yearly and request risk assessments and evidence of policies and procedures revolving around breach of unprotected PHI. 

Business Associate HIPAA Agreement Examples

Health and Human Services (HHS) provides several HIPAA business associate examples and notes that an individual belonging to a covered entity’s workforce is not a business associate. 

Business associate activities and functions could be data analysis, billing, utilization review, practice management, claims processing, quality assurance, and processing or administration. Business associate services, by contrast, include legal, consulting, accounting, administrative, actuarial, financial, data aggregation, and accreditation.

Examples:

  • A consultant who conducts utilization reviews for a healthcare provider
  • A CPA firm that provides accounting services to a healthcare provider that requires access to PHI
  • An attorney who offers legal services to a health plan that requires access to PHI
  • A third-party administrator that performs claims processing functions for a health plan 
  • A freelance medical transcriptionist that offers transcription services to doctors

Who are HIPAA Business Associate Agreement Covered Entities?

To understand which contractor should sign a BAA, you should know who is considered a business associate under HIPAA.

HHS describes a business associate as an entity or individual that carries out certain activities or functions requiring the use of PHI for a covered entity, or that provides services to the covered entity.

Third-party service providers become business associates only when PHI is shared with the third party for a service it is providing to the covered entity. For example, if a healthcare provider obtains accounting services from an accounting firm but does not provide access to PHI, the accounting firm is not a business associate. It does not need to sign a BAA with the healthcare provider.

Third-party service providers that do not qualify as business associates need only sign a service level agreement (SLA), but business associates must sign both a BAA and an SLA.

Thus, your potential business associates could be:

  • Web hosting services 
  • Cloud storage providers
  • Accounting or consulting firms
  • IT vendors
  • Lawyers
  • Managed service providers (MSP)
  • E-prescribing software vendors
  • File sharing vendors
  • Medical equipment service companies (that hold PHI)
  • Billing software vendors
  • Email encryption services
  • Translator services
  • Medical answering services

HHS mandates that covered entities can release PHI to third-party service providers only for healthcare activities or functions and not for any other purposes. For instance, a business associate cannot use the PHI shared by the covered entity for a marketing campaign. 

Who are Business Associate Subcontractors?

A business associate subcontractor is an individual or entity to which a business associate assigns a service, activity, or function, i.e., it is a business associate of a business associate.

Business associates must enter agreements with their subcontractors (separate from the BAA with the covered entity) before permitting access to PHI. They’re called business associate subcontractor agreements (BAS agreements).

Who Needs a HIPAA Compliance Business Associate Agreement?

Since the HIPAA Omnibus Rule was established in 2013, covered entities must get “satisfactory assurances” from their business associates that they will properly guard the PHI they are given access to or the PHI they create for the covered entity. These assurances should be in writing, either in the form of a contract or any other type of agreement between a covered entity and a business associate. 

Except for the following entities that are considered conduits through which PHI passes, all other business associates or subcontractors must sign a BAA, such as:

  • US postal service
  • Courier services
  • Medical billing services
  • IT services
  • EHR providers
  • Internet service providers

Conclusion

If you meet the definition of a HIPAA covered entity, you should sign BAAs with your business associates to remain compliant with HIPAA. Such contracts or agreements outline the allowable uses or disclosures of PHI and its limits, thus protecting against unauthorized access to private patient data.

HIPAA compliance is a long, daunting, and often frustrating process because covered entities aren’t always sure to whom a BAA applies. Let Sprinto help you become audit-ready in days, and not months, with a simple four-step process. Request a demo today!

FAQ: Business Associate Agreement

  • What purpose does the business associate agreement serve?

A business associate agreement ensures that business associates of HIPAA-covered entities will use or release protected health information only as permitted by the HIPAA Rules. It prevents the unauthorized use of protected health information for purposes other than standard healthcare functions, activities, or services.

  • What is a HIPAA business associate agreement?

A HIPAA business associate agreement is a contract between covered entities and their business associates that details and limits how the business associate may use or disclose protected health information and how it should set up safeguards to prevent unauthorized access or use.

  • When is a business associate agreement required under HIPAA?

A business associate agreement is required under HIPAA when a covered entity outsources to a third party certain healthcare functions, activities, or services that involve the use and disclosure of protected health information.

  • Why is a BAA required for HIPAA?

The HIPAA Privacy Rule requires covered entities and their business associates or subcontractors to enter business associate agreements to prevent unauthorized access or disclosure of PHI by the business associates or subcontractors. 

  • Who needs a business associate agreement?

HIPAA-covered entities and their business associates or subcontractors need to enter a business associate agreement before the covered entity releases PHI to the business associate. Under HIPAA, a third-party service provider is considered a business associate only if it has access to PHI.

What entities are considered a business associate?

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity's workforce is not a business associate.

Which of the following would not be classified as a business associate?

Persons and entities that are part of a covered entity's workforce are not considered business associates. This may include temporary workers, volunteers, interns, and others who work with or for a covered entity, regardless of who pays them (or even if they are paid).

What is a business associate contract?

At its simplest, a Business Associate Agreement (BAA) is a legal contract between a healthcare provider and an individual or organization that will receive access to, transmit, or store Protected Health Information (PHI) as part of its services for the provider.
