Does a subcontractor have to sign a BAA?

Subcontractors that handle PHI on behalf of a healthcare provider or business associate must sign a business associate agreement (BAA) to ensure compliance with HIPAA regulations. 

Subcontractors and business associate agreements

HIPAA mandates that healthcare providers and their business associates must have written agreements, known as business associate agreements, with any third-party subcontractors that may handle PHI. These subcontractors, referred to as business associate subcontractors, are legally required to safeguard electronic PHI (ePHI) to the same standards and conditions outlined in the original BAA between the covered entity and the business associate. 

Who does the subcontractor need to sign the BAA with?

Subcontractors must sign the BAA with the business associate who contracts them for healthcare-related services. This agreement is a legal requirement under HIPAA. The BAA outlines the responsibilities and obligations regarding the protection of PHI. By signing the BAA, subcontractors commit to safeguarding patient data and adhering to HIPAA regulations in their dealings with PHI.

See also: How HIPAA defines subcontractors

Consequences of a subcontractor not signing a BAA

1. Legal penalties: Non-compliance with HIPAA can result in substantial legal penalties. Subcontractors may be subject to civil monetary penalties, which can range from thousands to millions of dollars, depending on the severity of the violation.
2. Criminal charges: In extreme cases, non-compliance can lead to criminal charges. Subcontractors who knowingly and willfully disregard HIPAA regulations may face criminal charges, including fines and imprisonment.
3. Data breaches: Without a BAA in place, there is often a lack of clear policies and safeguards for PHI. This increases the risk of data breaches and unauthorized disclosures, potentially leading to financial and reputational damage.
4. Termination of contract: The business associate may be forced to terminate its contract with the non-compliant subcontractor to avoid legal liabilities and regulatory actions, disrupting their business relationship.
5. Regulatory scrutiny: Non-compliance can trigger investigations and audits by the HHS Office for Civil Rights (OCR), leading to fines and corrective action plans.

The civil monetary penalties for HIPAA violations and breaches

Official Penalty Amounts for 2023 are as follows: 

Tier 1: Lack of knowledge

• Minimum Penalty per Violation: $137
• Maximum Penalty per Violation: $34,464
• Annual Penalty Cap: $34,464

Tier 2: Reasonable cause

• Minimum Penalty per Violation: $1,379
• Maximum Penalty per Violation: $68,928
• Annual Penalty Cap: $137,886

Tier 3: Willful neglect (corrected within 30 days)

• Minimum Penalty per Violation: $13,785
• Maximum Penalty per Violation: $68,928
• Annual Penalty Cap: $344,369

Tier 4: Willful neglect (not corrected within 30 days)

• Minimum Penalty per Violation: $68,928
• Maximum Penalty per Violation: $68,928
• Annual Penalty Cap: $2,067,813

See also: 2023 HIPAA civil monetary penalty adjustments

Exceptions

An exception includes entities often referred to as conduits for PHI. For example, entities like internet service providers, the US Postal Service, and other courier services are generally not considered business associates or business associate subcontractors under HIPAA, and therefore, they may not require a separate BAA.

Additionally, contractors working exclusively for a healthcare provider and do not have access to PHI for their own purposes may also be considered exceptions. In such cases, these contractors are not classified as business associates, and a separate BAA may not be necessary.