HIPAA regulations extend the chain of liability to encompass not only covered entities but also business associates and subcontractors.
A subcontractor, according to 45 CFR 160, is a person or entity to whom a business associate delegates a specific function, activity, or service. This delegation occurs outside the context of being a part of the business associate's workforce.
In essence, subcontractors are individuals or organizations that perform functions for or provide services to a business associate, and these functions often involve handling protected health information.
Business associates may engage subcontractors to carry out tasks related to processing, maintaining, or transmitting protected health information, and they are subject to compliance with the applicable Privacy and Security Rule provisions under HIPAA.
See also: How to know if you're a business associate
Yes, there is a specific contract or agreement for subcontractors in the context of HIPAA compliance. A business associate agreement (BAA) is required to formalize subcontractors' obligations and responsibilities regarding the handling of PHI.
This BAA outlines the safeguards, protections, and privacy requirements that subcontractors must adhere to, ensuring the secure and compliant handling of PHI.
The BAA is a legally binding contract that establishes the relationship between the subcontractor and the primary business associate or covered entity and is necessary to facilitate compliance with HIPAA regulations.
See also: What does a HIPAA compliant BAA look like?
HIPAA's jurisdiction was extended to subcontractors to ensure the comprehensive protection of individuals' PHI and to address potential vulnerabilities in the handling of PHI by third parties. This extension aimed to avoid lapses in privacy and security protections for PHI when functions were outsourced to subcontractors, thus ensuring the consistent application of safeguards.
By including subcontractors within its scope, HIPAA held them accountable for compliance with its requirements, preventing primary business associates from evading liability for PHI protection. This extension was in line with the HITECH Act's mandate for direct liability for entities handling PHI for covered entities' healthcare functions.