Subcontractor Liability under the HIPAA Final Rules | Practical Law

An excerpt of Practical Law's Practice Note addressing privacy requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This excerpt focuses on liability for subcontractors, as business associates, under final regulations implementing changes to the HIPAA Privacy Rule.

Subcontractor Liability under the HIPAA Final Rules

Practical Law Legal Update 4-537-3714 (Approx. 3 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 13 Aug 2013, USA (National/Federal)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required adoption of federal privacy protections for individually identifiable health information. To implement HIPAA, HHS issued rules regarding the protection of individual health information (Privacy Rule). In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) amended and expanded certain HIPAA privacy protections, including making certain HIPAA privacy requirements applicable to business associates (BAs).
In January 2013, HHS issued comprehensive regulations that finalize changes to the HIPAA rules involving privacy, genetic information, breach notification and enforcement (the Final Regulations). Covered entities (CEs), which include group health plans, and BAs must comply with the Final Regulations by September 23, 2013. This resource, which excerpts Practical Law's Practice Note, HIPAA Privacy Rule, addresses liability for subcontractors, as HIPAA BAs, under the Final Regulations.

Subcontractor Liability

Individuals, organizations and agencies that meet HIPAA's definition of a CE must comply with the Privacy Rule's requirements for protecting the privacy of health information. These entities must provide individuals with certain rights concerning their health information. Some privacy provisions also apply to BAs of CEs (see Practice Note, HIPAA Privacy Rule). If an individual or entity is not a CE or a BA, it need not comply with the Privacy Rule.
However, under the Final Regulations, a subcontractor that creates, receives, maintains or transmits protected health information (PHI) on a BA's behalf is a BA in its own right. A subcontractor is a person to whom a BA delegates a function, activity or service, other than in the person's capacity as a member of the BA's workforce. Subcontractor status extends to agents or other individuals acting on a BA's behalf, even if the BA has not entered into a BA agreement with the individual.
For example, assume that a BA (such as a third-party administrator) hires a company to handle document and media shredding in order to securely dispose of paper and electronic PHI. The shredding company is directly required to comply with:
  • The Privacy Rule (for example, limiting its uses and disclosures of PHI in accordance with its contract with the BA), as applicable.
  • The HIPAA Security Rule (for example, regarding proper disposal of electronic media), as applicable (see Practice Note, HIPAA Privacy Rule).
CEs need not enter into a contract or other arrangement directly with a BA's subcontractor. Instead, each BA must obtain satisfactory assurances, through a contract or other arrangement, that its subcontractor will appropriately protect PHI. The result is a chain of assurances: CEs must obtain them from their BAs, BAs must obtain them from their subcontractors, and so on, no matter how far "down the chain" the information flows.

Example of Subcontractor Liability

Assume that a CE contracts with a BA, and:
  • The BA delegates to a subcontractor (Subcontractor 1) several services requiring access to PHI that it agreed to perform for the CE.
  • Subcontractor 1 delegates to another subcontractor (Subcontractor 2) several services requiring access to PHI that it agreed to perform for the BA, and so on.
Both the BA and all of the subcontractors in this example are BAs to the extent they create, receive, maintain or transmit PHI.