July 25, 2014

Subcontractors under the HIPAA Final Rule

Released last week, the Health Insurance Portability and Accountability Act (HIPAA) final omnibus rule (available here) not only finalized proposed changes, but also included changes that the Department of Health and Human Services (HHS) says will expand HIPAA requirements to business associates of healthcare providers and any entity with which they subcontract.

With this final rule, HIPAA now covers the processors of health insurance plans and other service providers that handle protected healthcare information (PHI), including both contractors and subcontractors. PHI is protected health information as such term is defined in 45 C.F.R. 160.202.

The final rule defines “subcontractor” as “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” 45 C.F.R. 160.202. The discussion of the final rule clarifies that a subcontractor is a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of PHI. According to the definition of "business associate" under the final rule, if a business associate subcontracts part of its function requiring access to or use of PHI to another organization, that subcontractor is also subject to HIPAA. 45 C.F.R. 160.202. There must be an agreement between the business associate and its subcontractor that contains the elements required to be included in business associate agreements and describes the subcontractor's permitted uses and disclosures of PHI (which may not include uses and disclosures not permitted to the business associate). An example of this subcontractor relationship would be a third party administrator business associate that contracts with another party to shred and destroy documents containing PHI.

Previously, the focus of HIPAA has been on covered entities themselves. A "covered entity" is defined as a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction subject to HIPAA. 45 C.F.R. 160.202. Under the final rule, covered entities must ensure that business associates, which now include subcontractors, protect "electronic protected health information they create, receive, maintain, or transmit on behalf of the covered entities." 45 C.F.R. 164.308. Thus, every connected contractor and subcontractor must be responsible for each other, and subcontractors are now directly liable to HHS for breaches. It is important to note that a covered entity is not liable for the actions of a subcontractor, as there is no direct relationship between the entities.

Business associates (and therefore subcontractors as well) have until the Sept. 23, 2013 compliance date to comply with these new provisions. Keep checking the Barnes & Thornburg Healthcare blog in the upcoming weeks for more information on what subcontractors, and other business associates, can expect under these new regulations.


About the Author

Nita Garg, Staff Attorney

Nita Garg is an associate in Barnes & Thornburg LLP’s Chicago office and a member of the firm’s Healthcare Department. Ms. Garg assists clients with healthcare issues, including physician employment, physician-hospital contracting, Medicare and Medicaid reimbursement, and various state and federal regulatory matters, including fraud and abuse and HIPAA. 

