HIPAA Contractors & Subcontractors
Definition of HIPAA Contractors and Subcontractors
The 2013 HIPAA Omnibus defines subcontractors as business associates. (And does not differentiate between contractors and subcontractors.) Prior versions of HIPAA were not specific about this, and allowed some gray area about whether HIPAA applied to contractors and subcontractors. The revision creates a clear set of requirements for all those who have access to protected health information (PHI). The quote from the Final Rule is:
(3) Business associate includes (iii) a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate. (§160.103)
The HHS has been clear to not restrict the definition of subcontractor to individuals who have an actual contractual relationship. The goal of this requirement to ensure that the rules of HIPAA, especially the Privacy and Security Rules, apply equally to all individuals with access to protected health information. A contractual relationship with the covered entity is not necessary to be a HIPAA contractor or subcontractor; the requirements and liabilities of HIPAA still apply.
The quote from HHS in the Omnibus Rule is “[W]e believe that making subcontractors directly liable for violations of the applicable provisions of the HIPAA Rules will help to alleviate concern on the part of covered entities that protected health information is not adequately protected when provided to subcontractors.”
Applicability to All HIPAA Contractors and Subcontractors
The Omnibus Rule also does not put a limitation on the number of, or size of HIPAA contractors and subcontractors to which these rules apply. Subcontractors are liable no matter their size (such as individual contractors), and now matter how far “down the chain” they might be from the covered entity. (For example, covered entity hires a business associate, who hires a subcontractor (1), who in turn hires its own subcontractor (2) – even subcontractor #2 is liable.) All HIPAA contractors and subcontractors are liable to the extent that they create, receive, maintain, or transmit PHI.
Sharing PHI with HIPAA Contractors and Subcontractors
The HIPAA rules allow sharing PHI with HIPAA contractors and subcontractors assuming they have received “satisfactory assurances… that the subcontractor will appropriately safeguard the information.” The covered entities are not held liable in these situations assuming the subcontractor has a contract with the business associate that meets the contract requirements, the covered entity did not know of a pattern or practice of the associate that violates the contract, and the covered entity did not fail to act as required by the Privacy and Security Rules.
While HIPAA contractors and subcontractors do not need to have a contract in order to be considered business associates, a contract is required if the covered entity wishes to pass the liability for meeting HIPAA requirements on to the associate. There must be a contract that meets the requirements of §164.502(e) and §164.504(e) that requires the subcontractor to:
- Use the PHI properly and not disclose the PHI
- Apply appropriate safeguards (protections) to the PHI
- Report possible breaches or disclosure of the PHI
- Allow potential audits by the HHS
- Ensure any of its own subcontractors are under contract to meet these requirements
Permitted Exception for On-Site Contractors
The Omnibus Rule does allow for on-site contractors (individuals that work on-site at a covered entity) to be considered as either an employee of the covered entity, or a business associate, for the purposes of HIPAA rules and applicability. Covered entities can choose to accept the liability for the on-site contractor as they would for any of their employees. This choice depends on the nature of the relationship with the on-site contractor and the contractual relationship that is in place. This can be useful in certain situations when on-site contractors are entirely dependent upon the covered entity’s controls to safeguard and protect PHI. (For example, the on-site contractor uses the covered entity’s equipment, network, and relies upon the provided controls.)
There is another exception for business associates that act as conduits for the transport of protected health information but do not access the information other than on a random or infrequent basis. This exception will be covered in a future post.
The 2013 Omnibus Rule clearly defines that HIPAA contractors and subcontractors are to be treated the same as business associates when it comes to the handling of PHI. All HIPAA contractors and subcontractors are liable for complying with HIPAA whether or not there is a contractual relationship in place. The only exception to this is that covered entities can choose to treat subcontractors the same as employees provided they have appropriate controls and contractual requirements in place. Finally, having a proper contractual relationship can allow covered entities to pass certain parts of HIPAA liability on to its business associates including contractors and subcontractors.