Business Associate Subcontractor Agreements: What You Need to Know

As a business owner, you likely understand the importance of safeguarding your sensitive information and protecting it from cyber threats. The Health Insurance Portability and Accountability Act (HIPAA) outlines strict standards for managing protected health information (PHI) in the healthcare industry. However, HIPAA's regulations extend beyond healthcare organizations, affecting any business that handles PHI.

If your business works with healthcare providers or insurance companies, you may need to sign a Business Associate Agreement (BAA) to comply with HIPAA regulations. Additionally, if you contract with other companies to help you manage or process PHI, you may need to sign a Business Associate Subcontractor Agreement (BASA).

What is a Business Associate Subcontractor Agreement?

A BASA is a legal agreement between a business associate and a subcontractor that outlines the subcontractor's obligations when handling PHI. A business associate is any person or organization that performs or assists a covered entity in performing a function or activity involving PHI. A subcontractor is any person or organization contracted by the business associate to perform such a function or activity.

The Department of Health and Human Services (HHS) requires that business associates ensure that their subcontractors comply with HIPAA's rules and regulations. This obligation includes entering into a written agreement with subcontractors, outlining their responsibilities when handling PHI.

What should a Business Associate Subcontractor Agreement include?

A BASA should cover the same requirements as a regular BAA, including:

– The type of PHI the subcontractor will access or work with

– The purpose and scope of the subcontractor's work and access to PHI

– The subcontractor's responsibilities and obligations to protect PHI

– The required safeguards and privacy measures to secure PHI

– The subcontractor's reporting requirements in the event of a breach

– The subcontractor's indemnification obligations in case of a breach

– The subcontractor's obligations to return or destroy PHI when the contract ends

– The subcontractor's obligations to provide access to PHI for patient requests

It's important to note that the subcontractor cannot use or disclose PHI for any purposes other than those outlined in the agreement. The subcontractor must also comply with all HIPAA regulations, including the Security Rule, Privacy Rule, and Breach Notification Rule.

How to ensure compliance with Business Associate Subcontractor Agreements

To ensure compliance with BASAs, you should implement the following best practices:

– Review and update your BASAs regularly to reflect any changes in the scope of work or business operations.

– Conduct due diligence on subcontractors before entering into agreements with them. This should include verifying that the subcontractor has appropriate security measures in place, including encryption and data backups.

– Provide regular training to subcontractors on HIPAA regulations and ensure that they understand their obligations under the BASA.

– Implement proper monitoring and auditing of subcontractors' activities to ensure compliance with the BASA.

– Include provisions in your legal contracts that require subcontractors to notify you of any potential breaches or security incidents.

Business Associate Subcontractor Agreements are vital for ensuring that subcontractors comply with HIPAA regulations and protect PHI. As a business owner, it's your responsibility to ensure that your subcontractors follow these agreements and take the necessary measures to secure PHI. By implementing best practices and regularly reviewing your contracts, you can protect your business from potential legal and financial repercussions.