The HIPAA BAA Chain — Why Subcontractors Matter
Many organizations focus on their direct vendor relationships and miss a critical HIPAA requirement: Business Associates are required to obtain Business Associate Agreements from their own subcontractors who handle PHI. This creates a chain of protection that extends from your organization down through every entity that touches your patients' data.
If your IT vendor uses a subcontractor to provide after-hours support, and that subcontractor has access to systems containing your patients' PHI, that subcontractor is a downstream Business Associate — and must have a BAA with your vendor.
Step 1: Assess Whether This Is a New Development
When you discover a vendor's subcontractor has PHI access, first determine:
- Is this a new arrangement, or has the subcontractor always had access?
- Was the subcontractor's access disclosed to you in the original vendor contract or BAA?
- Did the access originate from a recent change in your vendor's service delivery model?
- Did you have any knowledge of or consent to this arrangement?
If this was disclosed in the original vendor agreement, your BAA with the primary vendor should already cover this through the downstream BAA chain requirement. If it's a new, undisclosed arrangement, this is more concerning.
Step 2: Contact Your Vendor Immediately
Reach out to your primary vendor and request:
- Written confirmation of which subcontractors have or have had access to your organization's PHI
- A copy of the BAA between the vendor and each subcontractor with PHI access
- Documentation of what PHI the subcontractor accessed and for what purpose
- Confirmation that the subcontractor has implemented appropriate security safeguards
- The subcontractor's name, contact information, and location (relevant for cross-border data transfers)
Step 3: Review the BAA Chain
Your BAA with the primary vendor should require them to:
- Obtain BAAs from all subcontractors who create, receive, maintain, or transmit PHI on their behalf
- Ensure subcontractors implement the same safeguards and restrictions that apply to the primary BA
- Notify you of any subcontractor arrangements that may affect your PHI
Review your BAA now. If it doesn't contain these requirements, the BAA may be deficient and needs to be updated.
Step 4: Conduct a Risk Assessment
Evaluate the risk this subcontractor access creates:
- What PHI did the subcontractor access? Names only? Clinical data? Financial information?
- How many patient records were potentially exposed to the subcontractor?
- What is the subcontractor's security posture? Are they known to have appropriate safeguards?
- Is there evidence of any unauthorized use or disclosure by the subcontractor?
- Was the access necessary for the services being provided, or was it broader than needed?
Step 5: Determine If Breach Notification Is Required
If the subcontractor's access was unauthorized (i.e., there was no downstream BAA in place or the access exceeded what was permitted), this may constitute an impermissible disclosure requiring breach notification. Your Privacy Officer must conduct a formal four-factor risk assessment to make this determination.
Note: A breach by a Business Associate (or their subcontractor) is treated as a breach by the covered entity for notification purposes. If patients need to be notified, you are responsible for sending those notifications, not the vendor.
Step 6: Remediation and Monitoring
Going forward:
- Update your vendor contracts and BAAs to explicitly require disclosure of any subcontractors with PHI access
- Require primary BAs to provide you with a list of all subcontractors and their BAA status annually
- Include subcontractor management as part of your annual vendor risk assessment process
- Consider contract provisions that give you approval rights before your vendor can engage a new subcontractor with PHI access
- If the vendor failed to disclose the subcontractor arrangement and you have a material concern about the breach, consider whether termination of the vendor relationship is appropriate