Subcontractor BAA Requirements

How HIPAA obligations flow down through subcontractor chains, who must execute BAAs with whom, and how covered entities should monitor their business associate networks.

The Subcontractor Chain Under HIPAA

The 2013 Omnibus Rule formalized a critical expansion of HIPAA liability: subcontractors of business associates are themselves business associates if they create, receive, maintain, or transmit PHI on behalf of a business associate. This means HIPAA obligations flow through the entire chain of service providers, not just to the first tier of vendors hired by a covered entity.

The chain works as follows: A covered entity hires a billing company (Business Associate 1). The billing company uses a cloud data storage provider to host its systems (Subcontractor Business Associate). The cloud provider uses a data center colocation facility (Sub-subcontractor Business Associate). Each entity in this chain that touches PHI must comply with HIPAA and must have a BAA with the entity directly above it in the chain.

Who Must Execute BAAs with Whom

The BAA requirement runs along contractual relationships, not directly from covered entity to every downstream vendor:

  • The covered entity must execute a BAA with its direct business associates.
  • Each business associate must execute a BAA with its own subcontractors that handle PHI.
  • Each subcontractor must execute a BAA with its sub-subcontractors, and so on down the chain.

Notably, a covered entity does NOT need to execute a BAA directly with its business associates' subcontractors. The covered entity's contractual relationship is with the business associate, and the business associate is responsible for ensuring its subcontractors are bound by appropriate BAAs. However, the covered entity may require in its BAA with the business associate that the business associate provide notification of all subcontractors used, giving the covered entity visibility into the chain.

Flow-Down Obligations

A business associate's BAA with a covered entity must require the business associate to ensure that its subcontractors agree to the same restrictions and conditions on PHI that apply to the business associate. This flow-down requirement means that the protections negotiated by the covered entity must percolate down through the entire subcontractor chain — a subcontractor cannot agree to weaker protections than the business associate itself is bound by.

However, each BAA in the chain may — and should — be tailored to the specific relationship and the scope of PHI involved. A business associate does not simply pass through its own BAA to its subcontractor; it executes a new BAA that reflects the subcontractor's specific role and the subset of PHI the subcontractor will handle.

Covered Entity Oversight Responsibilities

While a covered entity is not contractually responsible for its business associates' subcontractors, it has a practical interest in understanding its extended vendor network. OCR has noted that covered entities should have reasonable oversight of their business associates, including monitoring whether business associates are fulfilling their obligations and understanding the risk profile of the subcontractor ecosystem.

Best practices for covered entity oversight of subcontractor chains include:

  • Requiring business associates to disclose subcontractors that will have access to PHI
  • Requiring business associates to represent that subcontractor BAAs are in place
  • Including audit rights in BAAs to verify subcontractor compliance
  • Conducting periodic vendor risk assessments that consider subcontractor risks
  • Requiring business associates to notify the covered entity of material changes in their subcontractor relationships

When Subcontractor BAAs Are Missing

If a business associate fails to execute a BAA with a subcontractor that handles PHI, the business associate is in violation of HIPAA — both its contractual obligation to the covered entity and its direct regulatory obligations. The covered entity, upon discovering this gap, must take steps to address it: it may require the business associate to cure the deficiency or, if the business associate refuses, terminate the relationship and report to HHS. A covered entity that knowingly allows a business associate to continue operating without required subcontractor BAAs may itself be found non-compliant.