New HIPAA Rules Affect Business Associates and Their Subcontractors

The new HIPAA rules issued by the Department of Health and Human Services have made substantial changes to the way in which covered entities (e.g., hospitals, health insurers, etc…) and their business associates (entities which perform services on behalf of covered entities involving health information) secure and interact with health information.  One of the most significant and far-reaching of these changes relates to the way in which business associates and their subcontractors are regulated. 

The 2009 Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) obligated business associates to comply with many of the HIPAA rules that previously applied to covered entities only.  With certain limited exceptions, the new HIPAA rules extend that reach by broadening the definition of “business associate” to include not only businesses that contract directly with covered entities, but also those that act as subcontractors to business associates and perform services on behalf of the business associate involving health information.

Therefore, subcontractors, and potentially their subcontractors “down the chain” (if they perform services involving health information), are themselves deemed to be business associates and are statutorily obligated to comply with many of HIPAA’s rules.  One of the difficulties of this particular broadening of the rules is that many subcontractors may not be aware that they are working with information covered by HIPAA, let alone that they are obligated to comply with HIPAA.

Covered entities and business associates alike should re-examine their relationships with subcontractors and ensure that they have obtained “satisfactory assurances” through written business associate agreements regarding the security and privacy of any health information available to the subcontractor.  On the other side of the relationship, businesses that store or work with data which even tangentially relates to health care, including payment for health care, should consider whether they are now subject to HIPAA and what steps they need to take to comply.

A further concern for covered entities and business associates is that a covered entity is now liable for a HIPAA violation by a business associate who is its agent under federal agency law, and a business associate will be liable for the violations of a subcontractor who is its agent.  Whether a business associate or subcontractor is an agent is determined under all the facts and circumstances, including the terms of the business associate agreement.

If you have questions about the new rules, the HITECH Act, or HIPAA generally, please contact Peter Guffin, Kris Eimicke, or Kyle Glover of Pierce Atwood LLP’s Privacy and Data Security Group.