Subcontractors Need Business Associate Agreements Too

What is a Subcontractor Business Associate Agreement?

Subcontractor business associate agreements are legal contracts that add a layer of protection to the protected health information (PHI), including electronic PHI, that a contractor (itself a business associate) shares with its subcontractors. Like all business associate agreements, they formalize the relationship between a data holder and a third-party vendor. These contracts also help both parties meet and maintain their obligations under HIPAA, HITECH, and state data security regulations.
The terms and conditions of a subcontractor business associate agreement specify which uses and disclosures of PHI are permitted and which are prohibited. The contract also requires the subcontractor to take the steps necessary to comply with HIPAA and state PHI security regulations. Subcontractor agreements may be short form or long form. Short form agreements are most common; long form agreements may be necessary when the scope of work is large or the data being shared is especially sensitive.
"Subcontractor" covers both data vendors and third-party software developers. Applications, software, and devices make it easy to share and store data in the cloud, and many of those products are built and operated by a company other than the contractor, so PHI routinely ends up in the hands of a party that has no direct contract with the covered entity. Such scenarios are what subcontractor business associate agreements were created to address.

Essential Elements of a Business Associate Agreement

Subcontractor business associate agreements (BAAs) are part of the contractual network that connects best-practice protections for protected health information (PHI) with specific remedies and potential liabilities. A BAA should contain the following components:

  • PHI and its availability. A subcontractor BAA must define the subset of PHI to which the subcontractor will have access, the purposes for which it may use that PHI, the permitted forms and media, and whether the PHI will be provided in its original form or in modified form, for example after de-identification.
  • Subcontractor’s obligations. A subcontractor BAA should contain the standard business associate obligations, such as using and disclosing PHI only as permitted or required by the subcontractor BAA or the underlying contract with the covered entity, safeguarding the PHI, reporting violations, limiting or terminating prohibited actions, and allowing the covered entity to inspect books and records, to name a few.
  • Permitted uses and disclosures. The subcontractor BAA should define the uses and disclosures of PHI that the subcontractor is permitted to make as a business associate. The use and disclosure rules apply to subcontractors to the extent the subcontractor is acting as a "business associate."
  • Subcontractor’s obligations upon termination. The subcontractor BAA should provide that the subcontractor will, at termination of the contract, return or destroy PHI that it maintains in any form or format.
  • Ongoing duty of confidentiality. Although PHI may generally be destroyed upon termination, a subcontractor BAA should also impose an ongoing duty of confidentiality, because archival backup copies or email still in transit may retain PHI after the primary copies are gone.

Legal Foundations and Implementation

Both the HIPAA Security Rule (45 CFR § 164.314(a)(2)) and the HIPAA Privacy Rule (45 CFR § 164.502(e)(1)(ii)) make explicit that, unless an exception applies, a business associate’s contractors and subcontractors must be contractually bound to the same restrictions and conditions on protected health information ("PHI") that apply to the business associate with which they are associated (the parent entity). The Security Rule, as amended by the 2013 HIPAA Omnibus Rule, is limited to PHI in electronic form, but the Privacy Rule carves out no such exception for any particular form, so even for PHI maintained only on paper a subcontractor must comply with the same Privacy Rule requirements that bind the parent business associate. Before the Omnibus Rule, subcontractors were not directly liable under the HIPAA Rules; under the Omnibus Rule, business associates and their subcontractors are directly liable for their own violations, and a covered entity or business associate may also be liable for violations committed by a subcontractor acting as its agent.
Additionally, the European Union’s General Data Protection Regulation ("GDPR") (Regulation (EU) 2016/679) does not use the HIPAA concept of PHI: it governs personal data generally, treats health data as a special category, and applies to personal data processed by automated means as well as to manual records held in a structured filing system. Nonetheless, Article 28 of the GDPR imposes requirements on data processors (the closest GDPR equivalent of business associates and subcontractors) that parallel the HIPAA Rules, including obligations to:
Some HIPAA exceptions require only that the business associate with which a subcontractor is associated be contractually obligated to ensure that the subcontractor complies with the same HIPAA requirements. Because the GDPR’s requirements closely parallel HIPAA’s, an entity subject to both regimes can often satisfy much of each with a single set of contractual controls. The GDPR also codifies limited exceptions to the obligation, in a business associate/subcontractor relationship, to ensure the subcontractor’s compliance:
These exceptions are useful because they allow, for example, a covered entity to hold a master services agreement with a vendor for services that do not involve PHI without creating the confusion and liability that a HIPAA-scoped agreement would otherwise carry.

The Upside of Having a Subcontractor Business Associate Agreement

Subcontractor Business Associate Agreements are typically put in place to address the obligations of business associates, and in turn their subcontractors, regarding the use and disclosure of protected health information ("PHI") in compliance with the HIPAA Privacy Rule. They serve a larger purpose as well: they prepare both the business associate and its subcontractor for compliance with the Privacy Rule. More specifically, a written arrangement with each subcontractor regarding the use and disclosure of PHI lets the business associate show that it has flowed its obligations down, which reduces its own risk, and the agreement is the mechanism by which the business associate requires its subcontractors to comply with the Privacy Rule.
Moreover, these agreements encourage better data security, more proactive privacy policies and incident handling, and improved vendor relationships, because they set clear expectations about security standards and breach notification requirements. They also put subcontractors on notice of their potential liability should they suffer a breach. In this way, Subcontractor Business Associate Agreements help ensure that subcontractors have the privacy and security policies they need to prevent a data breach.

Pitfalls to Avoid

Common mistakes businesses make with subcontractor BAAs, and how to avoid them
First: Failing to have a written agreement. It seems obvious, but healthcare providers and business associates often overlook this. HIPAA requires a written contract with any subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate; such a subcontractor is itself a business associate under the definition in 45 CFR § 160.103. Use a written subcontractor business associate agreement ("BAA") with any subcontractor you engage that will handle data subject to HIPAA.
Second: Adopting a boilerplate or "one-size-fits-all" approach. Each subcontractor BAA involves a different subcontractor, a specific scope of services and unique responsibilities. Don’t rely on a prior agreement as a template, or on an online sample agreement, without adapting it. Although either may be a good starting point, the BAA must be tailored to the transaction and the parties involved. Don’t settle on a final version too soon.
Third: Not changing the definitions and identified requirements in the subcontractor BAA to reflect the contracted services. Don’t assume that no changes are needed because the subcontractor BAA looks similar to the original BAA you used as a template. Responsibilities vary with the subcontractor’s level of access to PHI and the services it performs. Definitions and terms carried over from the upstream BAA can also create ambiguity about which obligations apply to the contractor and which to the subcontractor.
Fourth: Assuming that the subcontractor is not a business associate. Even if the subcontractor describes itself as a vendor or agent, it may be a business associate and need a subcontractor BAA.
Fifth: Omitting appendices to the subcontractor BAA. Use an appendix attached to the subcontractor BAA to define the scope of services, anticipated uses and disclosures of data, regulatory requirements of the parties and implementation standards. This will clarify responsibilities and create a foundation to maintain compliance with the BAA.
Sixth: Failing to conduct due diligence to ensure that the subcontractor’s policies will comply with HIPAA. Make sure that the subcontractor has adequate policies and procedures and will act with due diligence when executing its responsibilities under the subcontractor BAA. This will decrease liability risk and the potential for unexpected costs.

The Process for Crafting an Agreement

To create subcontractor business associate agreement documents that are both comprehensive and effective, there are several steps that should be followed. These steps take into consideration best practices for achieving an enforceable document while ensuring compliance with current HIPAA and HITECH regulations. Involving an attorney who is well-versed in HIPAA and HITECH regulations is a best practice. The necessary steps include:
Information Gathering
Your health care organization must gather information that provides a comprehensive picture of how the business associate does business. This includes:
Legal Interview
Working with your health care organization’s corporate legal counsel is critically important. Corporate counsel can ensure that the document is enforceable and follows best practices, and will interview key stakeholders, focusing on how the business associate performs its services once it is given PHI.
Information Verification
Verify all the information collected with the business associate.
Agreement Drafting
Next, your corporate counsel should draft the agreement and work with you to reach agreement between the parties.
Review Process
Your corporate counsel should circulate drafts to all relevant departments to confirm that their needs are met. You should also meet separately with the business associate to discuss changes as necessary. In some instances, the business associate should have its own legal counsel review the agreement.
Review And Sign
Your corporate counsel should perform a final review of the document before signature, and you should sign the agreement at the appropriate level within your organization.

Case Examples of Implementation

A large national hospital management company faced a dilemma when several of its third-party vendors notified it that they would no longer do business with it because no HIPAA Business Associate Agreement was in place. Four months later, the company had entered into agreements with those vendors that both sides considered solid and satisfactory.
The hospital management company’s initial reaction was to consult legal counsel and have the primary vendor responsible for interfacing with its third-party vendors (the prime contractor) draft the necessary business associate agreements for its subcontractors. The prime contractor was not familiar with HIPAA and had trouble handling the request effectively. Several months of back and forth with one of the prime contractor’s larger subcontractors produced only a subpar agreement. During this time, the hospital management company used the opportunity to review its HIPAA compliance process and determine whether its existing process for reviewing business associate agreements needed to be updated. It learned that, with HIPAA’s expansion, it had fallen behind: what had been an effective compliance process a few years earlier was no longer sustainable. In the interim, the hospital management company also discovered that the law firm handling its prime contractor’s business associate agreement review was its own labor and employment law firm. It quickly enlisted that firm’s expertise to gather all of the prime contractor’s subcontractor business associate agreements for review and revision.
It took approximately four months for the prime contractor to deliver business associate agreements to all of its subcontractors, but the communication along the way made it understand how important compliance was to the hospital management company. If its subcontractors were not receiving proper training, the prime contractor risked exposing itself to liability and fines. The prime contractor also came to see how essential it was to have the labor and employment law firm review the process, determine where the issues were occurring and streamline it with technology. It further realized that several of its subcontractors had never performed their own analysis or risk assessment to determine whether, and how, they needed to comply with HIPAA. A variable rate card backed by a third-party cloud database provided a solid foundation for the hospital management company’s compliance program and streamlined the entire process. The move to databases and spreadsheets was a welcome development, as it saved many hours in responding to internal and external audits because they allowed easy and efficient reporting.
The third-party technology consulting company and the labor and employment law firm worked with the hospital management company, the prime contractor and its subcontractors over several months to review each subcontractor’s business associate agreement compliance against its existing business processes. Shortly after the streamlined process was implemented, the U.S. Department of Health and Human Services (HHS) published sweeping changes to HIPAA in 2013. While these changes were being reviewed and incorporated into the new compliance package, a major issue emerged: the due diligence steps conducted by both the hospital management company and the prime contractor were found to be lacking. The hospital management company tasked its compliance team with determining how best to safeguard against additional penalties from HHS.
The end result of several months of hard work benefited the hospital management company as well as every other party in the process. The third-party technology company was able to incorporate the process into its platform and make it available to its customers, which vastly increased its value proposition and bottom line. The labor and employment law firm gained another portal through which it could serve its clients, who were often unsure whether their operations were affected by HIPAA. The prime contractor was pleased that all parties were satisfied with the process and its streamlined efficiency. The hospital management company was pleased to have the issues in its business corrected, all at a lower than expected cost.