In 2023, OCR settled with a business associate that failed to ensure its subcontractor had adequate safeguards for protected health information — resulting in a six-figure penalty and a corrective action plan that consumed the organization's compliance resources for two years. The case underscored a requirement that many organizations still overlook: every relationship between a business associate and its subcontractor must be governed by a written business associate agreement that meets specific HIPAA standards. If your organization delegates any function involving PHI to a downstream entity, this rule applies to you.
Why the Omnibus Rule Changed Business Associate Agreement Subcontractor Requirements
Before the 2013 Omnibus Rule, subcontractors operating under business associates existed in a regulatory gray area. The Omnibus Rule eliminated that ambiguity entirely. Under 45 CFR §164.502(e)(1)(ii) and §164.504(e), a business associate that engages a subcontractor to create, receive, maintain, or transmit PHI must execute a business associate agreement (BAA) with that subcontractor.
This means the chain of accountability doesn't stop at your direct business associate. If your billing company hires a cloud hosting provider that stores claims data containing PHI, that cloud provider is a subcontractor — and it must be bound by a BAA. The subcontractor itself is now directly liable for HIPAA violations under the Security Rule and certain provisions of the Privacy Rule.
OCR has made clear in guidance and enforcement actions that ignorance of subcontractor relationships does not shield a covered entity or business associate from liability. Your organization bears responsibility for confirming that downstream protections are in place.
What a Subcontractor BAA Must Include
A BAA between a business associate and its subcontractor must contain the same core elements as any BAA between a covered entity and a business associate. Under 45 CFR §164.504(e)(2), these provisions are non-negotiable:
- Permitted uses and disclosures: The agreement must specify exactly how the subcontractor may use or disclose PHI, and it must prohibit uses that would violate the Privacy Rule if performed by the covered entity.
- Safeguards requirement: The subcontractor must agree to implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI under the Security Rule.
- Breach notification obligation: The subcontractor must report any breach of unsecured PHI to the business associate without unreasonable delay, consistent with the Breach Notification Rule at 45 CFR §164.410.
- Minimum necessary standard compliance: The subcontractor's access to PHI must be limited to the minimum necessary to accomplish the contracted purpose.
- Termination provisions: The agreement must authorize termination if the business associate determines the subcontractor has violated a material term.
- Return or destruction of PHI: Upon contract termination, the subcontractor must return or destroy all PHI, or if that is not feasible, extend protections indefinitely.
Missing even one of these provisions can render the BAA non-compliant — and expose both the business associate and the covered entity to OCR enforcement action.
The Subcontractor Risk Analysis Most Organizations Skip
In my work with covered entities and their business associates, I see the same gap repeatedly: organizations execute a BAA with a subcontractor and assume the job is done. It is not. The HIPAA Security Rule at 45 CFR §164.308(a)(1)(ii)(A) requires an accurate and thorough risk analysis — and that analysis must account for every entity that touches your PHI, including subcontractors.
Before onboarding any subcontractor, your business associate should evaluate the subcontractor's security posture. This includes reviewing their encryption practices, access controls, workforce training programs, and incident response procedures. Requesting evidence of a completed risk analysis from the subcontractor is not optional diligence — it is a regulatory expectation that OCR has cited in multiple investigations.
If your business associate cannot demonstrate that it assessed its subcontractors' security environment, your organization's own risk analysis is incomplete.
How Covered Entities Should Oversee the Subcontractor Chain
As a covered entity, you may not have a direct contractual relationship with your business associate's subcontractors. But you are not absolved of oversight. Your BAA with your business associate should include provisions requiring the business associate to:
- Notify you when subcontractors with access to PHI are engaged.
- Confirm that compliant BAAs are in place with each subcontractor.
- Report any subcontractor-related breaches through the established notification chain.
Healthcare organizations consistently struggle with visibility into these downstream relationships. A practical step is to require your business associates to maintain a current inventory of subcontractors and make it available during compliance audits. This approach aligns with OCR's expectations and strengthens your organization's defensible compliance posture.
Workforce Training Is the Missing Link in Subcontractor Compliance
A subcontractor BAA that is compliant on paper means nothing if the people handling PHI don't understand their obligations. Under 45 CFR §164.530(b), covered entities must train their workforce on HIPAA policies and procedures. The same standard applies to business associates and, by extension, their subcontractors under the Omnibus Rule.
Your workforce — including contract managers, procurement staff, and compliance officers — must understand when a subcontractor relationship triggers BAA requirements. Too many HIPAA violations originate from employees who engage vendors without recognizing PHI is involved. Investing in comprehensive HIPAA training and certification for your team is one of the most effective ways to close this gap before OCR identifies it for you.
Subcontractor personnel who handle PHI should also receive documented HIPAA training. If your business associate cannot verify that its subcontractor's workforce has been trained, that is a red flag your compliance team should escalate immediately.
Three Steps to Strengthen Your Subcontractor BAA Program Today
1. Audit your existing BAAs. Pull every business associate agreement your organization has executed. Confirm that each one includes a subcontractor flow-down provision requiring the business associate to obtain compliant BAAs from its own subcontractors.
2. Map the PHI data flow. Identify every point where PHI leaves your organization's control and trace it through business associates to their subcontractors. Any entity in that chain without a BAA is an active compliance gap.
3. Require ongoing compliance verification. A BAA signed three years ago is not proof of current compliance. Build periodic attestation and audit requirements into your agreements. Pair this with workforce HIPAA compliance programs that keep your team current on evolving subcontractor obligations.
The subcontractor BAA requirement is not a technicality — it is the mechanism that ensures PHI remains protected regardless of how many hands it passes through. OCR's enforcement record shows that downstream failures are treated with the same severity as direct violations. The time to verify your subcontractor BAA program is before the breach report lands on your desk.