The Downstream Liability Most Business Associates Overlook

In 2023, OCR settled with a medical transcription company for over $100,000 after a breach traced not to the company itself, but to a subcontractor it had hired to handle overflow work. The subcontractor stored protected health information on an unsecured server. The transcription company — the business associate — had no written HIPAA subcontractor agreement in place. Under the Omnibus Rule, that business associate was directly liable.

This scenario plays out more often than most organizations realize. Since the 2013 Omnibus Rule took effect, every business associate that delegates PHI-related functions to a downstream entity must execute a compliant subcontractor agreement. Without one, your organization carries enormous regulatory and financial risk.

What the Omnibus Rule Changed About Subcontractor Liability

Before 2013, direct regulatory accountability stopped at the covered entity. A business associate was bound only by its contract, and its subcontractors only by whatever flow-down language that contract carried (the pre-Omnibus §164.504(e)(2)(ii)(D) required the business associate to bind its "agents, including a subcontractor" to the same restrictions). No subcontractor was itself a business associate, and none could be penalized by OCR. The Omnibus Rule, implementing the HITECH Act, closed that gap: business associates and their subcontractors are now directly liable for the Privacy Rule and Security Rule provisions that apply to them.

Under 45 CFR §164.502(e)(1)(ii) and §164.504(e), a business associate must ensure that any subcontractor who creates, receives, maintains, or transmits protected health information on its behalf agrees to the same restrictions and conditions that apply to the business associate under its own BAA with the covered entity. In plain terms: the subcontractor is now a business associate of the business associate.

OCR has made clear that this obligation flows downstream without limit. If your subcontractor hires its own subcontractor, that entity also needs a compliant agreement. The chain of accountability is only as strong as the weakest agreement in it.

Required Elements of a HIPAA Subcontractor Agreement

A HIPAA subcontractor agreement is, functionally, a business associate agreement (BAA). Under 45 CFR §164.504(e)(5), the contract between a business associate and its subcontractor must satisfy the same content requirements in §164.504(e)(2) through (e)(4) that govern the business associate's own agreement with the covered entity. Here is what your subcontractor agreement must address:

  • Permitted uses and disclosures of PHI: The agreement must specify exactly how the subcontractor may use or disclose protected health information, limiting it to the functions the subcontractor performs.
  • Minimum necessary standard: The subcontractor must agree to use, disclose, and request only the minimum PHI necessary to accomplish the intended purpose. Since the Omnibus Rule this standard binds subcontractors directly under 45 CFR §164.502(b), so the agreement should also scope the data you actually pass down: a subcontractor handling overflow transcription needs the dictation and the identifiers required to file the note, not the full record.
  • Safeguards requirement: The subcontractor must implement appropriate administrative, physical, and technical safeguards to protect PHI, consistent with the HIPAA Security Rule.
  • Breach notification obligations: The agreement must require the subcontractor to report to the business associate any use or disclosure of PHI not permitted by the agreement, any security incident, and any breach of unsecured PHI. The Breach Notification Rule (45 CFR §164.410) sets the outer limit at 60 calendar days after discovery, and a breach counts as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the subcontractor other than the person who committed it. Because the business associate must in turn notify the covered entity, and the covered entity must notify affected individuals, agreements commonly require reporting within days rather than letting the subcontractor run out the 60-day maximum.
  • Access to PHI for individuals: The subcontractor must cooperate with the business associate in fulfilling individuals' rights to access, amend, and receive an accounting of disclosures of their PHI.
  • Return or destruction of PHI: At termination of the agreement, the subcontractor must return or destroy all PHI, or if that is not feasible, extend protections indefinitely.
  • HHS access to records: The subcontractor must make its internal practices, books, and records relating to PHI use available to the Secretary of HHS for compliance audits.
  • Termination provisions: The agreement must allow the business associate to terminate the contract if the subcontractor violates a material term.

Common Mistakes That Expose Your Organization to HIPAA Violations

In my work with covered entities and business associates, I see the same subcontractor agreement failures repeatedly. These are the ones that lead to OCR enforcement actions and six-figure settlements.

Using a Generic Vendor Contract Instead of a BAA

A standard vendor services agreement, even one with a confidentiality clause, does not satisfy HIPAA's subcontractor requirements. Business associate status turns on the function the vendor performs with PHI, not on what the contract is called, and the agreement must contain the specific provisions outlined in 45 CFR §164.504(e). A promise to keep information confidential says nothing about permitted uses, safeguards, breach reporting, HHS access, or return and destruction, so it is not a substitute for a compliant HIPAA subcontractor agreement.

Failing to Conduct a Risk Analysis Before Onboarding

Your organization is required to conduct an accurate and thorough risk analysis under the Security Rule (45 CFR §164.308(a)(1)(ii)(A)). That analysis must account for how subcontractors access, store, and transmit PHI, which means knowing, before you sign, where the subcontractor will hold the data, who in its workforce can reach it, and what safeguards it applies to the data in transit and at rest. Executing an agreement without understanding the subcontractor's security posture is a gap OCR routinely looks for during investigations, and the signed agreement is no defense if the risk analysis behind it never considered the subcontractor at all.

Not Monitoring Subcontractor Compliance Over Time

Signing the agreement is not a one-time event. Under 45 CFR §164.504(e)(1)(iii), a business associate that knows of a pattern of activity or practice by its subcontractor amounting to a material breach of the agreement is itself out of compliance unless it takes reasonable steps to cure the breach or end the violation and, if those steps fail, terminates the agreement where feasible. If you learn that a subcontractor is mishandling PHI and do neither, your organization shares liability for any resulting HIPAA violation.

Ignoring the Downstream Chain

If your subcontractor uses its own vendors to process PHI — cloud hosting providers, data analytics firms, shredding companies — each of those entities also needs an agreement. Healthcare organizations consistently struggle with mapping this full downstream chain, but the Omnibus Rule leaves no room for ambiguity on this point.

How Workforce Training Reduces Subcontractor Risk

Your subcontractor agreement is only effective if the people executing on it understand what HIPAA requires. That means workforce training must extend beyond your internal team. Every member of your workforce — and ideally your subcontractor's workforce — who handles PHI needs to understand the Privacy Rule, Security Rule, and Breach Notification Rule obligations that govern their work.

Investing in comprehensive HIPAA training and certification for your team ensures that the people managing subcontractor relationships know what to look for, what to require, and when to escalate a compliance concern. Training is also a regulatory requirement in its own right: the Security Rule (45 CFR §164.308(a)(5)(i)) requires business associates as well as covered entities to run a security awareness and training program, and the Privacy Rule (45 CFR §164.530(b)) requires covered entities to train their workforce on its policies. OCR routinely requests training policies and attendance records during an investigation, so documented, dated training for everyone who handles PHI is evidence you should expect to produce.

Protecting Your Organization from Downstream PHI Exposure

A compliant HIPAA subcontractor agreement is not optional — it is a regulatory mandate with real consequences. OCR's enforcement history demonstrates a clear pattern of holding business associates accountable for their subcontractors' failures.

Start by auditing every downstream relationship where PHI is involved. Verify that each subcontractor has a signed agreement meeting the requirements of 45 CFR §164.504(e). Incorporate subcontractor oversight into your risk analysis. And ensure that every person in your organization who manages these relationships has completed proper training.

If your organization needs to strengthen its compliance foundation — from workforce training to policy development — HIPAA Certify's workforce compliance platform provides the structured approach covered entities and business associates need to meet their obligations at every level of the PHI chain.

The subcontractor you trust with protected health information today could be the source of your next breach notification tomorrow. The agreement you put in place — and enforce — is your first and best line of defense.