New HIPAA Rules Affect Business Associates And Their Subcontractors


The new HIPAA rules issued by the Department of Health and Human Services have made substantial changes to the way in which covered entities (e.g., hospitals, health insurers, etc.) and their business associates (entities that perform services on behalf of covered entities involving health information) secure and interact with health information. One of the most significant and far-reaching of these changes relates to the way in which business associates and their subcontractors are regulated.

The 2009 Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) obligated business associates to comply with much of the HIPAA rules that previously applied to covered entities only.  With certain limited exceptions, the new HIPAA rules extend that reach by broadening the definition of “business associate” to include not only businesses that contract directly with covered entities, but also those that act as subcontractors to business associates and perform services on behalf of the business associate involving health information. 

Therefore, subcontractors, and potentially their own subcontractors "down the chain" (if they perform services involving health information), are themselves deemed to be business associates and are statutorily obligated to comply with much of HIPAA's rules. One of the difficulties of this particular broadening of the rules is that many subcontractors may not be aware that they are working with information covered by HIPAA, let alone that they are obligated to comply with HIPAA.

Covered entities and business associates alike should re-examine their relationships with subcontractors and ensure that they have obtained “satisfactory assurances” through written business associate agreements regarding the security and privacy of any health information available to the subcontractor.  On the other side of the relationship, businesses that store or work with data which even tangentially relates to health care, including payment for health care, should consider whether they are now subject to HIPAA and what steps they need to take to comply.

A further concern for covered entities and business associates is that a covered entity is now liable for a HIPAA violation by a business associate who is its agent under federal agency law, and a business associate will be liable for the violations of a subcontractor who is its agent.  Whether a business associate or subcontractor is an agent is determined under all the facts and circumstances, including the terms of the business associate agreement.

If you have questions about the new rules, the HITECH Act, or HIPAA generally, please contact Peter Guffin, Kris Eimicke, or Kyle Glover of Pierce Atwood LLP's Privacy and Data Security Group.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pierce Atwood LLP | Attorney Advertising