Subcontractor Business Associate Agreements Needed When Business Associates Provide Covered Entity PHI to a Subcontracted Vendor

Example Situation:

Covered Entity: Health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with transactions for which the U.S. Department of Health and Human Services has adopted standards. 45 CFR §160.103.

Business Associate: In short, a person or entity that performs activities on behalf of, or provides services to, a covered entity where the activities and/or services involve the use or disclosure of protected health information. See 45 CFR §160.103.

Protected Health Information (“PHI”): Generally, information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for healthcare to an individual, and that identifies the individual or can be used to identify the individual. See 45 CFR §160.103 and the definition of “individually identifiable health information.”

Generally, HIPAA requires that a Covered Entity enter into Business Associate agreements with the Covered Entity’s Business Associates to ensure adequate protections for the Covered Entity’s PHI. This is very common for Covered Entities and their Business Associates. What happens, however, when the Business Associate shares the Covered Entity’s PHI with another vendor who is providing services on behalf of the Business Associate? For example, an IT services provider (Business Associate) may access and retrieve data (PHI) of a client hospital (Covered Entity) and then store the data on the hosting platform of another company (Subcontracted Business Associate).

By entering into a Business Associate agreement with the Covered Entity, the Business Associate agrees to safeguard the Covered Entity’s PHI that the Business Associate accesses, retrieves, and hosts. How does the Business Associate assure that the subcontracted entity appropriately safeguards the Covered Entity’s PHI?

A Subcontracted Business Associate agreement is the answer, and it is generally the law. Under HIPAA, any subcontractor that creates, receives, maintains, or transmits PHI on behalf of a Business Associate of a Covered Entity is itself a Business Associate. A Business Associate may only use or disclose PHI as permitted or required by the Business Associate agreement between the parties or as required by law. A Business Associate can be directly liable under HIPAA for any use or disclosure of PHI that is not within the permissions granted by the Business Associate agreement or required by law. It is beneficial for both the original Business Associate and the Subcontracted Business Associate to enter into an appropriate Business Associate agreement that sets forth the permissible uses and disclosures of PHI by the Subcontracted Business Associate. The obligation does not stop there, either; it continues downstream. If you are the Subcontracted Business Associate, execute Business Associate agreements with your own vendors who receive the Covered Entity’s PHI from you. It is likely that your Business Associate agreement with the original Business Associate requires it. If you need help creating a Business Associate to Subcontracted Business Associate agreement, or a review of one, contact Maggie DiCostanzo, Esq.

Maggie DiCostanzo is a principal attorney in Offit Kurman’s Healthcare practice group. For nearly 20 years she has focused her legal practice on representing physicians, hospitals, post-acute care facilities, and other healthcare professionals, delivering health law advice and counseling as well as representation in regulatory, general liability, and professional liability matters. She is also a registered patent attorney with the U.S. Patent & Trademark Office, and drafts licensing agreements and other intellectual property-related documents. Ms. DiCostanzo also assists lawyers in Offit Kurman’s other practice groups, including Business Law and Transactions, to address discrete healthcare issues.

Offit Kurman, one of the fastest-growing, full-service law firms in the United States, serves dynamic businesses, individuals and families. With 19 offices and more than 280 lawyers who counsel clients across more than 30 areas of practice, Offit Kurman helps maximize and protect business value and personal wealth by providing innovative and entrepreneurial counsel that focuses on clients’ business objectives, interests and goals. The firm is distinguished by the quality, breadth and global reach of its legal services and a unique operational structure that encourages a culture of collaboration. For more information, visit