    HIPAA Regulations: General Provisions: Definitions - Subcontractor - § 160.103

    As Contained in the HHS HIPAA Privacy Rules

    Includes changes from the January 2013 final HHS regulations


    HHS Regulations as Added by the January 2013 Amendments
    General Provisions: Definitions - Subcontractor - § 160.103

    Subcontractor means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.


    HHS Description and Commentary From the January 2013 Amendments
    General Provisions: Definitions - Subcontractor - § 160.103

    Proposed Rule

    We proposed in the definition of "business associate" to provide that subcontractors of a covered entity, i.e., those persons that perform functions for or provide services to a business associate other than in the capacity as a member of the business associate’s workforce, are also business associates to the extent that they require access to protected health information. We also proposed to define "subcontractor" in § 160.103 as a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. Even though we used the term "subcontractor," which implies there is a contract in place between the parties, the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person. We requested comment on the use of the term "subcontractor" and its proposed definition.

    The intent of the proposed extension of the Rules to subcontractors was to avoid having privacy and security protections for protected health information lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity. Allowing such a lapse in privacy and security protections could allow business associates to avoid liability imposed upon them by sections 13401 and 13404 of the Act. Further, applying HIPAA privacy and security requirements directly to subcontractors also ensures that the privacy and security protections of the HIPAA Rules extend beyond covered entities to those entities that create or receive protected health information in order for the covered entity to perform its health care functions. Therefore, we proposed that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance. This proposed modification would not require the covered entity to have a contract with the subcontractor; rather, the obligation would remain on each business associate to obtain satisfactory assurances in the form of a written contract or other arrangement that a subcontractor will appropriately safeguard protected health information.

    For example, if a business associate, such as a third party administrator, hires a company to handle document and media shredding to securely dispose of paper and electronic protected health information, then the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of the protected health information in accordance with its contract with the business associate).

    Overview of Public Comments

    While some commenters generally supported extending the business associate provisions of the Rules to subcontractors, many opposed such an extension arguing, among other things, that doing so was not the intent of Congress and beyond the statutory authority of the Department, that confusion may ensue with covered entities seeking to establish direct business associate contracts with subcontractors or prohibiting business associates from establishing subcontractor relationships altogether, and/or that creating direct liability for subcontractors will discourage such entities from operating and participating in the health care industry. Some commenters asked how far down the "chain" of subcontractors do the HIPAA Rules apply — i.e., do the Rules apply only to the first tier subcontractor or to all subcontractors down the chain.

    In response to our request for comment on this issue, several commenters were concerned that use of the term subcontractor was confusing and instead suggested a different term be used, such as business associate contractor or downstream business associate, to avoid confusion between primary business associates of a covered entity and subcontractors. Other commenters suggested changes to the definition of subcontractor itself to better clarify the scope of the definition.

    Several commenters requested specific guidance on who is and is not a subcontractor under the definitions of "business associate" and "subcontractor." For example, one commenter asked whether an entity that shreds documents for a business associate for the business associate’s activities and not for the covered entity, would qualify as a subcontractor.

    Another commenter asked whether disclosures by a business associate of protected health information for its own management and administration or legal needs creates a subcontractor relationship. Other commenters recommended that subcontractors without routine access to protected health information, or who do not access protected health information at all for their duties, not be considered business associates.

    Final Rule

    The final rule adopts the proposal to apply the business associate provisions of the HIPAA Rules to subcontractors and thus, provides in the definition of "business associate" that a business associate includes a "subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate." In response to comments, we clarify the definition of "subcontractor" in § 160.103 to provide that subcontractor means: "a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate." Thus, a subcontractor is a person to whom a business associate has delegated a function, activity, or service the business associate has agreed to perform for a covered entity or business associate. A subcontractor is then a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information. We also decline to replace the term "subcontractor" with another, as we were not persuaded by any of the alternatives suggested by commenters (e.g., "business associate contractor," "downstream business associate," or "downstream entity").

    We disagree with the commenters that suggested that applying the business associate provisions of the HIPAA Rules to subcontractors is beyond the Department’s statutory authority. In the HITECH Act, Congress created direct liability under the HIPAA Privacy and Security Rules for persons that are not covered entities but that create or receive protected health information in order for a covered entity to perform its health care functions, to ensure individuals’ personal health information remains sufficiently protected in the hands of these entities. As stated in the NPRM, applying the business associate provisions only to those entities that have a direct relationship with a covered entity does not achieve that intended purpose. Rather, it allows privacy and security protections for protected health information to lapse once a subcontractor is enlisted to assist in performing a function, activity, or service for the covered entity, while at the same time potentially allowing certain primary business associates to avoid liability altogether for the protection of the information the covered entity has entrusted to the business associate. Further, section 13422 of the HITECH Act provides that each reference in the Privacy subtitle of the Act to a provision of the HIPAA Rules refers to such provision as in effect on the date of enactment of the Act or to the most recent update of such provision (emphasis added). Thus, the Act does not bar the Department from modifying definitions of terms in the HIPAA Rules to which the Act refers. Rather, the statute expressly contemplates that modifications to the terms may be necessary to carry out the provisions of the Act or for other purposes.

    Further, we do not agree that covered entities will be confused and seek to establish direct business associate contracts with subcontractors or will prohibit business associates from engaging subcontractors to perform functions or services that require access to protected health information. The final rule makes clear that a covered entity is not required to enter into a contract or other arrangement with a business associate that is a subcontractor. See §§ 164.308(b)(1) and 164.502(e)(1)(i). In addition, as commenters did not present direct evidence to the contrary, we do not believe that covered entities will begin prohibiting business associates from engaging subcontractors as a result of the final rule, in cases where they were not doing so before. Rather, we believe that making subcontractors directly liable for violations of the applicable provisions of the HIPAA Rules will help to alleviate concern on the part of covered entities that protected health information is not adequately protected when provided to subcontractors.

    The Department also believes that the privacy and security protections for an individual’s personal health information and associated liability for noncompliance with the Rules should not lapse beyond any particular business associate that is a subcontractor. Thus, under the final rule, covered entities must ensure that they obtain satisfactory assurances required by the Rules from their business associates, and business associates must do the same with regard to subcontractors, and so on, no matter how far "down the chain" the information flows. This ensures that individuals’ health information remains protected by all parties that create, receive, maintain, or transmit the information in order for a covered entity to perform its health care functions.

    For example, a covered entity may contract with a business associate (contractor), the contractor may delegate to a subcontractor (subcontractor 1) one or more functions, services, or activities the business associate has agreed to perform for the covered entity that require access to protected health information, and the subcontractor may in turn delegate to another subcontractor (subcontractor 2) one or more functions, services, or activities it has agreed to perform for the contractor that require access to protected health information, and so on. Both the contractor and all of the subcontractors are business associates under the final rule to the extent they create, receive, maintain, or transmit protected health information.

    With respect to requests for specific guidance on who is and is not a subcontractor, we believe the above changes to the definition provide further clarity. We also provide the following in response to specific comments.

    Disclosures by a business associate pursuant to § 164.504(e)(4) and its business associate contract for its own management and administration or legal responsibilities do not create a business associate relationship with the recipient of the protected health information because such disclosures are made outside of the entity’s role as a business associate. However, for such disclosures that are not required by law, the Rule requires that the business associate obtain reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person and the person notifies the business associate of any instances of which it is aware that the confidentiality of the information has been breached. See § 164.504(e)(4)(ii)(B).

    In contrast, disclosures of protected health information by the business associate to a person who will assist the business associate in performing a function, activity, or service for a covered entity or another business associate may create a business associate relationship depending on the circumstances. For example, an entity hired by a business associate to appropriately dispose of documents that contain protected health information is also a business associate and subject to the applicable provisions of the HIPAA Rules. If the documents to be shredded do not contain protected health information, then the entity is not a business associate. We also clarify that the same interpretations that apply to determining whether a first tier contractor is a business associate also apply to determining whether a subcontractor is a business associate.

    Thus, our interpretation of who is and is not excluded from the definition of business associate as a conduit also applies in the context of subcontractors. We refer readers to the above discussion regarding transmission services and conduits.