HIPAA Subcontractor Agreement Template

Use a HIPAA Subcontractor Agreement to allow the secured sharing of medical records between a business associate and subcontractor.

Updated April 23, 2024
Written by Josh Sainsbury | Reviewed by Brooke Davis

A HIPAA subcontractor agreement is a legal agreement between a subcontractor and a business associate specified in the Health Insurance Portability and Accountability Act (HIPAA) regulations. The agreement outlines the subcontractor’s responsibility under HIPAA regulations and how protected health information (PHI) should be handled.

You cannot add a clause that opposes any HIPAA regulations, such as allowing the disclosure or use of PHI without written patient authorization.

• When to Use
• Hiring HIPAA Subcontractors
• What to Include
• HIPAA Subcontractor Agreement Sample

When to Use

You may be liable if a HIPAA violation occurs during your subcontractor’s work. That is when an agreement comes into play; it not only lays out what the subcontractor needs to do but also offers proof that you took steps to ensure regulations were followed with your subcontractors.

HIPAA requirements include:

• Use encrypted communication channels for the transmission of PHI
• Notification of any breach to the covered entity or business associate
• Accommodating patient’s rights to access or amend their information
• Have policies and procedures in place to safeguard PHI
• Implement measures for protecting the integrity, confidentiality, and availability of PHI
• Complying with any inquiries or audits conducted by the HHS Office for Civil Rights (OCR) as part of their duty to ensure compliance with regulations
• Maintain records related to HIPAA requirements compliance[/lt_tip]

Hiring HIPAA Subcontractors

Any time HIPAA is involved, you must know who you hire. This is true even if the person you hire is not meant to be a full-time employee.

What Is HIPAA?

HIPAA is the national standard for protecting individual medical records and patient privacy. It is relevant to insurance plans, healthcare providers, and healthcare clearinghouses, especially those who use digital records.

It also limits how and when medical records can be used and what constitutes a breach of patient privacy.

It is based on the Federal Health Insurance Portability and Accountability Act of 1996, a federal law initiating the creation of national standards protecting confidential patient health information from disclosure without the patient’s consent or knowledge.

HIPAA Subcontractor Definition

In 45 CFR 160.202, HIPAA defines a subcontractor as “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.”

If you employ other industry professionals on a case-by-case basis or without adding them as permanent team members, they are considered subcontractors.

Sharing Medical Records Without Consent

In almost every case, patient consent must be gained to share medical records. This includes sharing them with potential employers or selling them to advertisers or marketers.

Disclosures for family and close friends allow healthcare providers to share relevant information about the patient’s condition or care.

There are a few cases where patient consent is not required,

• Disclosure of protected health information to the individual who is the subject of the information.
• Use and disclosure of protected health information for healthcare operations activities, treatment, and payment.
• If the patient is incapacitated, in an emergency, or unavailable, a covered entity can make such disclosures if it is in the patient’s best interest.
• Information is for health oversight activities such as audits or investigations regarding government benefit programs or the healthcare system.
• When it is required by law or by court order for law enforcement or judicial purposes.
• Disclose protected health information in compliance with workers’ compensation laws in case of workplace injuries.
• The individual is a victim of neglect, domestic or physical abuse

Are Subcontractors Subject to HIPAA Rules?

Subcontractors must still abide by HIPAA rules, as should any professional handling sensitive medical records. As such, you must ensure they comply with regulations. You can be held liable if they commit a HIPAA violation and you took no steps to prevent this.

The penalties for non-compliance include civil monetary penalties starting from $100 to $50,000 per violation, depending on the tier of the breach (Tier 1, Tier 2, Tier 3, or Tier 4).

Criminal penalties can also be imposed for certain intentional violations, leading to fines and potential imprisonment.

Do HIPAA Subcontractors Need to Protect Health Information?

HIPAA subcontractors must protect health information to the extent that HIPAA requires. Professionals dealing with a patient’s private medical records and full-time health care and insurance professionals are responsible for protecting that privacy.

The Common Agency Provision states that if a business associate violates the regulations, it is also considered a violation for the covered entity. To protect data, the business associate or covered entity may offer HIPAA training and services to subcontractors.

However, it’s important to note that a company cannot dictate how contractors should do their jobs. That is why it’s recommended that subcontractors be responsible for obtaining their own HIPAA training and creating their policies to comply with regulations.

What to Include

Included in any HIPAA subcontractor agreement should be a breakdown of the contractor’s responsibilities, including:

• Use of information: Consider what information the subcontractor may share with anyone other than the patient.
• Disclosures and safeguards: Specify that the subcontractor must adhere to regulations and not provide any medical information in a way that goes against them.
• Breach notifications: Detail that the subcontractor must report any breach or disclosure of PHI as soon as they are aware of it.
• PHI availability: The general contractor will provide a limited amount of access, called a designated record set, to PHI, allowing the subcontractor to meet patient needs.
• Third-party disclosures: There are certain exceptions in which it might be necessary to share medical information with third parties, such as when required by law. Third-party disclosures detail these instances.
• HIPAA compliance determination: Any internal practices or records used to reach compliance will be made available to the subcontractor.

After sharing all this information, both parties will sign the contract to make it enforceable.

HIPAA Subcontractor Agreement Sample

Comply with HIPAA regulations using our subcontractor agreement template. Download the fillable form in Word or PDF format.