Use a HIPAA Subcontractor Agreement to allow the secured sharing of medical records between a business associate and subcontractor.
Updated April 23, 2024
Written by Josh Sainsbury | Reviewed by Brooke Davis
A HIPAA subcontractor agreement is a legal agreement between a subcontractor and a business associate specified in the Health Insurance Portability and Accountability Act (HIPAA) regulations. The agreement outlines the subcontractor’s responsibility under HIPAA regulations and how protected health information (PHI) should be handled.
You cannot add a clause that opposes any HIPAA regulations, such as allowing the disclosure or use of PHI without written patient authorization.
You may be liable if a HIPAA violation occurs during your subcontractor’s work. That is when an agreement comes into play; it not only lays out what the subcontractor needs to do but also offers proof that you took steps to ensure regulations were followed with your subcontractors.
HIPAA requirements include:
Any time HIPAA is involved, you must know who you hire. This is true even if the person you hire is not meant to be a full-time employee.
HIPAA is the national standard for protecting individual medical records and patient privacy. It is relevant to insurance plans, healthcare providers, and healthcare clearinghouses, especially those who use digital records.
It also limits how and when medical records can be used and what constitutes a breach of patient privacy.
It is based on the Federal Health Insurance Portability and Accountability Act of 1996, a federal law initiating the creation of national standards protecting confidential patient health information from disclosure without the patient’s consent or knowledge.
In 45 CFR 160.202, HIPAA defines a subcontractor as “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.”
If you employ other industry professionals on a case-by-case basis or without adding them as permanent team members, they are considered subcontractors.
In almost every case, patient consent must be gained to share medical records. This includes sharing them with potential employers or selling them to advertisers or marketers.
Disclosures for family and close friends allow healthcare providers to share relevant information about the patient’s condition or care.
There are a few cases where patient consent is not required,
Subcontractors must still abide by HIPAA rules, as should any professional handling sensitive medical records. As such, you must ensure they comply with regulations. You can be held liable if they commit a HIPAA violation and you took no steps to prevent this.
The penalties for non-compliance include civil monetary penalties starting from $100 to $50,000 per violation, depending on the tier of the breach (Tier 1, Tier 2, Tier 3, or Tier 4).
Criminal penalties can also be imposed for certain intentional violations, leading to fines and potential imprisonment.
HIPAA subcontractors must protect health information to the extent that HIPAA requires. Professionals dealing with a patient’s private medical records and full-time health care and insurance professionals are responsible for protecting that privacy.
The Common Agency Provision states that if a business associate violates the regulations, it is also considered a violation for the covered entity. To protect data, the business associate or covered entity may offer HIPAA training and services to subcontractors.
However, it’s important to note that a company cannot dictate how contractors should do their jobs. That is why it’s recommended that subcontractors be responsible for obtaining their own HIPAA training and creating their policies to comply with regulations.
Included in any HIPAA subcontractor agreement should be a breakdown of the contractor’s responsibilities, including:
After sharing all this information, both parties will sign the contract to make it enforceable.
Comply with HIPAA regulations using our subcontractor agreement template. Download the fillable form in Word or PDF format.