Question
Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:
“I was reading through one of your previous Bite-Size blogs on the topic of requiring cyber liability insurance from our business associates. I followed the reference to the HIPAA law in Bite-Size HIPAA® and noticed the last line of the section states that as a covered entity our practice is, “NOT required to obtain such satisfactory assurances from a business associate that is a subcontractor.” I’m a little confused. Can you help me understand the distinction between a “business associate” and a “business associate that is a subcontractor?”
Thank you for your question! I understand the confusion here. It’s important to understand how the law defines the word subcontractor. Let’s see what the HIPAA law has to say about business associate subcontractors.
The HIPAA Law
The confusing part of the law we are discussing is section 164.502(e)(1)(i). The exact same language is used in 164.308(b)(1) as well. These sections first state that, “A covered entity may disclose protected health information to a business associate… if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.” But then they say, “a covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.” But aren’t all your business associates subcontractors? You are contracting with them to perform some service on your behalf. In common language that seems like the very definition of a subcontractor. So why does the law draw this distinction?
If you look at the definitions included in section 160.103, you will find that in HIPAA, the word subcontractor has a specific defined meaning. It is a person or organization to whom a business associate delegates a function, activity, or service. So, a subcontractor is a business associate to another business associate. They do not have a direct relationship with the covered entity but may be engaged in providing the service to your practice.
It’s a privacy and security responsibility chain. For example, if your practice contracts a billing company to perform a service for your practice, and then they contract with various individuals to perform that service, the individuals contracted by the billing company would be considered subcontractors.
You do not need to enter into a business associate agreement with the subcontractors because you do not have a direct relationship with them. It is not your practice’s responsibility to ensure that the people hired by the billing company understand and comply with HIPAA. It is the responsibility of the billing company, the business associate. In section 164.502(e)(1)(ii), you will see that business associates are the ones that must obtain satisfactory assurances that the subcontractor will safeguard PHI. This ensures there are no “weak links” in our chain of privacy and security.
Summary
To summarize, HIPAA does require that all organizations that use PHI on behalf of a covered entity enter into business associate agreements and provide satisfactory assurances. However, covered entities only need to enter into BAAs with the organizations they work with directly. If those business associates wish to subcontract some of the work, it is their responsibility to enter into a BAA with their subcontractors. These sections of the law are essentially stating that every organization that has access to PHI, either directly as a business associate or indirectly as a subcontractor of the business associate, provides the necessary assurances that it understands and complies with HIPAA standards.
Have a HIPAA Question?
If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted – but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.