HIPAA Privacy

[HIPAA Privacy] Lesson 3 | Business Associates and Subcontractors


HIPAA is not new. When it was written, healthcare operated differently than it does today, and some of the technology used today was only science fiction back then. BAAs and business associates were covered in the last lesson, but it’s worth revisiting both in more detail, as healthcare has adopted new technologies, partners, and types of relationships.

Expanding the Nest

Over the last 20 years, covered entities have adopted technology that is increasingly delivered and/or supported by partners, or by partners of partners. Electronic health records (EHRs) are the 800-pound gorilla example, but there are countless more technologies in use for everything from clinical communications to telemedicine to scheduling to patient messaging, and on and on.

As the web of partners has spread outward from covered entities, the web of trust, codified in business associate agreements, has expanded along with it. Third-party assurance, the term for the process of ensuring that partners are secure and can be trusted with data, has grown immensely as that web has grown. The cloud, and technology partners of partners, have made third-party assurance extremely challenging.

As the adoption of third-party technology services, most notably the public cloud, began to gain steam 10-15 years ago, HIPAA was updated to reflect this new reality. The HIPAA Omnibus Rule, which went into effect in 2013, created a new class of entities called subcontractors. These are simply business associates of business associates. BAAs are required between business associates and all of their subcontractors.

It’s worth reiterating that there is no standard template (terms, definitions, structure, etc.) for BAAs, so the string of contracts used to define accountability and obligations is widely variable and hard to track.

Below is an example of a chain of organizations linked by business associate agreements.

  • A covered entity works with a telemedicine provider. There is a BAA in place between them that requires the telemedicine provider to notify the covered entity of a breach within 72 hours.
  • The telemedicine provider relies on a cloud platform for its technology. There is a BAA between the telemedicine provider and the cloud platform provider. Under that BAA, the cloud platform provider is required to notify the telemedicine provider of a breach within 60 days (the maximum allowable under HIPAA).

The above is a simple and pretty typical example. In it, the telemedicine provider may not learn about a data breach for 60 days, and only then would it be able to notify the covered entity, long after its own 72-hour obligation has passed. Many covered entities put clauses into their BAAs that require their business associates’ downstream BAAs to carry terms as strict as, or stricter than, the covered entity’s own BAA. In practice, this is easily violated, and the example above is exactly such a violation.

Your company could be a business associate and/or a subcontractor. In either case, HIPAA applies to you, and it’s important to understand your company’s relationships under HIPAA.