
What is a Business Associate Subcontractor?

Most people are familiar with the term "Business Associates" under HIPAA, but what happens when those BAs need to subcontract work out to other BAs? On this page we'll detail what a Business Associate Subcontractor is and what steps need to be taken to ensure liability is shared properly.

What is a Business Associate Subcontractor?

When it comes to the world of HIPAA, there are a lot of terms and phrases that can be confusing for those who are not familiar with them. One such term is "business associate subcontractor." So, what is a business associate subcontractor? It’s actually exactly what it sounds like: a company or individual contracted by a business associate to provide services related to the operation of the business. Typically, this includes support functions such as accounting, human resources, marketing, medical devices, and information technology.

In some cases, a subcontractor may also provide services related to the product or service offered by the business. Read on to learn more about how to find and work with a good business associate subcontractor.

What is a Business Associate Subcontractor?

  • If you are in the business world, you have likely heard of subcontractors. But more specifically, what is a business associate subcontractor? In short, a business associate subcontractor is an entity that provides services or performs functions on behalf of a business associate that involve the use or disclosure of protected health information (PHI). Business associate subcontractors are required to comply with the same privacy and security requirements as the business associate they are providing services for.
  • Just as they have done previously with covered entities, business associates must enter into a written contract with the business associate subcontractor, called a business associate agreement (BAA). In it, the subcontractor agrees to comply with the applicable HIPAA privacy and security requirements. Business associates are directly liable for compliance with certain provisions of the Privacy Rule and may be subject to civil and criminal penalties for violating HIPAA.
  • Under the HITECH Act, business associate subcontractors must notify the business associate of any breaches of unsecured protected health information. Business associates must then take appropriate steps to mitigate any harmful effects of the breach and, if necessary, notify the individuals whose information was involved in the breach.

Examples of Business Associate Subcontractors

There are many different types of business associate subcontractors. Here are five examples:

1. Accounting and Bookkeeping Services

These services are usually provided by an outside contractor or firm that specializes in financial record keeping and management. The main benefit of using a business associate subcontractor for these services is that it can free up time for businesses to focus on other aspects of their operations.

2. Marketing and Advertising Services

These services can also be outsourced to specialized agencies or contractors. The main advantage of doing this is that businesses can save on costs associated with marketing and advertising campaigns.

3. Information Technology (IT) Services

IT services cover a wide range of activities, from website development and maintenance to network security and data backup. Contracting out these services can help businesses save money and ensure that professionals manage their IT infrastructure.

4. Human Resources (HR) Services

HR services encompass various activities, from recruiting and training employees to managing payroll and benefits. Businesses can save time and money by outsourcing these services to specialized firms or contractors.

5. Shipping and Logistics Services

Shipping and logistics services involve the coordination of transportation and storage of goods. Businesses can save money by contracting out these services to firms that specialize in this area.


Business Associate Subcontractor Agreements

When you engage a business associate subcontractor to perform services on your behalf, you must have a written agreement that establishes the arrangement's terms and conditions. The agreement must spell out the nature and scope of the work to be performed and the protections that will be in place to safeguard patient information.

There are many different types of business associate agreements, but all must contain certain basic elements. Here are five of the most important:

1. Scope of Services:

The agreement should clearly define the services to be performed by the business associate subcontractor. This will help prevent any misunderstandings about the scope of the work to be done and avoid any potential HIPAA violation.

2. Responsibility for Safeguarding Protected Health Information:

The agreement should state that the subcontractor is responsible for safeguarding any protected health information they come into contact with. This includes ensuring that all PHI is properly encrypted and stored in a secure location.

3. Reporting of Security Incidents:

The agreement should require the business associate subcontractor to report to the covered entity any security incidents that occur. This helps ensure that the business associate is aware of potential risks and can take steps to mitigate them. In this relationship the business associate also shares liability, so it should likewise notify the subcontractor if a security incident occurs on its end.

4. Return or Destruction of Protected Health Information:

The agreement should require the business associate to return or destroy all PHI once the services have been completed. This helps ensure that the business associate does not have any unnecessary PHI in its possession.

5. Compliance with HIPAA:

The agreement should require the subcontractor to comply with all applicable HIPAA regulations. This helps ensure that the business associate is protected from any potential liability in the event of a HIPAA violation.

These are just some of the key elements that should be included in a business associate agreement.

Bottom line

When entering into a business relationship with a subcontractor, it is important to have a clear understanding of the roles and responsibilities of each party. This can help avoid any confusion or misunderstandings down the road. Additionally, executing a Business Associate Subcontractor Agreement is often a good idea.

Here at Accountable, we offer various services to help companies comply with HIPAA, including training, vendor management, and software. We are here to help you protect your clients' data and keep your business compliant with the law. Visit our website to learn more about our services, or contact us today to get started.
