HIPAA Regulations: General Provisions: Definitions - Subcontractor - § 160.103
As Contained in the HHS HIPAA Privacy Rules
Includes changes from the January 2013 final HHS regulations
HHS Regulations as Added by the January 2013 Amendments
Subcontractor means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.
HHS Description and Commentary From the January 2013 Amendments
Proposed Rule
We proposed in the definition of "business associate" to provide that subcontractors of a covered entity, i.e., those persons that perform functions for or provide services to a business associate other than in the capacity as a member of the business associate’s workforce, are also business associates to the extent that they require access to protected health information. We also proposed to define "subcontractor" in § 160.103 as a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. Even though we used the term "subcontractor," which implies there is a contract in place between the parties, the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person. We requested comment on the use of the term "subcontractor" and its proposed definition.
The intent of the proposed extension of the Rules to subcontractors was to avoid having privacy and security protections for protected health information lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity. Allowing such a lapse in privacy and security protections could allow business associates to avoid liability imposed upon them by sections 13401 and 13404 of the Act. Further, applying HIPAA privacy and security requirements directly to subcontractors also ensures that the privacy and security protections of the HIPAA Rules extend beyond covered entities to those entities that create or receive protected health information in order for the covered entity to perform its health care functions. Therefore, we proposed that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance. This proposed modification would not require the covered entity to have a contract with the subcontractor; rather, the obligation would remain on each business associate to obtain satisfactory assurances in the form of a written contract or other arrangement that a subcontractor will appropriately safeguard protected health information. For example, if a business associate, such as a third party administrator, hires a company to handle document and media shredding to securely dispose of paper and electronic protected health information, then the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of the protected health information in accordance with its contract with the business associate).
Overview of Public Comments
While some commenters generally supported extending the business associate provisions of the Rules to subcontractors, many opposed such an extension arguing, among other things, that doing so was not the intent of Congress and beyond the statutory authority of the Department, that confusion may ensue with covered entities seeking to establish direct business associate contracts with subcontractors or prohibiting business associates from establishing subcontractor relationships altogether, and/or that creating direct liability for subcontractors will discourage such entities from operating and participating in the health care industry. Some commenters asked how far down the "chain" of subcontractors do the HIPAA Rules apply — i.e., do the Rules apply only to the first tier subcontractor or to all subcontractors down the chain.
In response to our request for comment on this issue, several commenters were concerned that use of the term subcontractor was confusing and instead suggested a different term be used, such as business associate contractor or downstream business associate, to avoid confusion between primary business associates of a covered entity and subcontractors. Other commenters suggested changes to the definition of subcontractor itself to better clarify the scope of the definition.
Several commenters requested specific guidance on who is and is not a subcontractor under the definitions of "business associate" and "subcontractor." For example, one commenter asked whether an entity that shreds documents for a business associate for the business associate’s activities and not for the covered entity, would qualify as a subcontractor. Another commenter asked whether disclosures by a business associate of protected health information for its own management and administration or legal needs creates a subcontractor relationship. Other commenters recommended that subcontractors without routine access to protected health information, or who do not access protected health information at all for their duties, not be considered business associates.
Final Rule
The final rule adopts the proposal to apply the business associate provisions of the HIPAA Rules to subcontractors and thus, provides in the definition of "business associate" that a business associate includes a "subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate." In response to comments, we clarify the definition of "subcontractor" in § 160.103 to provide that subcontractor means: "a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate." Thus, a subcontractor is a person to whom a business associate has delegated a function, activity, or service the business associate has agreed to perform for a covered entity or business associate. A subcontractor is then a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information. We also decline to replace the term "subcontractor" with another, as we were not persuaded by any of the alternatives suggested by commenters (e.g., "business associate contractor," "downstream business associate," or "downstream entity").
We disagree with the commenters that suggested that applying the business associate provisions of the HIPAA Rules to subcontractors is beyond the Department’s statutory authority. In the HITECH Act, Congress created direct liability under the HIPAA Privacy and Security Rules for persons that are not covered entities but that create or receive protected health information in order for a covered entity to perform its health care functions, to ensure individuals’ personal health information remains sufficiently protected in the hands of these entities. As stated in the NPRM, applying the business associate provisions only to those entities that have a direct relationship with a covered entity does not achieve that intended purpose. Rather, it allows privacy and security protections for protected health information to lapse once a subcontractor is enlisted to assist in performing a function, activity, or service for the covered entity, while at the same time potentially allowing certain primary business associates to avoid liability altogether for the protection of the information the covered entity has entrusted to the business associate. Further, section 13422 of the HITECH Act provides that each reference in the Privacy subtitle of the Act to a provision of the HIPAA Rules refers to such provision as in effect on the date of enactment of the Act or to the most recent update of such provision (emphasis added). Thus, the Act does not bar the Department from modifying definitions of terms in the HIPAA Rules to which the Act refers. Rather, the statute expressly contemplates that modifications to the terms may be necessary to carry out the provisions of the Act or for other purposes.
Further, we do not agree that covered entities will be confused and seek to establish direct business associate contracts with subcontractors or will prohibit business associates from engaging subcontractors to perform functions or services that require access to protected health information. The final rule makes clear that a covered entity is not required to enter into a contract or other arrangement with a business associate that is a subcontractor. See §§ 164.308(b)(1) and 164.502(e)(1)(i). In addition, as commenters did not present direct evidence to the contrary, we do not believe that covered entities will begin prohibiting business associates from engaging subcontractors as a result of the final rule, in cases where they were not doing so before. Rather, we believe that making subcontractors directly liable for violations of the applicable provisions of the HIPAA Rules will help to alleviate concern on the part of covered entities that protected health information is not adequately protected when provided to subcontractors.
The Department also believes that the privacy and security protections for an individual’s personal health information and associated liability for noncompliance with the Rules should not lapse beyond any particular business associate that is a subcontractor. Thus, under the final rule, covered entities must ensure that they obtain satisfactory assurances required by the Rules from their business associates, and business associates must do the same with regard to subcontractors, and so on, no matter how far "down the chain" the information flows. This ensures that individuals’ health information remains protected by all parties that create, receive, maintain, or transmit the information in order for a covered entity to perform its health care functions. For example, a covered entity may contract with a business associate (contractor), the contractor may delegate to a subcontractor (subcontractor 1) one or more functions, services, or activities the business associate has agreed to perform for the covered entity that require access to protected health information, and the subcontractor may in turn delegate to another subcontractor (subcontractor 2) one or more functions, services, or activities it has agreed to perform for the contractor that require access to protected health information, and so on. Both the contractor and all of the subcontractors are business associates under the final rule to the extent they create, receive, maintain, or transmit protected health information.
With respect to requests for specific guidance on who is and is not a subcontractor, we believe the above changes to the definition provide further clarity. We also provide the following in response to specific comments.
Disclosures by a business associate pursuant to § 164.504(e)(4) and its business associate contract for its own management and administration or legal responsibilities do not create a business associate relationship with the recipient of the protected health information because such disclosures are made outside of the entity’s role as a business associate. However, for such disclosures that are not required by law, the Rule requires that the business associate obtain reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person and the person notifies the business associate of any instances of which it is aware that the confidentiality of the information has been breached. See § 164.504(e)(4)(ii)(B).
In contrast, disclosures of protected health information by the business associate to a person who will assist the business associate in performing a function, activity, or service for a covered entity or another business associate may create a business associate relationship depending on the circumstances. For example, an entity hired by a business associate to appropriately dispose of documents that contain protected health information is also a business associate and subject to the applicable provisions of the HIPAA Rules. If the documents to be shredded do not contain protected health information, then the entity is not a business associate. We also clarify that the same interpretations that apply to determining whether a first tier contractor is a business associate also apply to determining whether a subcontractor is a business associate. Thus, our interpretation of who is and is not excluded from the definition of business associate as a conduit also applies in the context of subcontractors as well. We refer readers to the above discussion regarding transmission services and conduits.