Have you entered into a Business Associate Agreements with all subcontractors who may have access to protected health information (PHI)?
Explanation
Subcontractor safeguards are the concern: the question is whether you have signed Business Associate Agreements with every subcontractor that may touch protected health information.
Under HIPAA (Health Insurance Portability and Accountability Act), a Business Associate is any entity that performs functions or activities on behalf of a Covered Entity (like a healthcare provider, health plan, or healthcare clearinghouse) that involves the use or disclosure of PHI. A subcontractor is any entity that a Business Associate delegates work to.
The question is being asked because HIPAA requires that Business Associates have written agreements with their subcontractors that establish specifically what the subcontractor can and cannot do with PHI. These agreements must include provisions that the subcontractor will implement appropriate safeguards to protect the PHI, report any security incidents, and comply with the same restrictions and conditions that apply to the Business Associate.
This is critical for security assessments because it ensures the chain of responsibility and accountability for PHI protection extends to all parties who might access this sensitive data. Without BAAs, there would be no legal obligation for subcontractors to protect PHI according to HIPAA standards.
To best answer this question:
- Inventory all your subcontractors who might access PHI
- Verify you have current, signed BAAs with each one
- Ensure the BAAs include all required HIPAA provisions
- Be prepared to provide evidence of these agreements
- If you don't have BAAs with all relevant subcontractors, explain your remediation plan
Guidance
Refer to HIPAA regulations documentation for supplemental guidance in this section.
Example Responses
Example Response 1
Yes, our organization has executed Business Associate Agreements (BAAs) with all subcontractors who may have access to PHI We maintain a comprehensive inventory of all subcontractors, which is reviewed quarterly to ensure completeness Our legal team has developed a standardized BAA template that includes all provisions required by HIPAA, including obligations to implement appropriate safeguards, report security incidents, and comply with the HIPAA Privacy and Security Rules Each BAA is reviewed annually to ensure it remains current with regulatory requirements We can provide redacted copies of these agreements upon request, as well as our subcontractor management process documentation.
Example Response 2
Yes, we have executed Business Associate Agreements with 100% of our subcontractors who may access PHI Our vendor management system automatically flags any vendor who might process PHI during the onboarding process, triggering our BAA workflow Our compliance team then works with the vendor to execute our standard BAA before any PHI access is permitted We conduct annual audits of our subcontractor relationships to verify BAA coverage and compliance Our most recent audit was completed in March 2023, confirming all 17 of our subcontractors with potential PHI access have current BAAs in place These agreements explicitly prohibit the use or disclosure of PHI beyond what is permitted or required by the BAA and require the implementation of appropriate safeguards.
Example Response 3
No, we have not yet executed Business Associate Agreements with all of our subcontractors who may have access to PHI We recently discovered through an internal audit that two of our twelve subcontractors lack proper BAAs These subcontractors provide technical support services and may occasionally have incidental access to systems containing PHI We have initiated our remediation process, which includes immediately restricting their access to PHI until proper agreements are in place Our legal team has already contacted both vendors, and we expect to have compliant BAAs executed within the next 14 days To prevent recurrence, we've implemented a new vendor onboarding checklist that explicitly requires BAA verification before system access is granted to any vendor who may encounter PHI.
Context
- Tab
- Case-Specific
- Category
- HIPAA Compliance
Related questions
- Do your workforce members receive regular training related to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules and the HITECH Act?
- Have you identified areas of risk?
- Have the relevant policies/plans been tested?
- Do you monitor or receive information regarding changes in HIPAA regulations?
- Has your organization designated HIPAA Privacy and Security officers as required by the rules?
- Do you comply with the requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH)?

