A fellow member of Partners in Healthcare asked me to focus this month’s Partners Pointer on Business Associates, particularly a Business Associate that is a subcontractor of another Business Associate (we will call this a “Sub-BA”) and that Sub-BA’s rights and obligations with respect to protected health information (PHI).  I was asked to address two main questions.  First, to what extent is a Sub-BA permitted access to PHI?  Second, what are the Sub-BA’s obligations with respect to safeguarding PHI? 

Generally speaking, the extent to which a properly authorized Sub-BA is permitted to access PHI is the same as for any other entity or individual.  The standard is “the minimum necessary to accomplish the intended purpose of the use, disclosure, or request” (45 C.F.R. 164.502(b)).  Similarly, Sub-BAs must adhere to the administrative, physical, and technical safeguards required under the HIPAA Security Rule.  These include measures such as implementing policies and procedures to prevent, detect, contain, and correct security violations (administrative safeguard), limiting physical access to information systems and facilities to authorized persons (physical safeguard), and data encryption (technical safeguard).

Both of these questions may also be answered, more specifically, by looking to the terms of the BAA between the primary Business Associate and the Covered Entity.  A Business Associate cannot convey rights to a Sub-BA that exceed those originally granted by the Covered Entity.  Likewise, the obligations of a Sub-BA must be the same or more stringent than those the primary Business Associate owes the Covered Entity.  For example: If the BAA between Covered Entity and Business Associate requires that Business Associate report any Security Incident to Covered Entity within 30 days of discovery, then the BAA between Business Associate and Sub-BA cannot give Sub-BA the statutory maximum of 60 days to report such incidents to Business Associate.

If you have any questions or would like assistance with Business Associate Agreements or other HIPAA-related needs, please contact Nixon Law Group.
Caitlin Riccobono, Esq., Counsel at Nixon Law Group, enjoys staying engaged with local healthcare providers and develops these routine “Partners Pointers” for the Virginia-based healthcare organization Partners in Healthcare.