Under HIPAA, a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another Business Associate is also a Business Associate. Contracts between Business Associates and Business Associates that are subcontractors are subject to these same requirements under HIPAA as contracts between Covered Entities and Business Associates. System shall require any Office within the Health Care Component that acts as a Business Associate to OEB or another Covered Entity and that contracts with other contractors to agree by written agreement to certain restrictions and duties with respect to PHI that the contractor creates, collects or holds on behalf of System in its capacity as the subcontractor of an office that is a Business Associate.
6.2(1) Identifying Subcontractors to Business Associates
- Offices within the Health Care Component shall review all of their existing contracts to determine whether the contract involves actual or potential Use or Disclosure of PHI maintained by or on behalf of the office in order to determine whether such contracts need to be amended to include Business Associate agreement provisions.
- Prior to entering into any new agreement with another entity for any services or activities, Offices shall determine whether the entity will provide services or activities that involve the actual potential Use or Disclosure of PHI maintained by or on behalf of the office in order to determine whether such contracts need to be amended to include Business Associate agreement provisions.
Business Associates include persons or entities who have periodic contact with PHI (e.g., outside auditors), or that have contact with PHI or (e.g., vendors providing software or hosting services) that require the vendor to persistently store PHI even if the vendor does not access the PHI.
6.2(2) Contracting with Subcontractors to Business Associates
If an office determines that a contract will or could result in the creation, receipt, Use, or Disclosure of System PHI maintained by that office as a Business Associate, that office shall ensure that the contract contains the provisions set forth in Policy 6.2(2) for Business Associate agreements. In any case where the services are to be  provided by another governmental entity, this section can be satisfied by a memorandum of understanding with the other government entity that contains terms that accomplish the objectives of the HIPAA Privacy Standards that relate to Business Associate Agreements.
6.2(3) Monitoring Subcontracting by Business Associates
If System learns that a subcontractor to an office acting as a Business Associate as described in this Policy 6.2 has materially violated one or more of the written agreement’s provisions described in subsection 6.2(2), System shall take reasonable steps to end the violation and mitigate the violation’s harmful effects in accordance with Section 8.4 of this Manual. If System’s steps to end the violation and mitigate its effects are unsuccessful, System shall terminate the contract or arrangement with the Business Associate or, if the Privacy Officer determines that such termination is not feasible, report the problem to the Secretary.
6.1(4) Documentation of Subcontracting to Business Associates.
System shall retain any written agreement between an office that is a Business Associate and a subcontractor intended to comply with this Section. Such documentation shall be retained in accordance with Section 9.2 of this Manual.
REFERENCES/CITATIONS
45 C.F.R. §§ 164.502(e), 164.504(e)