HIPAA Subcontractor Agreement Template


Updated December 29, 2021

A HIPAA subcontractor agreement is between a business associate and a subcontractor to allow the secure sharing of medical records. This agreement is required under HIPAA law (45 CFR § 164.504(e)(1)) to be signed prior to accessing medical information.

HIPAA Definition of “Subcontractor”

“Subcontractor means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.”

Related HIPAA Agreements

Employee HIPAA Agreement – For employers when hiring new employees that will have access to sensitive medical information.

Independent Contractor HIPAA Agreement – For an individual or company acting as an independent contractor that will be handling medical information.

What is HIPAA?

HIPAA regulations are based on the Federal Health Insurance Portability and Accountability Act of 1996 that establishes the rules and regulations when handling medical records.

The main purpose is to determine how personal or health information can be utilized by any organization or subcontractor that has access. The Act determines the standards of privacy rights that must be followed and the consequences. Protected information could range from an individual’s mental or medical condition, payments in relation to treatments, and delivery of treatment to the individual.

Sharing medical records WITHOUT consent

Under certain circumstances allowed by HIPAA, a patient’s information can be disclosed to another party without consent if the disclosure falls under one of the following:

  • Required by law or by court order to identify a fugitive, inform law enforcement officials of death, or if the information is tied to a crime, etc.
  • Information is subject to FDA regulation (i.e. reporting an adverse effect of a drug)
  • Requested from employers due to a work-related injury
  • The individual is a victim of neglect, domestic or physical abuse
  • Information is for audits or investigations in regard to government benefit programs or the healthcare system

What must a HIPAA Subcontractor Agreement include?

  • Use of Information: How the information can and would be used must be defined in the contract
  • Further Disclosure: Language advising that the subcontractor may not use or provide the information to another party in a way that violates the HIPAA Privacy Act or as determined in the contract. Furthermore, the agreement must advise that the subcontractor follow all guidelines and regulations as deemed in the HIPAA Act.
  • Safeguards: The agreement must advise that the subcontractor is responsible for keeping the information safe and private
  • Unauthorized Disclosure or Use: The agreement must advise the subcontractor that they will be responsible for reporting any unauthorized use and disclosure of the information or security incidents that occur, inclusive of breaches.
  • Access to PHI: The agreement must advise that the information should be made available upon request to the individual it directly concerns. Additionally, if and when the agreement is amended, the amendment should also be made readily available along with accountings.
  • Covered Entity’s Duties: The subcontractor will carry out a covered entity’s obligations and comply with the requirements of HIPAA that apply to the entity under the agreement.
  • Record Keeping: The subcontractor must make the following available to the Department of Health and Human Services (HHS): books, internal policies and procedures, information regarding the disclosure and use of Protected Health Information (PHI), and documents received or created by the subcontractor on behalf of the entity.
  • Process for Destroying or Returning PHI: The subcontractor will be responsible for returning or destroying (as determined in the agreement) any PHI that was received or created on behalf of the entity. In the event the information cannot be returned or destroyed, the subcontractor is required to limit any future use of the information and remains responsible for keeping it safe until further notice.

Do HIPAA Subcontractors need to protect health information?

HIPAA subcontractors will need to ensure that any PHI is maintained safely and securely. The contract may further set out stipulations required by the entity and by applicable state law, and may provide guidance on appropriate security measures.

Are Subcontractors subject to HIPAA rules?

All HIPAA subcontractors are subject to the HIPAA regulations and conditions. Any unauthorized sharing, breach, or misuse of information could result in an adverse action. Penalties can result in monetary consequences or potentially jail time.

Monetary penalties can range from $100 for each violation up to $1.5 million for each calendar year. Criminal penalties can reach up to 10 years in prison depending on the severity of the action (i.e. knowingly violating HIPAA for malicious reasons).