HIPAA Subcontractor Agreement

A HIPAA subcontractor agreement is an agreement that identifies an individual who will be receiving or creating information covered by the HIPAA Act on behalf of a business or entity. The subcontractor must maintain the information securely and only provide it to allowable entities, as deemed by law or identified in the agreement. Failure to maintain and store the information securely could result in penalties for noncompliance or loss of the contract.

Employee HIPAA Agreement – For employers when hiring new employees that will have access to sensitive medical information.

Independent Contractor HIPAA Agreement – For an individual or company acting as an independent contractor that will be handling medical information.

What is HIPAA?

HIPAA regulations are based on the Federal Health Insurance Portability and Accountability Act of 1996. The Act determines how personal or health information can be utilized by any organization or subcontractor that receives it, sets the standards of privacy rights that must be followed, and defines the potential consequences of not doing so. Protected information could range from an individual's mental or medical condition to payments related to treatment and the delivery of treatment to the individual. However, under certain circumstances allowed by HIPAA, the individual's information can be disclosed to another party without consent if it falls under the following:

  • Required by law or by court order to identify a fugitive, inform law enforcement officials of death, or if the information is tied to a crime, etc.
  • Information is subject to FDA regulation (i.e. reporting an adverse effect of a drug)
  • Requested from employers due to a work-related injury
  • The individual is a victim of neglect, domestic or physical abuse
  • Information is for audits or investigations in regard to government benefit programs or the healthcare system

What Must a HIPAA Subcontractor Agreement Include?

The following must be included in the subcontractor agreement:

  • Use of information: How the information can and would be used must be defined in the contract
  • Further disclosure: Language advising that the subcontractor may not use or provide the information to another party in a way that violates the HIPAA Privacy Act or as determined in the contract. Furthermore, the agreement must advise that the subcontractor follow all guidelines and regulations as deemed in the HIPAA Act.
  • Safeguards: The agreement must advise that the subcontractor is responsible for keeping the information safe and private
  • Unauthorized Disclosure or Use: The agreement must advise the subcontractor that they will be responsible for reporting any unauthorized use and disclosure of the information or security incidents that occur, inclusive of breaches.
  • Access to PHI: The agreement must advise that the information should be made available upon request to the individual directly. Additionally, if and when the agreement is amended, the amendment should also be made readily available, along with accountings.
  • Covered Entity’s Duties: The subcontractor will carry out a covered entity’s obligations and comply with the requirements of HIPAA that apply to the entity in the agreement.
  • Record Keeping: The subcontractor must make the following available to the Department of Health and Human Services (HHS): books, internal policies and procedures, information regarding the disclosure and use of Protected Health Information (PHI), and documents received or created by the subcontractor on behalf of the entity.
  • Process for Destroying or Returning PHI: The subcontractor will be responsible for returning or destroying (as deemed in the agreement) any PHI that was received or created on behalf of the entity. In the event the information cannot be returned or destroyed, the subcontractor is required to limit any future use of the information and remains responsible for ensuring it is kept safe until further notice.

Do HIPAA Subcontractors Need to Protect Health Information?

HIPAA subcontractors will need to ensure any PHI is maintained safely and securely. The contract can further set out stipulations required by the entity, and additional state laws can provide guidance on appropriate security measures.

Are Subcontractors Subject to HIPAA Rules?

All HIPAA subcontractors are subject to the HIPAA regulations and conditions. Any unauthorized sharing, breach or misuse of information could result in adverse action. Penalties could include monetary consequences or potential jail time. Monetary penalties could range from $100 for each violation to $1.5 million for each calendar year. Criminal penalties could reach up to 10 years in prison, depending on the severity of the action (from unknowingly violating HIPAA to doing so for malicious reasons).