
Final HIPAA Rule Clarifies Direct Liability of Business Associates and Subcontractors

Client Alert | 3 min read | 02.08.13

The HIPAA omnibus rule contains important changes concerning business associate and downstream subcontractor liability. These changes implement provisions of the HITECH Act, which sought to make business associates more accountable for the use, disclosure, and security of PHI. Under the HIPAA Final Rule, business associates and their subcontractors now face HIPAA enforcement actions directly and are directly liable for violating the HIPAA Security Rule, as well as certain provisions of the Privacy Rule and the Breach Notification Rule.

In the HIPAA Final Rule, HHS clarified the provisions for which business associates and subcontractors now face direct liability. These provisions include: (1) impermissible uses and disclosures [1]; (2) failure to provide breach notification to the covered entity [2]; (3) failure to provide access to a copy of electronic PHI to the covered entity, the individual, or the individual's designee (whichever is specified in the business associate agreement) [3]; (4) failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request [4]; (5) failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf [5]; (6) failure to disclose PHI where required by the Secretary to investigate or determine the business associate's compliance with the HIPAA Rules [6]; (7) failure to provide an accounting of disclosures (if subject to those requirements pursuant to the BA agreement) [7]; and (8) failure to comply with the requirements of the Security Rule [8].

Business associates are not required to comply with other provisions of the Privacy Rule, such as providing a notice of privacy practices or designating a privacy official, unless the covered entity has chosen to delegate such a responsibility to the business associate.

The Final Rule clarifies that a person or entity is a business associate by virtue of creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity in the performance of services, regardless of whether the parties have entered into a written BA agreement. In other words, business associate status, and the direct liability that comes with it, follows from the activity, not from the existence of a contract.

The final rule also establishes a parallel set of contracting requirements for subcontractors of business associates that create, receive, maintain, or transmit PHI on behalf of the business associate. The final rule requires covered entities to obtain satisfactory assurances regarding the protection of PHI from their business associates; business associates must do the same with their subcontractors, and so on, no matter how far "down the chain" the information flows. Furthermore, a subcontractor is itself a business associate to the extent that it is carrying out a delegated function for a BA, and it is subject to the same legal obligations as a BA that has contracted directly with a CE, again regardless of whether a written BA agreement is in place.

The agreement between a business associate and a subcontractor may not permit the subcontractor to use or disclose PHI in a manner that would not be permissible if done by the business associate. In short, each agreement in the business associate chain must be at least as stringent as the agreement above it with respect to permissible uses and disclosures.

The final rule makes clear that a covered entity is not required to enter into a direct contract or other arrangement with the subcontractors of its business associates. HHS believes that making subcontractors directly liable for violations of the applicable provisions of the HIPAA Rules will help alleviate the concern on the part of covered entities that PHI is not adequately protected once it is provided to subcontractors.

[1] See § 164.502(a)(3).

[2] See § 164.410.

[3] See § 164.502(a)(4)(ii).

[4] See § 164.502(b).

[5] See § 164.502(e)(1)(ii).

[6] See § 164.502(a)(4)(i).

[7] See 76 Fed. Reg. 31426 (May 31, 2011).

[8] Section 13401 of the HITECH Act provides that the Security Rule's administrative, physical, and technical safeguards requirements in §§ 164.308, 164.310, and 164.312, as well as the Rule's policies and procedures and documentation requirements in § 164.316, apply to business associates.
