Comparison · Privacy

BAA vs Subcontractor BAA

A BAA flows from a covered entity down to a business associate. A Subcontractor BAA flows from a business associate down to its subcontractor that handles PHI. Both are required for the chain to satisfy HIPAA.

Last reviewed May 24, 2026

Side by side

Option A

BAA (CE → BA)

Business Associate Agreement between a covered entity and a vendor that creates, receives, maintains, or transmits PHI on its behalf.

45 CFR 164.504(e)
  • Required by 45 CFR 164.504(e).
  • BA must obtain BAAs with its own subcontractors that handle PHI.
Option B

Subcontractor BAA (BA → Subcontractor)

BAA flowed down to a subcontractor of a business associate that creates, receives, maintains, or transmits PHI on the BA's behalf.

45 CFR 164.502(e)(1)(ii)
  • Required by 45 CFR 164.502(e)(1)(ii).
  • Subcontractors are themselves directly liable as business associates under HITECH.
  • Must offer equivalent or stronger protections than the upstream BAA.
Who signs it
BAACovered entity and BA
Sub-BAABA and its subcontractor
Required by
BAA45 CFR 164.504(e)
Sub-BAA45 CFR 164.502(e)(1)(ii)
Who is liable to OCR
BAABA directly liable under HITECH
Sub-BAASubcontractor directly liable under HITECH
Protections must be
BAAAt least the Privacy/Security Rule minimum
Sub-BAAAt least equivalent to the upstream BAA

When to use BAA (CE → BA)

  • Practice contracts with any vendor that will handle PHI — BAA in place before data is shared.

When to use Subcontractor BAA (BA → Subcontractor)

  • Practice's existing BA uses its own subcontractor for part of the work (e.g., cloud hosting) — confirm the BA has a sub-BAA in place.

Common mistakes

  • Assuming the upstream BAA covers all subcontractors automatically — each handoff requires its own BAA.
  • Allowing a BA to share PHI with a subcontractor that has no sub-BAA — both are exposed.
  • Not auditing the BA's subcontractor list periodically.

Sources

Take it into the workspace

Map the BAA chain in the SRA readiness check

Open sra studio
Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.