Subcontractor Business Associate
A business associate that creates, receives, maintains, or transmits PHI on behalf of another business associate.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- HIPAA & Privacy
- Primary sources
- 3
- Workspace handoff
- compliance binder →
Where this comes up
Privacy officers and practice managers handle this — patient rights requests, accounting of disclosures, BAA reviews with new vendors, breach risk assessments after an incident, and OCR responses when a complaint lands. The 60-day breach-notification clock starts at discovery, not at investigation close.
Full definition
What it is in practice
Under the 2013 Omnibus Rule, HIPAA obligations flow down through the entire vendor chain. If your billing company subcontracts coding to a third party, that third party is a subcontractor business associate and needs its own BAA with the billing company.
How it shows up in your practice
When auditing a vendor, ask for the BAA they hold with their own subcontractors. A break in the chain leaves a regulatory gap. Document the chain in your vendor register.
Sources
- 45 CFR 160.103 — Definitionshttps://www.ecfr.gov/current/title-45/section-160.103
- HHS — HIPAA Omnibus Rule (2013)https://www.federalregister.gov/documents/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the
- HHS — Business Associateshttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
Audit your vendor chain in the Compliance Binder
Open compliance binder →Related terms
- HIPAA & PrivacyBAA (Business Associate Agreement)A written contract required between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf.
- HIPAA & PrivacyBusiness AssociateA person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve the use or disclosure of PHI.
- HIPAA & PrivacyHIPAA Omnibus RuleThe 2013 final rule that implemented the HITECH Act amendments to HIPAA, making business associates directly liable and tightening the breach notification standard.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryBAA (Business Associate Agreement)A written contract required between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf.
- GlossaryBusiness AssociateA person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve the use or disclosure of PHI.
- GlossaryHIPAA Omnibus RuleThe 2013 final rule that implemented the HITECH Act amendments to HIPAA, making business associates directly liable and tightening the breach notification standard.
- GlossaryCovered EntityA health plan, health care clearinghouse, or health care provider that transmits health information in electronic form in connection with a HIPAA transaction.
- GlossaryePHI (Electronic Protected Health Information)PHI that is created, received, maintained, or transmitted in electronic form.
- SRABAA Vendor List: Which Vendors a Small Practice Needs to Sign WithA working list of the vendor categories a small practice typically needs a Business Associate Agreement with under 45 CFR 164.504(e), plus how to handle subcontractor chains.
- RegulationHIPAA Accounting of Disclosures (45 CFR 164.528)Individuals may request an accounting of disclosures of their PHI made by a covered entity in the prior six years, with a defined list of exclusions.
- BillingBusiness Associate Agreement Checklist for Small PracticesA working checklist for small practices to identify which vendors need a Business Associate Agreement, what clauses the BAA must contain, and how to track them.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.