HIPAA - Subcontractors and suppliers


Hello, any HIPAA experts out there?

I am wondering if it is the responsibility of the Covered Entity to 'sign-up' their subcontractors/suppliers as Business Associates?

What I mean by this is - if I am given Protected Health Information by a healthcare professional and we do not have a Business Associate Agreement in place (because the healthcare professional has not made me sign one), am I obliged to comply with HIPAA?


CAs are responsible for having a BAA with their BAs. BAs are also responsible for having BAAs with any subcontractors they use.

If you know you are a business associate, and you are one if you process PHI/ePHI on behalf of a CA, then you have to comply with HIPAA.
If the CA didn't ask you to sign a BAA, I would ask them for one, or you create one and ask the CA to execute it.
