Under the proposed rule modifying HIPAA, per the HITECH Act, it will be important for HIEs, as business associates, to know which of their subcontractor relationships require a business associate contract. Failure to have this type of agreement in place will be considered a violation of HIPAA, and also will subject the business associate to liability for the subcontractors' violations. With limited exceptions, including subcontractors that provide data transmission services that do not require access to PHI on a routine basis, a business associate contract will be the required agreement between HIEs and their subcontractors.

The business associate contract would require modification to specify that the contractor is subject to the same requirements to secure the PHI as the business associate. The contract requires assurances that the subcontractor can meet this standard, including notification to the covered entity in the event of a breach. The business associate agreement also would include the steps a business associate would take if it learns of a breach by the subcontractor, from taking remedial steps to termination of the contract. The contract between a business associate and subcontractor must include all of the provisions required for a business associate agreement.