Subcontractor BAAs: When Business Associates Need Their Own BAAs
By BAA Generator Editorial · Published Apr 19, 2026 · Last reviewed Apr 19, 2026 · 5 min read
Key Takeaways
- ✓ Under 45 CFR § 164.308(b)(2) (Security Rule) and § 164.502(e)(1)(ii) (Privacy Rule), a BA may let a subcontractor handle PHI only after obtaining satisfactory assurances, documented in a written sub-BAA
- ✓ A subcontractor who receives PHI from a BA has direct HIPAA obligations — they are treated like a BA in relation to the BA
- ✓ The sub-BAA must impose the same restrictions on the subcontractor that the primary BAA imposes on the BA
- ✓ OCR can pursue enforcement directly against subcontractors: HITECH (2009) made business associates directly liable, and the 2013 Omnibus Final Rule implementing HITECH defines subcontractors that handle PHI as business associates
When a business associate hires its own vendors — cloud hosting providers, analytics platforms, customer support tools — and those vendors access PHI, the chain of HIPAA accountability extends. Understanding how BAAs work generally is the foundation; the subcontractor rule is how that structure cascades through multiple vendor layers.
What Is a Subcontractor Under HIPAA?
45 CFR § 160.103 defines a "subcontractor" as a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the BA's workforce. The 2013 Omnibus Final Rule, which implemented the HITECH Act (2009), amended the definition of "business associate" to include any subcontractor that creates, receives, maintains, or transmits PHI on behalf of a BA. A subcontractor handling PHI is therefore a business associate in its own right, with direct HIPAA liability.
This means a subcontractor who receives PHI from a BA:
- Is directly subject to the HIPAA Security Rule for any electronic PHI it handles
- Is directly subject to the applicable provisions of the Privacy Rule, including the limits on uses and disclosures and the minimum necessary standard
- Is directly subject to the Breach Notification Rule
- Can be subject to OCR enforcement independently of the BA above it
- Must comply with HIPAA even if the covered entity at the top of the chain is unaware of the subcontractor's existence
The BA is responsible for ensuring that every subcontractor handling PHI on its behalf is under a sub-BAA. The covered entity's BAA with the BA typically requires the BA to flow down these obligations, but the CE does not execute sub-BAAs directly with the BA's subcontractors and is not a party to them.
When a Business Associate Needs a Sub-BAA
A BA needs a sub-BAA with any vendor or subcontractor that creates, receives, maintains, or transmits PHI on the BA's behalf. The test is the same one that makes the BA a BA in the first place: does the vendor perform a function or service for the BA that involves creating, receiving, maintaining, or transmitting PHI? If yes, a sub-BAA is required before the vendor touches the data.
Common situations requiring a sub-BAA:
- The BA hosts its application on a cloud infrastructure provider (AWS, Google Cloud, Azure) that stores customer PHI
- The BA uses a third-party analytics tool that processes PHI for performance monitoring or reporting
- The BA uses a customer support platform (Zendesk, Intercom) where support tickets may include PHI
- The BA uses a document management system that stores PHI-containing documents
- The BA contracts with offshore data processing teams that access PHI for operations
- The BA uses a third-party email or SMS service to send communications containing PHI
A vendor that only handles data de-identified under HIPAA's de-identification standard (45 CFR § 164.514(a)-(b)), or aggregated data that is not PHI, does not require a sub-BAA. The key question is whether actual PHI is created, received, maintained, or transmitted. Two caveats that are frequently misapplied: the "conduit" exception is narrow and covers only entities that merely transmit PHI with transient access, such as an ISP or a courier; and under HHS's cloud computing guidance, a cloud provider that stores ePHI is a business associate even if the data is encrypted and the provider never holds the decryption key.
The BAA Chain: Covered Entity → BA → Subcontractor
The HIPAA accountability chain flows from the covered entity down through each layer:
- Covered entity: executes the primary BAA with the BA; responsible for obtaining satisfactory assurances from, and selecting, the BA
- Business associate: directly subject to HIPAA; must execute sub-BAAs with its own subcontractors who handle PHI
- Subcontractor: directly subject to HIPAA; must in turn execute sub-BAAs with its own vendors who handle PHI
The chain can extend further: if the subcontractor (e.g., AWS) has its own subcontractors who handle PHI, those parties also need sub-BAAs. In practice, major cloud providers manage this through their own BAA programs with their infrastructure vendors.
What Must Be in a Subcontractor BAA
Under 45 CFR § 164.308(b)(2), a BA may permit a subcontractor to create, receive, maintain, or transmit ePHI only if it obtains satisfactory assurances that the subcontractor will appropriately safeguard the information. 45 CFR § 164.314(a)(2)(iii) applies the Security Rule contract requirements to the BA-subcontractor contract in the same manner as to the CE-BA contract, and 45 CFR § 164.504(e)(5) does the same for the Privacy Rule contract requirements in § 164.504(e)(2)-(4). In practice, a sub-BAA should contain all the same elements as a standard BAA:
- Permitted uses and disclosures of PHI (limited to what is necessary to perform the subcontract function)
- Security safeguards requirements
- Breach and security incident reporting obligations: the subcontractor must report to the BA, who then reports to the CE
- Sub-sub-contractor BAA requirements (the chain continues)
- PHI return or destruction upon termination
- HHS access rights
The primary practical difference between a sub-BAA and a primary BAA is that breach notifications flow up the chain: subcontractor notifies BA, BA notifies covered entity, covered entity notifies individuals, HHS, and, for larger breaches, the media. Each hop has its own clock. Under 45 CFR § 164.410 a business associate (a subcontractor included) must notify the party above it without unreasonable delay and no later than 60 calendar days after discovery; because the CE's own 60-day deadline runs from the BA's discovery when the BA is its agent, sub-BAAs commonly set a much shorter contractual reporting window so that every party up the chain can meet its obligations.
Practical Examples of Subcontractor BAA Requirements
| Business Associate Type | Common Subcontractors Requiring Sub-BAAs | PHI Involved |
|---|---|---|
| Medical billing service | Cloud infrastructure provider (AWS/Azure/GCP) hosting the billing system; payment processor if processing claims containing PHI | Claims data, diagnosis codes, patient demographics |
| EHR vendor | Cloud hosting provider; data backup service; CDN if PHI is transmitted; third-party analytics tools integrated into the EHR | Full clinical record |
| Telehealth platform | Video infrastructure provider; cloud hosting; data storage; SMS/email communication tools used for patient messaging | Clinical encounter data, patient communications |
| Health IT consultant | Project management tools where PHI documents are shared; cloud storage used for client files containing PHI | Varies by engagement |
Frequently Asked Questions
Does a business associate need BAAs with its vendors?
Yes. Under 45 CFR § 164.308(b)(2) (Security Rule) and § 164.502(e)(1)(ii) (Privacy Rule), a business associate must obtain satisfactory assurances, documented in a written BAA (a sub-BAA), from any of its own vendors who create, receive, maintain, or transmit PHI on the BA's behalf. The sub-BAA must impose the same HIPAA restrictions on the subcontractor that the primary BAA imposes on the BA.
What is a subcontractor BAA?
A subcontractor BAA (sub-BAA) is a Business Associate Agreement between a business associate and its own vendor who handles PHI. It governs the subcontractor's PHI handling obligations and flows down the same restrictions the primary BAA imposes on the BA. The covered entity is not a party to the sub-BAA — it runs between the BA and the subcontractor.
What happens if a subcontractor violates a BAA?
The business associate is responsible for managing the violation per the sub-BAA's terms. Under 45 CFR § 164.504(e)(1)(iii), a BA that knows of a pattern of activity or practice by its subcontractor constituting a material breach of the sub-BAA must take reasonable steps to cure it and, if those steps fail, terminate the contract if feasible. If the violation constitutes a breach of PHI, the subcontractor must notify the BA, who then notifies the covered entity within the primary BAA's required timeframe. OCR can also pursue enforcement directly against the subcontractor, since subcontractors that handle PHI are business associates in their own right under the Omnibus Rule. The BA must report the violation to the CE per the primary BAA and may terminate the subcontractor relationship.
Generate a BAA — whether you need a primary BAA or a sub-BAA
Our generator works for both covered entity-to-BA and BA-to-subcontractor agreements with the same required provisions.