Business Associates? How Low Can You Go? HIPAA & HITECH Act Blog by Jonathan P. Tomes

The Omnibus Rule effectively made “downstream” business associates—that is, subcontractors—into business associates and thus effectively into covered entities. They are now effectively, if not by law, covered entities because, although DHHS has not added them to the list of covered entities, they now must comply with the HIPAA Security and Privacy Rules, they face the same criminal and civil liability as do covered entities, and they are subject to the same audits by the Department of Health and Human Services (“DHHS”) as covered entities are. Therefore, they now must comply with all the same HIPAA requirements as “upstream” business associates.

The only good news is that the covered entity that engages the “upstream” business associate must get a business associate agreement in place with only that entity, not with subcontractors. Each subcontractor has the duty to get business associate agreements in place with subcontractors, but the subcontractor has the duty to get such agreements in place with, to coin a term, the sub-subcontractors.

Remember the Chris Brown song “How Low Can You Go?” It gave me the idea for this contest. According to several websites, the chorus goes as follows: How low can you go [x8], Go low l-lower than you know [x3], Lower than you know l-lower than you know.

So the contest is to see who can come up with a hypothetical with the most subcontractors. For example, when I give my HIPAA seminars, I use the hypothetical in which I am hired to defend a covered entity in a malpractice case. So I am clearly a first-level business associate because I will, at a minimum, have to review the chart of the alleged victim of malpractice, as well as possibly needing access to other protected health information (“PHI”) to properly defend the case. Giving access to PHI to an attorney defending a covered entity against such a claim is clearly an authorized disclosure for treatment, payment, and health care operations. Further, in my example, I must hire an expert witness to testify that the treatment met the standard of care and, hence, was not malpractice. Thus, I must get a “downstream” business associate agreement in place with the subcontractor. Also, let’s say that the expert witness hires a shredding service to dispose of the documents when the case is over. Now, we have another level down.

So how low can you go? How many levels down can you imagine? The winner will win the winner’s choice of my new Your Happy HIPAA Book, my How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know, or one of my published trade paperback novels, HIPAA Hysteria or JAGC-Off: A Politically Incorrect Memoir of the Real Judge Advocate General’s Corps.

Criteria to select the winner, in our sole discretion, are the number of levels down and whether a given subcontractor is realistic in the health care business. To enter, simply submit a comment.

Perhaps this contest has made you wonder whether you need to make sure that your organization is HIPAA compliant. Do you need to update your risk analysis, review your policies and procedures, and provide extra training on this issue or otherwise? Do you want to get your organization HIPAA compliant in one fell swoop? Call our marketing director, Patrick R. Head II, toll-free at 855-341-8783 or email him at While you are talking with Patrick, ask him about our upcoming two-day Hands-on HIPAA Workshop aboard the Queen Mary anchored in Long Beach, California, October 16-17, 2014.

