Business Associate/Subcontractor
Under the new MEGA RULE, HIPAA Privacy, Security and Breach requirements extend beyond
Covered Entities to all Business Associates and any down-stream vendors or subcontractors
that may come in contact with or otherwise have access to PHI. While you, your BAs and their
subcontractors may all be scratching their heads and wondering but what does this mean to
me, the answer is actually quite simple. Under the MEGA Rule, a BA or any down-stream sub is
now individually responsible for compliance with HIPAAs mandates for privacy and security.
In order to ensure compliance with HIPAAs Mega Rule, the first step is determining if an entity
is subject to its reach. The following sample Questionnaire will help a CE or a BA/Subcontractor
determine if they are subject to HIPAA and help fashion appropriate programs to ensure
compliance. Note, this is questionnaire can and should be revised according to each individual
entitys business interests.