Like the Privacy Rule, the Security Rule includes three categories of safeguards: Administrative
The final rule that was issued January 25, 2013 requires covered entities and business associates (and the business associate's subcontractors, if any) to have in place administrative, physical, and technical safeguards that are in compliance with the Security Rule. The final rule not only makes business associates equally accountable for privacy and security safeguards, but extends the rules down to the subcontractor level. Any subcontractor that is hired by the business associate must agree to the same restrictions and conditions that apply to the business associate, if the subcontractor creates or receives PHI. Note that a subcontractor may not use PHI in any way that is not
permitted by the business associate agreement between the primary business associate and the covered entity.
The contract agreements that are made between the business associate and the subcontractor must be at least as stringent as the contract agreements between the covered entity and the business associate.