Applicable Provider Types: All

Is Your Entity in Compliance?

The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA) requires Covered Entities (CEs), Business Associates (BAs) and Business Associate subcontractors to enter into written agreements governing each party’s rights and obligations with respect to the privacy and security of patient Protected Health Information (PHI). Most healthcare providers will qualify as a CE. CEs must obtain “adequate written assurances” from their BAs that the PHI will only be used or disclosed as permitted by law and as instructed by the CE, and BAs must impose these obligations and limitations on their subcontractors. These written assurances typically take the form of a Business Associate Agreement (BAA).