By Kevin Lin
Business associate agreements bind entities with access to protected health information (PHI) to HIPAA’s privacy and data security rules. The obligations of entities under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) can be thought of as links in a chain of liability. At the top of the chain sit “covered entities,” such as health plan providers, clearinghouses, insurance carriers, and certain healthcare providers, to which HIPAA’s privacy rules apply directly. The HIPAA privacy rules require covered entities such as medical practices to implement comprehensive privacy and data safeguards to protect PHI. These requirements generally fall into three categories: (i) administrative safeguards, such as ongoing risk assessments to identify potential vulnerabilities and risks; (ii) physical safeguards, such as physical measures to prevent unauthorized access and protect against environmental hazards; and (iii) technical safeguards, such as technical controls to ensure data security.