HIPAA

U.S. law requiring privacy and security safeguards for protected health information.

HIPAA protects U.S. health information (PHI) through several rules: the Privacy Rule governs use and disclosure, the Security Rule mandates administrative, physical, and technical safeguards for electronic PHI, and the Breach Notification Rule sets disclosure obligations. Business Associate Agreements (BAAs) extend these duties down the chain to any vendor — cloud host, billing service — that touches PHI on a covered entity’s behalf.
