The privacy and security regulations enacted pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA Privacy and Security Rules) apply to physicians and other health care providers that use electronic means to perform HIPAA-covered transactions, such as the transmission of health claims, remittance or payment advice or any of the other electronic transactions included in the HIPAA Transaction Rule. The HIPAA Privacy and Security Rules permit covered entities to disclose “protected health information” (PHI) to business associates so long as satisfactory assurances are obtained in a business associate agreement that the business associate will properly safeguard the information. This document discusses business associates generally and general requirements for business associate agreements. For more detailed information on HIPAA, including the definition of “covered entity,” see CMA ON-CALL document #4100, “HIPAA Overview/Enforcement.”