HIPAA Covered Entities may be subject to civil money penalties and criminal penalties for HIPAA violations.
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
HIPAA Covered Entities (CEs) are healthcare providers who conduct certain financial and administrative transactions electronically with PHI (e.g., healthcare providers who submit claims electronically), Health Plans, and Health Care Clearinghouses.
PHI stands for Protected Health Information. It is any data containing at least one HIPAA identifier.
Business Associates (BAs) use or disclose Protected Health Information (PHI) while they conduct business with or on behalf of a HIPAA Covered Entity (CE), and are not members of the HIPAA Covered Entity's workforce.
Business Associate Agreements (BAAs) or Contracts outline how the HIPAA Covered Entity (CE) and the Business Associate (BA) will handle confidentiality, privacy, and security of the Protected Health Information (PHI) involved.
Thus, a Business Associate Agreement (BAA) or Contract is required between a HIPAA Covered Entity (CE) and a Business Associate (BA); and between a Business Associate and its Subcontractors.