Health Insurance Portability and Accountability Act of 1996 (HIPPA) Privacy, requires that “covered entities” protect certain information, “protect health information (PHI)”. Covered entities need to enter into a Business Associate Agreement (BAA) with any vendor or entity that has access to their PHI.
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html