Each link in the chain is required by regulations and contracts to protect the PHI and manage it in accordance with the obligations of the covered entity at the top of the chain. So, for example, if the covered entity is a hospital and that hospital has a 24-hour breach notification requirement, each link (or business associate) in that chain must also provide 24-hour notification of violations in its BAAs.

Below are examples of service providers that are sometimes business associates, depending on the underlying relationships, whether or not they access PHI, and the features involved:

Although HIPAA now applies directly to business associates, HIPAA still requires covered entities to execute "business associate agreements" (BAAs) with their business associates before sending them PHI.

The following covered entities must sign BAA forms. BAAs must be signed by all covered entities when their trading partner processes PHI that first passes through the covered entity. . . .