HIPAA is the federal law that governs how "Covered Entities" handle the privacy and security of patients' protected health information (PHI). HIPAA Covered Entities include health care providers and health plans that send certain information electronically. The Commission may be deemed a "Business Associate" of certain institutions that are HIPAA Covered Entities. A Business Associate is an individual or entity that performs a function or activity on behalf of a HIPAA Covered Entity involving the use or disclosure of individually identifiable health information. Business Associates must comply with certain HIPAA Security and Privacy rules and implement training programs. The Commission "HIPPA Policy and Procedure Manual" is updated on a yearly basis. A copy of the manual is available upon request. All Commission site visitors, Review Committee members, Commissioners, and staff are required to attend a CODA HIPAA training session on a yearly basis.