Kingsfield · Research · Data Privacy & Cybersecurity

Must a HIPAA covered entity have a written contract before disclosing protected health information to a vendor?

Published 2026-06-23 · U.S. federal law

45 CFR 164.502(e) and 164.504(e) bar a covered entity from disclosing protected health information to a vendor unless it first obtains satisfactory assurances, documented in a written business associate contract.

The answer

Satisfactory assurances required

Under 45 CFR 164.502(e), a covered entity may use or disclose protected health information only as permitted by the Privacy Rule, and disclosures to a business associate are conditioned on satisfactory assurances that the associate will safeguard the information. A vendor handling PHI on the entity's behalf is a business associate.

The written contract

The assurances are not informal. Section 164.504(e)(1) requires the contract or other arrangement called for by 164.502(e)(2) to meet the implementation specifications for business associate contracts before PHI is disclosed.

The judged input

What the AI drafted

Submitted to the judge

This is an excerpt from a draft vendor data-processing opinion — the kind of work product a lawyer generates with a legal-AI drafting tool, then has to stand behind. Kingsfield does not write it; it rules on the citations the model put in it. This draft cites three authorities; one of them is wrong.

AI draft excerpt — vendor data-processing opinion
The Company may not hand protected health information to the proposed vendor without first putting a compliant agreement in place. Under 45 CFR 164.502(e), a covered entity may disclose PHI to a business associate only on satisfactory assurances that the associate will appropriately safeguard the information. Those assurances must be documented in a written business associate contract that satisfies 45 CFR 164.504(e). We advise that the source of the written contract requirement is 45 CFR 164.530(b).

The judge ruled on every citation as the draft used it — it accepted 45 CFR 164.502(e) and 45 CFR 164.504(e) and rejected 45 CFR 164.530(b). Here is why.

The verdict

How Kingsfield ruled

Ruled 2026-06-23

Each citation in the draft above was submitted to the Kingsfield judge and ruled against the primary-law corpus — Accept, Reject, or Inconclusive, per citation. These are live verdicts, not editorial. Each card shows the claim the draft made and the verbatim authority the verdict was rendered against.

Accept · 45 CFR 164.502(e)

The draft claimed: A covered entity may use or disclose protected health information only as permitted by the Privacy Rule, and may disclose it to a business associate only on satisfactory assurances that the associate will appropriately safeguard the information.

“Standard. A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.”

Cite found; proposition supported by the cited text.

Accept · 45 CFR 164.504(e)

The draft claimed: The contract or other arrangement required by section 164.502(e)(2) must meet the implementation specifications for business associate contracts set out in this section.

“Standard: Business associate contracts. (i) The contract or other arrangement required by § 164.502(e)(2) must meet the requirements of paragraph (e)(2), (e)(3), or (e)(5) of this section, as applicable.”

Cite found; proposition supported by the cited text.

Reject · 45 CFR 164.530(b)

The draft claimed: Section 164.530(b) requires a covered entity to enter into a written business associate contract before disclosing protected health information to a vendor.

Cite found, but the cited text does not support the claim. 45 CFR 164.530(b) is the workforce training standard, requiring training on PHI policies and procedures; the written business associate contract requirement is at 45 CFR 164.502(e) and 164.504(e). Regenerate with the correct authority.

Run your own work through the judge

Kingsfield rules on every citation, quote, and proposition your AI produces, against the primary law we cover. Accept, Reject, or Inconclusive, per citation, with a signed Audit Capsule.


This page is legal information, not legal advice, and does not create an attorney-client relationship. The draft shown is an illustration of a typical AI answer; verdicts reflect the cited authority in the Kingsfield corpus as of the ruling date shown above.

Kingsfield

The judge for legal AI.
A WalkerNash Development LLC product.

© 2026 WalkerNash Development LLC. All rights reserved.
Built in the United States. No third-party trackers.