The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities" (generally, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions). By regulation, the DHHS extended the HIPAA privacy rule to independent contractors of covered entities who fit within the definition of "business associates". PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual. This is interpreted rather broadly and includes any part of an individual's medical record or payment history. They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies.