Health Insurance Portability and Protection Act for Research (HIPAA)

The following provides guidance on Health Insurance Portability and Protection Act (HIPAA) responsibilities and regulations for research at the Icahn School of Medicine at Mount Sinai.

HIPAA requires a covered entity to enter into a Business Associate Agreement with someone hired by the entity to perform certain tasks involving Protected Health Information (PHI). In the research context that may involve telephone follow ups, database management, web hosting, etc. The Covered Entity is the entity that holds the PHI—i.e. the entity that is disclosing the information in most cases.

If you already have an agreement, it will be necessary to add the Business Associate Addendum.

If this is a new agreement, you must use the Business Associate Agreement. To complete this form, the services the Business Associate (BA) is performing and the PHI may use are to be listed on Schedule A (alternatively, you may list them in Section 3.a and revise it accordingly). The names of the Covered Entity and the Balso need to be added on the first page and the last page. Please contact the legal department if you have further questions.