|
| Under a Memorandum of Agreement entered into by the Johns Hopkins School of Public Health and the Johns Hopkins HIPAA Office, JHSPH researchers are no longer included within the HIPAA covered entity portion of Johns Hopkins University. Even though no longer in the covered entity portion of JHU, JHSPH researchers still will have to satisfy certain HIPAA requirements in order for the Johns Hopkins covered entities to be able to disclose PHI to them, just as they would when obtaining PHI from non-Johns Hopkins covered entities. Further, while JHSPH researchers are no longer included as covered entities, due to the close working relationships that JHSPH has with the covered entity portions of JHU and the Johns Hopkins Health System, JHSPH researchers must abide by certain requirements set forth in the Agreement, primarily the obligation to “track” the disclosures.

A covered entity, as defined by HIPAA, is a health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard. JHSPH is not a healthcare component of JHU that transmits health information in electronic form as contemplated by HIPAA. For entities like the University that contain both covered and non-covered functions, a “hybrid entity” determination can be made, identifying which parts are covered and which are not. While the previous decision was made to include JHSPH researchers within the covered entity portion of JHU, JHSPH researchers have been moved outside the covered entity portion of JHU.

PHI is individually identifiable health information, transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.

The following are all considered identifiers under HIPAA.

| Names | Certificate or license numbers |
| Geographic information smaller than state | Vehicle identifiers and serial numbers including license plate numbers |
| Elements of dates (birthdate, admission date, date of death, ages > 89 years of age) | Device identifiers and serial numbers |
| Telephone numbers | URLs |
| FAX numbers | IP address numbers |
| Electronic mail addresses | Biometric identifiers |
| Social security numbers | Full face photographic images and comparable images |
| Medical record numbers | Health plan beneficiary numbers |
| Account numbers | Any other unique identifying number, characteristic or code. |

Therefore, if you will be obtaining any of the above information from a covered entity, you will be obtaining PHI from a covered entity.
The new HIPAA policy applies to all studies where the Principal Investigator on a protocol is a JHSPH researcher and where it is necessary to obtain PHI from a covered entity. Most significantly, the new HIPAA policy applies to all JHSPH protocols seeking medical information from a Johns Hopkins covered entity where the Principal Investigator is a JHSPH researcher. A JHSPH protocol is one where the Principal Investigator is a JHSPH Principal Investigator. It also impacts studies where JHSPH researchers are on protocols where the PI is a School of Medicine or School of Nursing PI. The new HIPAA policy applies to all studies where the Principal Investigator on a protocol is a JHSPH researcher. Therefore, it applies to you if you have a joint appointment at JHSPH and SOM/SON and are doing research on a JHSPH protocol. If you are performing clinical care in a Johns Hopkins health care provider setting under your joint appointment at SOM, the information you obtain solely in that capacity will remain PHI subject to all applicable HIPAA limitations and requirements and cannot be used or disclosed for research purposes. (See the discussion under, "What if I wish to recruit in a covered entity?" to learn how your recruitment strategies may be impacted if you are performing clinical care.) If you are conducting research through the joint appointment for a JHSPH study (i.e. a study where the PI is a JHSPH researcher and where the study is approved by CHR, if applicable), and if you generate or have access to PHI at a JH covered entity when conducting the CHR approved research protocol involving clinical activities, the PHI that is maintained in the medical record of the health care provider will remain subject to HIPAA. However, as long as you have submitted a JHSPH HIPAA application and the necessary forms, the PHI which is documented in a separate research record will be free of HIPAA limitations and will no longer be considered PHI. 
This information will still be subject to the Common Rule. In the case where the PI is a SOM or SON researcher, the study is still included within the JH covered entities and is therefore still covered by HIPAA. JHSPH researchers will be treated as “outsiders” for these studies and must be identified in the HIPAA compliant Authorizations or requests for waiver of Authorization. If a JHSPH researcher obtains PHI due to participating in such a study, the researcher may use the PHI only in accordance with the terms of the approved protocol or a subsequent protocol approved by the SOM IRB. The PHI may not be added to a database that is accessible by other researchers who are not part of the protocol. When working with a non-Hopkins covered entity, prior to submitting your HIPAA forms to the Office of Graduate Education and Research for review, you must first consult with the entity (or entities) from which you are receiving data to determine their policies. The covered entity may require that you use their forms or follow different guidelines than what we have implemented with Johns Hopkins covered entities. You should ask the covered entity’s privacy office/privacy officer if it has a form of Authorization for Use and Disclosure of Protected Health Information for research purposes and, if applicable, if a JHSPH CHR waiver of the authorization requirement and letter of CHR approval will suffice as record of IRB review. JH HIPAA forms may be used as default forms if the covered entity approves of their use. The JHSPH CHR may approve waivers or alterations of Authorization and provide HIPAA compliant documentation of the waiver or alteration to the covered entity. Once the protected health information is disclosed to the JHSPH researcher from the covered entity, subject to the exceptions noted above, the identifiable health information is no longer PHI subject to HIPAA. 
Rather, the privacy and confidentiality of the information is protected by other state and federal laws, such as the Common Rule. However, the identifiable information remains subject to the terms of any authorizations or waiver of the authorization requirement. Further, health information in the form of a limited data set remains subject to the terms of the Data Use Agreement. JHSPH researchers who submit an IRB application through PHIRST will access the HIPAA application on PHIRST. Researchers who are modifying a previously approved research study or who have studies that are being approved by WIRB must submit a hardcopy of the JHSPH HIPAA application and a copy of the Research Plan, consent forms, and any relevant HIPAA forms to the Office of Graduate Education and Research prior to attempting to access PHI from a covered entity. The HIPAA application will guide you through the HIPAA requirements and applicable forms. The HIPAA documents to be used by researchers obtaining PHI from JH covered entities have been approved by the JH HIPAA Office and therefore may not be modified. The approved documents can be found here. For modification to previously approved research, the IRB may also require that you submit an amendment to the IRB. The IRB will still approve waivers of the Authorization requirement for PHI sought from covered entities. Once your HIPAA application is received and reviewed, you will receive notification that the HIPAA review is complete. Once the HIPAA review is complete, and provided that the IRB has approved the research and that any required Business Associate Agreements and/or Data Use Agreements (see discussion below) are fully executed and in hand, you may pursue obtaining the PHI in the same manner as you have used in the past. If you will be accessing PHI at a Johns Hopkins covered entity, the Research Regulations Specialist will forward information about your protocol to the JH HIPAA Office for information purposes. Yes. 
The new HIPAA Authorization form is accessible here. Authorization for use and disclosure of health information allows a covered entity to release a patient’s or plan member’s individually identifiable health information with the patient’s or plan member’s signed permission. Informed consent is provided, either in writing or orally, by a potential research subject as record that the individual has been fully informed, understands the study and consents to enrollment into the research study. Ongoing studies that are covered by HIPAA, the information obtained from participants in these studies, and the databases created from these studies will remain covered by HIPAA. If an investigator or study staff is added to a covered study and will have access to the individually identifiable health information, the individual must complete the HIPAA training course entitled "Privacy Issues Relating to Research" and sign a "Confidentiality Agreement for Workforce Members-General." These are available at http://irb.jhmi.edu. If your study is being conducted outside the United States and individually identifiable health information is being sent from a health care provider to JHSPH, your study is not covered by HIPAA. However, if your study is being conducted outside the United States and information is being sent to a JH covered entity, if the information is identifiable (i.e. contains any of the 18 identifiers under HIPAA) or if the covered entity has access to a link between the information and the person from whom the information was obtained, the information may become subject to HIPAA. If a JHSPH researcher stores samples at a Johns Hopkins covered entity, and the samples are identifiable to an individual, the samples are covered by HIPAA. Also, if the covered entity has control over the specimens or owns the specimens, they are covered by HIPAA. 
Example: A JHSPH researcher stores tissue samples for a JHSPH study at a laboratory located in a Johns Hopkins covered entity. The samples are labeled with study identification numbers as well as the date of birth of the subject. Since date of birth is individually identifiable information, and the samples are being maintained at a covered entity, the samples become covered by HIPAA. Example: A JHSPH researcher stores and analyzes blood samples for a JHSPH study at a laboratory located in a Johns Hopkins covered entity. The samples are labeled only with the study identification number of the participants. The pathologist analyzing the blood samples has access to the code linking the study identification number to the study participant. Since the covered entity can link the identity of the participants to the blood samples, the samples are covered by HIPAA. However, if a researcher stores samples at a Johns Hopkins covered entity and has total control over the use of the samples, or if the samples are de-identified in a manner so that the covered entity does not have access to the identifiers, the samples will not be impacted by HIPAA. Example: A JHSPH researcher is storing tissue samples for a JHSPH protocol in a laboratory located at a Johns Hopkins covered entity. The samples are identified by study identification number. The only information that can link the sample to an individual is retained at JHSPH, and the covered entity does not have access to this information. Since the samples are entirely de-identified to the covered entity, they do not become subject to HIPAA. Example: A JHSPH researcher stores and analyzes blood samples for a JHSPH protocol in a laboratory that is covered by HIPAA. The JHSPH researcher retains complete control over the use of the samples including who has access to the samples, which samples are used, when the samples are used, and what tests are run on the samples. The samples are labeled with a study identification number. 
The JHSPH researcher has the code linking the identification numbers to the individuals. However, the pathologist who analyzes the samples in the laboratory does not have access to this information. The samples are therefore not impacted by HIPAA.
De-identified data is data that excludes all 18 elements that could be used to identify the individual. The factors that must be removed from the data to make it de-identified are listed on the JHSPH HIPAA application. They are also listed under the question "What are identifiers under HIPAA?" If you desire to use de-identified information from a Johns Hopkins covered entity, you will be responsible for de-identifying (or obtaining the de-identification of) the PHI in accordance with the HIPAA requirements. You must submit a HIPAA application providing adequate assurance that the data will be de-identified. You will need to enter into a Business Associate Agreement (BAA) with the Johns Hopkins HIPAA Office using a standard Johns Hopkins Business Associate Agreement designed specifically for use with JHSPH researchers that allows you to have access to the PHI to create the de-identified data. You may obtain the BAA from the JH HIPAA Office by providing your full name, your address, the name of your study, your study number, and an identification of the Johns Hopkins covered entity or entities that holds the records from which you intend to obtain the de-identified data. Contact dbradfi4@jhmi.edu to obtain a BAA. If the data is de-identified as defined by HIPAA, no waiver of Authorization is needed. Health information is not PHI once it is de-identified as described by the Privacy Rule. A limited data set may include city; state; ZIP Code; elements of date; and other numbers, characteristics, or codes not listed as direct identifiers. 
The following identifiers must be removed from the health information:

| Name | Certificate or license numbers |
| Postal address information, other than town or city, state, and ZIP Code | Vehicle identifiers and serial numbers including license plate |
| Telephone numbers | Device identifiers and serial numbers |
| FAX numbers | URLs |
| Electronic mail address | IP address numbers |
| Social Security Number | Biometric identifiers |
| Medical record numbers | Full face photographic images and comparable images |
| Account numbers | Health Plan beneficiary numbers |
If you want to use a limited data set, you will be responsible for creating the limited data set in accordance with the HIPAA requirements. You must submit a HIPAA application representing that only a HIPAA compliant limited data set of PHI is to be obtained. You will need to enter into a Business Associate Agreement with the Johns Hopkins HIPAA Office using a standard Johns Hopkins Business Associate Agreement designed specifically for use with SPH researchers that allows you to have access to the PHI to create the limited data set. You will also need to enter into a Data Use Agreement with the Johns Hopkins HIPAA Office using the standard Johns Hopkins Data Use Agreement form designed specifically for use with SPH researchers. The Data Use Agreement will limit the way that the information in the data set may be used and will establish how the information will be protected. Neither an Authorization nor a waiver of Authorization is needed for the disclosure of a limited data set. Limited data sets contain individually identifiable health information and therefore are, and remain, PHI. The information may be used only consistent with the Data Use Agreement and for no other purpose. If you want access to PHI for the purpose of preparing for research, you must complete a HIPAA application and indicate that (i) the disclosure is requested solely for purposes preparatory to research, (ii) the PHI will not be removed from the covered entity in the course of the review except that you may leave the covered entity premises only with the minimal amount of PHI necessary to satisfy the tracking requirements under HIPAA, and the PHI taken from the covered entity premises for tracking purposes may be used only to complete the tracking database and for no other purpose; and (iii) the PHI for which access is requested is necessary for the research. 
Once your application is reviewed, the Research Regulations Specialist will provide documentation to the Johns Hopkins HIPAA Office of the assurances made in your HIPAA application. You must make appropriate entries into the SPH JH HIPAA Compliance System, noting the disclosure of the PHI by the Johns Hopkins covered entity to you. (See the discussion under "Do I have to track disclosures by Johns Hopkins covered entities?") You must complete a HIPAA application and represent that the use and disclosure is sought solely for the research on the protected health information of decedents, the PHI is necessary for research purposes, and be prepared to provide documentation of the death of the individuals whose PHI you are seeking. You also must make appropriate entries into the SPH JH HIPAA Compliance System, noting the disclosure of the PHI by the Johns Hopkins covered entity to you. (See the discussion under "Do I have to track disclosures by Johns Hopkins covered entities?") The JHSPH IRB will still be the IRB that reviews JHSPH applications for waivers of the Authorization requirement or partial waivers. To apply for a waiver or partial waiver, fill out a JHSPH HIPAA Application, indicating why your study is eligible for a waiver by completing sections I, II, III.A, and IV. Once the IRB makes a determination on the waiver, you will receive notification of the determination. If the waiver is granted, you must make appropriate entries into the SPH JH HIPAA Compliance System, noting the disclosure of the PHI by the Johns Hopkins covered entity to you. (See the discussion under "Do I have to track disclosures by Johns Hopkins covered entities?") If you are recruiting in a covered entity, your recruitment procedures must comply with HIPAA. HIPAA has changed the ways a treating physician or treatment personnel may refer patients to a researcher for screening and recruitment. 
As noted below, direct recruitment for a study by a clinician/researcher or his/her treatment personnel is not prohibited by HIPAA. These personnel already have a reason to know the patient's PHI and, assuming the study (and the recruitment process) has been approved by the IRB, these personnel may approach the patient about participating in the trial without a HIPAA waiver. Also, these treatment personnel may discuss the patient's PHI with other research personnel, such as the coordinator, so long as the patient first has given his/her verbal or written consent to wanting to learn more about the study and the proper note has been made in the patient’s record. Below are two mechanisms for recruitment permitted under HIPAA. Your proposed recruitment strategy, and everything else that follows recruitment, is subject to IRB approval.

1. Recruitment by the Clinician or the Treatment Staff
   a. A physician who has a treatment relationship with the patient (the “clinician”) and who is also the researcher may approach a patient about participation in any CHR approved trials in which the clinician participates as a researcher. The clinician’s treatment personnel (those who have a “reason to know” identifiable health information by virtue of the treatment relationship) also may approach the patient about this research. The clinician and his/her treatment personnel must note the communication in the patient's medical record.
   b. A clinician who is not the researcher (and the clinician’s treatment personnel) may approach his/her patient about participation in another researcher's study. The clinician or his/her staff must note the communication in the patient's medical record. If the patient agrees to a referral to the researcher, suggested language is as follows: "I discussed the referral of the patient to [team or doctor] for [describe research study]. The patient agreed to the referral, including sharing information about the patient's condition."
   c. A clinician who is not the researcher (and the clinician’s treatment personnel) may give his/her patient another researcher's name and contact information, and the patient may contact the researcher.
   d. A clinician who is not the researcher (and the clinician’s treatment personnel) may discuss possible patient eligibility with the research personnel in a de-identified manner, i.e., with all specified subject identifiers removed. If the research personnel believe the de-identified patient would be eligible for the trial, the treatment personnel could then obtain the patient's permission to give the research personnel the patient's name or give the patient the researcher's contact information. (See bullets b and c above.)
   e. A clinician who is not the researcher (and the clinician’s treatment personnel) may send a letter to his/her patient about how to join a CHR approved study so long as the content of the letter is approved by the CHR. (Note: unless the CHR approves a waiver of Authorization for study recruitment purposes, the letter may NOT be co-signed by the researcher and the researcher may not have a copy of the letter.)
2. Recruitment by the Researcher
   a. The IRB may grant the request of a researcher for a partial waiver of the patient’s or plan member’s Authorization for recruitment purposes if the IRB determines that the treating physician's direct approach to the patient or obtaining the patient's prior Authorization is impracticable. The request for waiver of Authorization may include several possibilities:
      i. A partial waiver of Authorization for treatment personnel to refer patients to the researcher or share PHI with the researcher without first speaking to the patient about the referral.
      ii. A partial waiver of Authorization for the researcher to look at medical records, or schedules, patient lists, etc., and then to have treatment personnel contact potential subjects.
      iii. A partial waiver of Authorization to advertise about the study and screen by phone potential subjects for the study.
      iv. A partial waiver of Authorization to advertise about the study to specific potential study subjects and screen potential subjects for the study and to keep the screening database for use in screening for future studies (which future use may require another partial waiver).
The Privacy Rule requires, upon receiving an individual’s request, that a covered entity give an “accounting” of certain disclosures by the covered entity, including those related to research, for a period of 6 years from the date of the disclosure. A disclosure of PHI occurs when information is communicated to a person or entity outside of the covered entity. This includes the communication of PHI from a health care component to a non-health care component of a hybrid entity (i.e. communication of PHI from JH covered entities to JHSPH researchers). In order to be able to “account” for the disclosure, the disclosure must be “tracked” when made. Due to the close research relationship that JHSPH shares with the Hopkins “covered entity” health care components, it is JHSPH policy to assist the JH covered entities in accounting for disclosures that occur as a result of a JHSPH study by “tracking” those disclosures. Therefore, JHSPH researchers are required to track information for the JH covered entity that discloses the PHI to you by entering information into the SPH JH HIPAA Compliance System in the following instances: 1. Research where the IRB has fully or partially waived individual Authorization; 2. Research using only the PHI of decedents; 3. Reviews preparatory to research. All disclosures by a JH covered entity must be tracked in these instances, regardless of whether the information is eventually used in the research. If you are granted a waiver, if your request to review PHI in preparation for research is approved, or if you are approved to review the PHI of decedents, you may receive the records of individuals who you later learn had a limitation on the use of their medical information. For example, an individual may have indicated that they did not want to be recruited for research protocols. If this happens, you must enter the names and other identifiers of these individuals into the SPH JH HIPAA Compliance System and note the nature of the limitation. 
If you have obtained a waiver or partial waiver of the Authorization requirement, prior to contacting any individual to obtain a consent/authorization related to research, you must check the database to determine if the individual that you want to contact has limited his/her being contacted for research. If a limitation is noted, you must abide by the limitation. If you are going to use identifiable data that was obtained from a JH covered entity in a previous study through a waiver of authorization or through the review of the PHI of decedents, then you need to search the limitations database to ensure that limitations are followed. You can access the SPH JH HIPAA Compliance System here. If you are establishing a database with information obtained from a covered entity, your database is subject to the terms in the Authorization or data use agreement, if applicable. However, with the exception of databases created under a Data Use Agreement, the database and future research using the database is not governed by HIPAA restrictions. Other protections, such as the Common Rule, cover the information held at JHSPH and limit its use and disclosure. No. Any PHI received from a Johns Hopkins covered entity by a JHSPH researcher may not be used for any marketing or fundraising purposes. You can access the new HIPAA policy here. The new HIPAA forms are available here. If you have questions about HIPAA, contact Margi Joshi, Research Regulations Specialist at mjoshi@jhsph.edu or at 410-502-0433. |