What is HIPAA?
The U.S. Health Insurance Portability and Accountability Act (HIPAA) provides national standards for protecting the privacy and security of health information and gives rights to individuals with respect to their health information. The HIPAA Privacy Rule regulates how covered entities may use and disclose certain individually identifiable health information called protected health information (PHI), whether communicated on paper, electronically, or orally. Only individually identifiable health information that is created or received by a covered entity qualifies as PHI and is covered by HIPAA.
What is a covered entity?
“Covered entities” are defined, in part, as health care providers that electronically transmit any health information in connection with billing. For example, hospitals, academic medical centers, and other health care providers that electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. A covered entity may be an organization, an institution, or an individual. We encourage you to review our guidance, “Protected Health Information and the JHSPH.” Johns Hopkins Hospital is a covered entity; you may access a complete list of Hopkins covered entities at the end of that document.
Is JHSPH a covered entity?
JHSPH is not a covered entity. HOWEVER, if you use PHI from a covered entity in your research at JHSPH, you have responsibilities to protect those data under HIPAA.
What constitutes PHI?
Under the HIPAA Privacy Rule, PHI is health information which is accompanied by one or more of the following identifiers. Any one of the following identifiers associated with the name of a covered entity provider or health plan also constitutes PHI
- Geographic information smaller than state
- Elements of dates (birth date, admission date, date of death, ages greater than or equal to 90 years of age)
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Account numbers
- Certificate or license number
- Vehicle identifiers and serial numbers including license plate
- Device identifiers and serial numbers
- IP address numbers
- Biometric identifiers
- Full face photographic images and comparable images
- Health plan beneficiary numbers
- Any other unique identifying number, characteristic, or code
So if I am using PHI in my research, what do I need to do?
First, think about your study’s recruitment process and planned data use. Consider whether you need to, and are able to, contact participants before you access their PHI. If yes, your access to PHI will depend upon whether it’s “practicable” or not for you to obtain a signed privacy authorization from participants. Here are the ways that you may work with the JHSPH IRB to access PHI for research purposes.
- Ask participants who are clients of the covered entity for a signed authorization permitting to access and use their PHI for research purposes. If this is impracticable (for example, you must access PHI to identify potential participants), then
- Ask the IRB for a waiver of the authorization requirement. Keep in mind that if you will have an opportunity to later obtain consent and authorization from your study participants, you may need a waiver only for the recruitment process – not for the whole study. This is called a partial waiver; or
- Ask the IRB for a waiver of privacy authorization if you believe an oral consent process is appropriate. You will include some “oral HIPAA” language in the consent script, but will not obtain a signature on an authorization from the participant. Here, you are asking for a complete waiver because HIPAA requires a signature on the authorization; there is no “waiver of signature” for HIPAA authorizations. Therefore, you must waive the authorization entirely; or
- Ask the IRB for a waiver of privacy authorization if you seek to access and/or use PHI for secondary data analysis. This is a complete waiver of the HIPAA privacy authorization; or
- Use a limited collection of PHI, called a limited data set. In this data set, you may use only the following identifiers:
- Dates such as admission, discharge, service, DOB, DOD;
- City, state, five digit or more zip code; and
- Ages in years, months, days, or hours.
How do I initiate the HIPAA Submission Process?
1. Submit a HIPAA Application
The HIPAA submission process varies, depending on what kind of PHI you wish to access/use (Hopkins data or non-Hopkins data), and how you want to access those based on the variables addressed above. If your study is a new application, you need to complete a HIPAA application – either through the HIPAA section of the PHIRST application itself (which is a bit cumbersome) or by contacting the IRB office at email@example.com to obtain a fill-in version called the “Application for the Disclosure of Protected Health Information” that is a little shorter. If you are amending your research application, please fill out the Application for the Disclosure of Protected Health Information.
2. If you need a HIPAA Waiver
If you successfully justify your need for a waiver of the authorization requirement (partial, for recruitment, or full waiver to access/use existing PHI through oral consent or secondary data analysis) and the IRB approves your waiver, your compliance obligations depend upon whether or not the data comes from Hopkins or elsewhere. If you are receiving PHI from a Hopkins covered entity, you must track the disclosures of the PHI that Hopkins covered entities provide to you through the Hopkins HIPAA Compliance Tracking System. If you, yourself, are accessing the PHI to create the research dataset, you also may need to enter into a Business Associate Agreement with the covered entity providing that access. If you plan to use a HIPAA Limited Data Set, the IRB Senior Specialist working on your research submission will help you determine what your HIPAA compliance obligations are.
3. If you will obtain a HIPAA Authorization from your participants
If you are obtaining authorization from participants (written or oral), you will need to choose a HIPAA privacy authorization form template that best fits your consent process.
Choose one of the following templates from the IRB website:
1. Combined consent/HIPAA authorization
2. Combined medical records release form/HIPAA authorization
3. Combined medical records release form/HIPAA authorization- child
4. Oral authorization/oral consent
NOTE: Like consent documents, IRB approved Authorization forms must be stamped with the IRB logo.
Do I need any special training to use PHI?
All JHSPH investigators, study staff, and students using Protected Health Information in research must complete HIPAA training: MyLearning Module: HIPAA & Research - 01. You will find this course in the MyLearning Course Catalog under “Compliance > Research Compliance and Ethics > HIPAA & Research.” It will NOT be listed under “HIPAA” You do not need to take the “General Privacy Issues” course as a prerequisite.
Questions? Please contact the JHSPH IRB Office at firstname.lastname@example.org.