Skip Navigation

Institutional Review Board


What is HIPAA?

The U.S. Health Insurance Portability and Accountability Act (HIPAA) provides national standards for protecting the privacy and security of health information and gives rights to individuals with respect to their health information. The HIPAA Privacy Rule regulates how covered entities may use and disclose certain individually identifiable health information called protected health information (PHI) to researchers, whether communicated on paper, electronically, or orally. Only individually identifiable health information that is created or received by a covered entity qualifies as PHI and is covered by HIPAA.


What is a covered entity?

“Covered entities” are defined, in part, as health care providers that electronically transmit any health information in connection with billing. For example, hospitals, academic medical centers, and other health care providers that electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. A covered entity may be an organization, an institution, or an individual. Johns Hopkins Hospital is a covered entity.


Is JHSPH a covered entity?

JHSPH is not a covered entity. PHI obtained for research purposes with a HIPAA Privacy Authorization or through another permissible mechanism is no longer covered by HIPAA.  It is “sensitive private information” that requires appropriate protection and data security.  The JHSPH IRB is authorized as a Privacy Board to approve research use of PHI from covered entities.


What constitutes PHI?

Under the HIPAA Privacy Rule, PHI is electronic health information which is accompanied by one or more of the following identifiers. Any one of the following identifiers associated with the name of a covered entity provider or health plan also constitutes PHI.

• Name
• Geographic information smaller than state
• Elements of dates (birth date, admission date, date of death, ages greater than or equal to 90 years of age)
• Telephone numbers
• Fax numbers
• Email addresses • Social security numbers
• Medical record numbers
• Account numbers
• Certificate or license number
• Vehicle identifiers and serial numbers including license plate
• Device identifiers and serial numbers
• URLs • IP address numbers
• Biometric identifiers
• Full face photographic images and comparable images
• Health plan beneficiary numbers
• Any other unique identifying number, characteristic, or code


How do I initiate the HIPAA Submission Process?

Complete the fill-in form called the “Application for the Disclosure of Protected Health Information.”  You should explain whether you will obtain a signed HIPAA Authorization from your participants, can justify waiving the signature requirement and/or the Authorization requirement, and if you plan to use a limited data set.

If you plan to ask for disclosure of PHI, choose one of the following templates from the IRB website, as appropriate:

1. Combined consent/HIPAA authorization
2. Combined medical records release form/HIPAA authorization
3. Combined medical records release form/HIPAA authorization- child
4. Oral authorization/oral consent


NOTE: As with consent documents, IRB approved Authorization forms must be stamped with the IRB logo.


Do I need any special training to use PHI?

All JHSPH investigators, study staff, and students using Protected Health Information in research must complete HIPAA training: MyLearning Module: HIPAA for Research - 01. You will find this course in the MyLearning Course Catalog under “Compliance > Research Compliance and Ethics > HIPAA & Research.” It will NOT be listed under “HIPAA.” 

Questions?  Please contact the JHSPH IRB Office at