What is HIPAA?
The U.S. Health Insurance Portability and Accountability Act (HIPAA) provides national standards for protecting the privacy and security of health information and gives rights to individuals with respect to their health information. The HIPAA Privacy Rule regulates how covered entities may use and disclose certain individually identifiable health information called protected health information (PHI), whether communicated on paper, electronically, or orally. Only individually identifiable health information that is created or received by a covered entity qualifies as PHI and is covered by HIPAA.
What is a covered entity?
“Covered entities” are defined as health care providers that electronically transmit any health information in connection with billing. For example, hospitals, academic medical centers, and other health care providers that electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. A covered entity may be an organization, an institution, or an individual. Johns Hopkins Hospital is a covered entity; you may access a complete list of Hopkins covered entities here
Is JHSPH a covered entity?
JHSPH is not a covered entity. HOWEVER, if you use PHI from a covered entity in your research at JHSPH, you have responsibilities under HIPAA.
Helpful document: HIPAA and Research Common Scenarios- discusses common circumstances in which HIPAA affects research activities
Please send questions about HIPAA to the Research Compliance Officer, Elizabeth Peterson at email@example.com.
What constitutes PHI?
Under the HIPAA Privacy Rule, PHI is individually identifiable health information. PHI may include any of the following:
• Geographic information smaller than state
• Elements of dates (birth date, admission date, date of death, ages greater than or equal to 90 years of age)
• Telephone numbers
• Fax numbers
• Email addresses • Social security numbers
• Medical record numbers
• Account numbers
• Certificate or license number
• Vehicle identifiers and serial numbers including license plate
• Device identifiers and serial numbers
• URLs • IP address numbers
• Biometric identifiers
• Full face photographic images and comparable images
• Health plan beneficiary numbers
• Any other unique identifying number, characteristic, or code
So if I am using PHI in my research, what do I need to do?
Before you start filling out forms, think about your study’s recruitment process and data use. A key issue to consider is whether you are able to contact participants before you access their PHI. If you are planning to collect and/or use PHI in your research, you need to:
1. Ask participants from the covered entity for authorization to access and use their PHI for research purposes or, if this is impracticable (for example, you must access PHI to identify potential participants), then
2. Ask the IRB for a waiver of the authorization requirement. Keep in mind that if you will have an opportunity to later obtain consent and authorization from your study participants, you may only need a waiver for the recruitment process – not for the whole study. This is called a partial waiver; or
3. Ask the IRB for a waiver of privacy authorization if you believe an oral consent process is appropriate. You will include some “oral HIPAA” language in the consent script, but will not obtain a signature from the participant. Here, you are asking for a complete waiver because HIPAA requires a signature on the authorization; there is no “waiver of signature” for HIPAA authorizations. Therefore, you must waive the authorization entirely; or
4. Ask the IRB for a waiver of privacy authorization if you seek to use PHI for secondary data analysis, and you justify retention of some identifiers for scientific purposes. This is a complete waiver of the HIPAA privacy authorization; or
5. Use a limited collection of PHI, called a limited data set. In this data set, you may only use the following identifiers:
a. Dates such as admission, discharge, service, DOB, DOD;
b. City, state, five digit or more zip code; and
c. Ages in years, months, days, or hours.
Helpful document: Guidance on Protected Health Information and the JHSPH- covers the requirements for obtaining signed privacy authorizations, for obtaining a waiver of the signed privacy authorization requirement and for using limited data sets.
Now, it’s time to choose the appropriate form.
Your first step in the HIPAA approval process is filling out the HIPAA section on PHIRST. If you are using PHI, it is ESSENTIAL that you indicate this in your PHIRST application! If you are amending your application, please fill out the Application for the Disclosure of Protected Health Information.
Step 2 for Waiver Seekers
If you are asking for a (partial OR complete) waiver of the authorization requirement and you are receiving PHI from a Hopkins covered entity, congratulations, you get to use the Hopkins HIPAA Compliance System! Under the JHSPH HIPAA policy, you must track the disclosures of the PHI that Hopkins covered entities provide to you. Once your request for a waiver is approved, the Research Compliance Officer will provide you with information about this requirement.
Step 2 for Authorization Seekers
If you are obtaining authorization from participants (written or oral), you will need to choose a HIPAA privacy authorization form template that best fits your consent process.
Helpful document: Guidance on Choosing a HIPAA Privacy Authorization Form Template
Choose one of the following templates*:
1. Combined consent/HIPAA authorization
2. Combined medical records release form/HIPAA authorization
3. Combined medical records release form/HIPAA authorization- child
4. Oral authorization
5. Stand-alone HIPAA authorization
* Note: Like consent documents, IRB approved Authorization forms must be stamped with the IRB logo.
Step 2 for Limited Data Set Users
Investigators who seek access to limited data sets containing PHI from a Johns Hopkins covered entity will need to sign a Data Use Agreement (DUA). These agreements are generated by the Office of Research Administration. To obtain a DUA, contact the Research Compliance Officer, Elizabeth Peterson at firstname.lastname@example.org.
Do I need any special training to use PHI?
All JHSPH investigators, study staff, and students using Protected Health Information in research must complete HIPAA training: MyLearning Module: HIPAA & Research - 01. You will find this course in the MyLearning Course Catalog under “Compliance > Research Compliance and Ethics > HIPAA & Research.” It will NOT be listed under “HIPAA” You do not need to take the “General Privacy Issues” course as a prerequisite.