Skip Navigation

Institutional Review Board

JHSPH, HIPAA & Research

The JHSPH IRB has revised its HIPAA Policy to provide greater clarity about how JHSPH researchers may access protected health information (PHI).  Note:  Only JHSPH researchers with joint appointment with the School of Medicine and clinical responsibilities there may access the JHHS Epic system unless the IRB approves a HIPAA Workforce Agreement for that researcher. 

JHU Policy authorizes the JHSPH IRB as a HIPAA Privacy Board.  This means that the JHSPH IRB may review and approve the access to and use of Protected Health Information (PHI) (e.g., medical record information, clinical billing records, insurance information, Medicare information, pharmacy records, etc.) in research conducted by its faculty, staff, and students. Please review our HIPAA FAQs before submitting a research application that involves accessing PHI.

Select from the documents and guides below to help prepare your research application, to access PHI from Johns Hopkins Medicine (JHM) and from non-JHM sources.  All investigators and research staff who are working with protected health information must complete the CITI module on HIPAA: Health Privacy Issues for Researchers.

PROTECTED HEALTH INFORMATION FROM JOHNS HOPKINS MEDICINE (JHM)

(See an updated list of JHM covered entities)

 

HIPAA Authorization

Researchers will ask participants to sign a HIPAA Authorization permitting access to medical/billing record information.

 

 

 

 

 

Recruitment

Research seeking access to medical records for sole purpose of identifying potentially eligible study participants Preparatory to Research

 

 

 

 

 

 

  • HIPAA Workforce Agreement – This document is needed for any individual JHSPH researcher who will work under the direction of a JHHS credentialed clinician to access Epic for this limited purpose.  No agreement is needed unless accessing Epic.  The Workforce Agreement must be co-signed by the JHHS credentialed clinician.  These documents must be stamped “IRB approved” and submitted to the JHM Privacy Office.

 

 

Secondary Data Analysis

Research using existing PHI from Johns Hopkins Medicine, including:

  • Identifiable datasets via a HIPAA Waiver;
  • Limited Data Sets and
  • De-Identified Data Sets

 

 

 

 

 

 

 

 

 

 

  • Data Security Checklist and Data Security Profile Forms (hosted on JHM IRB Form webpage) for access to more than 500 records – requires JHSPH IT and Data Trust Research Data Subcouncil Review.  Submit with your JHSPH IRB application.

 

  • Data Use Agreement (DUA) - submit to the JHURA JAWS system to obtain a signed DUA (access to system here:https://research.jhu.edu/jhura/jaws/).  Final IRB approval is contingent upon submission of this document.

 

Research involving PHI of Decedents

  • JHM HIPAA Form 5:  Representations for Research Involving Only Decedents’ Information

 

PROTECTED HEALTH INFORMATION FROM NON-HOPKINS INSTITUTIONS

All types of PHI disclosures

 

 

 

 

 

 

 

  • Data Use Agreement (DUA) - submit to the JHURA JAWS system to obtain a signed DUA (access to system here: https://research.jhu.edu/jhura/jaws/).  Final IRB approval is contingent upon submission of this document.

 

Questions? Please contact the JHSPH IRB Office at jhsph.irboffice@jhu.edu.