HIPAA Policy and Practice
The JHSPH IRB is a Privacy Board under HIPAA and may review and approve the use of Protected Health Information (PHI) for research purposes.
The JHSPH IRB HIPAA Policy explains the conditions under which PHI may be accessed and used by JHSPH researchers. There are 5 ways that a researcher may access PHI:
- A research participant signs a HIPAA Authorization permitting the disclosure and use of his or her PHI;
- The JHSPH IRB approves access/use of PHI for recruitment purposes under the limited terms allowed “Preparatory to Research”;
- The JHSPH IRB approves a HIPAA Waiver when it is impracticable to access PHI through the first two methods;
- Through the use of a Limited Data Set created by a HIPAA Workforce Member; and
- For the use of PHI of deceased individuals, through the JHSPH IRB approval of a “Representations Form for Research Involving Only Decedents’ Information.”
To obtain IRB approval for a research-related disclosure of PHI, researchers must submit a JHSPH IRB Application for Disclosure of Johns Hopkins Medicine (JHM) PHI, or the JHSPH IRB Application for Disclosure of non-JHM PHI with their new PHIRST application or with their Amendment Application. If a researcher seeks to access JHM PHI for recruitment purposes, that person may need to complete a HIPAA Workforce Agreement in addition to fulfilling the HIPAA Training requirements. The JHSPH HIPAA Policy provides greater detail about these requirements.
Please see the HIPAA FAQs and our HIPAA 2017 powerpoint presentation for more details about HIPAA.
HIPAA FORMS:
For JHM PHI:
- JHSPH IRB Application for Disclosure of Johns Hopkins Medicine (JHM) PHI
- HIPAA Workforce Agreement (for Preparatory to Research Recruitment Activities)
- Data Use Agreement for Limited Data Sets
- Representations Form for Research Involving Only Decedents’ Information
For non-JHM PHI:
Questions? Please contact the JHSPH IRB Office at jhsph.irboffice@jhu.edu.