HIPAA FAQs

What is HIPAA?

The U.S. Health Insurance Portability and Accountability Act (HIPAA) provides national standards for protecting the privacy and security of health information and gives rights to individuals with respect to their health information. The HIPAA Privacy Rule regulates how covered entities may use and disclose certain individually identifiable health information called protected health information (PHI), whether communicated on paper, electronically, or orally. Only individually identifiable health information that is created or received by a covered entity qualifies as PHI and is covered by HIPAA.

What is a covered entity?

“Covered entities” are defined, in part, as health care providers that electronically transmit any health information in connection with billing. For example, hospitals, academic medical centers, and other health care providers that electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. A covered entity may be an organization, an institution, or an individual. Johns Hopkins Hospital is a covered entity; all Johns Hopkins organizations providing health care to the public at all of their delivery sites are “covered entities.”

Is JHSPH a covered entity?

JHSPH is not a covered entity. HOWEVER, if you use PHI from a covered entity in your research at JHSPH, you have responsibilities to protect those data. Please review our JHSPH HIPAA Policy.

If I would like to use PHI in my research, what do I need to do?

  1. Complete one of the two JHSPH IRB HIPAA applications: the JHSPH IRB Application for Disclosure of Johns Hopkins Medicine (JHM) PHI, or the JHSPH IRB Application for Disclosure of non-JHM PHI, and submit it with your new PHIRST application or Amendment (if you are adding the access/use of PHI to an existing IRB-approved study).
  2. Ensure that your study team has completed the appropriate HIPAA training.
  3. If JHU faculty, staff, or students will access JHM PHI for recruitment purposes, Preparatory to Research, they must be working at the direction of a credentialed Johns Hopkins Health Systems (JHHS) Workforce Member. If the person accessing the PHI is not a JHM Workforce Member, that person must complete a JHM HIPAA Workforce Agreement to allow access to PHI for the limited purpose described in the JHSPH HIPAA Application.
  4. If JHU faculty, staff, or students will receive JHM PHI in the form of a Limited Data Set, they will need to sign a Data Use Agreement through the JHM Privacy Office.
  5. If you will ask study participants to sign a HIPAA Authorization with the study consent form, use the approved templates available on our Consent Forms page.
  6. If you want to use PHI from deceased individuals only, submit a HIPAA Form 5, Representations Form for Research Involving Only Decedents’ Information.

How does recruitment “Preparatory to Research” work?

The HIPAA Privacy Rule permits access to PHI within a covered entity for recruitment purposes, without Authorization or waiver, when that access meets very specific criteria. For Johns Hopkins Health Systems (JHHS):

  1. Only a “JHHS HIPAA Workforce Member” may access the PHI.
  2. Access to PHI must be to identify potential participants “within the covered entity.”
  3. A clinician with a treatment relationship must first contact the potential participant to get permission for disclosure.
  4. The clinician must record the patient’s permission to disclose PHI to the researcher in the patient’s medical record.
  5. Disclosure to the researcher is limited to the “minimum necessary” information for eligibility and contact.

Who qualifies as a “JHHS HIPAA Workforce Member”?

• Credentialed JHHS-privileged professionals or staff who have access to EPIC for patient care (credentialed JHHS Workforce Members)

• Students in health care professions (SON, SOM, SPH) who access PHI under the direction of a credentialed JHHS Workforce Member and who have signed a HIPAA Workforce Agreement

• JHU Research Personnel (faculty, staff) working under the direction of a credentialed JHHS Workforce Member who have signed a HIPAA Workforce Agreement

• JHU Research Personnel serving as JH Privacy Office credentialed “Honest Brokers”

Once the JHHS HIPAA Workforce Member obtains the PHI for recruitment, how may a researcher contact the patient?

There are two approved mechanisms for patient contact using PHI that the Privacy Rule allows – one may be used when the patient is present in the covered entity for recruitment contact, and one when the patient is not. The information below covers JHHS recruitment policy; for other covered entities, researchers must follow local HIPAA policy.

  1. Contacting a potential participant who is PRESENT (i.e., within the ‘covered entity’) at JHHS

• A clinician with a treatment relationship must ask the patient for permission to disclose PHI to the researcher

• The clinician must document permission to disclose “minimum necessary” PHI (name, eligibility criteria) to the researcher in the medical record

• Researcher contact with the potential participant must occur in the covered entity

• PHI cannot leave the covered entity

  2. Contacting a potential participant who is NOT PRESENT (i.e., outside the ‘covered entity’) at JHHS

• A clinician with a treatment relationship must contact the potential participant (by mail, phone, etc.) to ask permission to disclose PHI to the researcher

• The clinician must be added to the study as a co-investigator

• The researcher must ask the IRB to waive/alter the signature requirement for consent/authorization, allowing the record of patient permission in the medical record to serve as documentation

• The researcher may then use the PHI to contact the potential participant outside the covered entity

• If the research will involve clinical activities in the covered entity and/or additional access to PHI, the researcher must obtain a signed consent/authorization from each participant before enrollment

What constitutes PHI?

Under the HIPAA Privacy Rule, PHI is health information that is accompanied by one or more of the following identifiers. Any one of the following identifiers associated with the name of a covered entity provider or health plan also constitutes PHI:

  1. Names
  2. Geographic information smaller than a State, including city, county, and ZIP code and their equivalent geocodes, except for the initial three digits of a ZIP code if, according to the current publicly available data from the Bureau of the Census:
     (1) the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
     (2) the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. All elements of dates (other than year) directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  4. Telephone numbers
  5. FAX numbers
  6. Email addresses
  7. Social Security Numbers
  8. Medical record numbers
  9. Account numbers
  10. Certificate or license numbers
  11. Vehicle identifiers and serial numbers, including license plate numbers
  12. Device identifiers and serial numbers
  13. Web Universal Resource Locators (URLs)
  14. Internet Protocol (IP) address numbers
  15. Biometric identifiers, including finger and voice prints
  16. Full face photographic images and any comparable images
  17. Health plan beneficiary numbers
  18. Any other unique identifying number, characteristic, or code
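The identifier rules above are mechanical enough to encode. The script below is an added example, not JHSPH policy or JHM tooling: it applies the Safe Harbor transformations to a constructed patient record, dropping the direct identifiers, keeping only the year of dates, collapsing ages over 89 into a single “90+” category (and withholding the birth year that would reveal such an age), and truncating ZIP codes to their first three digits or to “000” under the 20,000-person rule. The `ZIP3_POPULATION` table and the sample records are assumptions constructed for illustration; a real deployment must load current Census figures, and an unknown ZIP prefix is treated as failing the threshold rather than passing it.

```python
"""Safe Harbor de-identification helper (added example; not JHSPH/JHM code).

Drops the direct identifiers from the list above, reduces dates to years,
caps ages at "90+", and truncates ZIP codes per the 20,000-person rule.
The population table and sample records are CONSTRUCTED for illustration.
"""
from datetime import date

# ASSUMPTION: 3-digit ZIP prefix -> population of all ZIPs sharing that prefix.
# These values are illustrative, not Census data.
ZIP3_POPULATION = {
    "212": 600_000,   # assumed large metro prefix: first three digits may be kept
    "036": 15_000,    # assumed below 20,000 people: must be reported as "000"
}

# Field names (assumed schema) that carry direct identifiers and are removed outright.
DIRECT_IDENTIFIERS = frozenset({
    "name", "mrn", "ssn", "phone", "fax", "email", "street", "city", "county",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo",
})

AS_OF = date(2017, 8, 10)   # reference date used to compute ages

# Constructed, fictitious sample records.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "000123456",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "phone": "410-555-0100",
    "dob": date(1931, 6, 15),
    "admission": date(2017, 8, 10),
    "zip": "21205",
    "diagnosis_code": "E11.9",
}
OLD_RECORD = dict(SAMPLE_RECORD, dob=date(1925, 6, 15))   # age 92 on AS_OF


def deidentify_zip(zip_code, population=ZIP3_POPULATION):
    """Return the 3-digit prefix if its combined population exceeds 20,000, else '000'."""
    digits = "".join(ch for ch in str(zip_code) if ch.isdigit())
    if len(digits) < 5:
        raise ValueError(f"not a 5-digit ZIP code: {zip_code!r}")
    zip3 = digits[:3]
    # Fail closed: a prefix we cannot show exceeds 20,000 people becomes "000".
    return zip3 if population.get(zip3, 0) > 20_000 else "000"


def age_on(dob, as_of):
    """Whole years elapsed between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def deidentify_record(record, as_of=AS_OF, population=ZIP3_POPULATION):
    """Return a new dict containing only Safe Harbor-permitted fields."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "dob":
            continue                      # dob is handled with the age rule below
        if key == "zip":
            out["zip3"] = deidentify_zip(value, population)
        elif isinstance(value, date):
            out[key + "_year"] = value.year   # keep only the year of any date
        else:
            out[key] = value
    dob = record.get("dob")
    if dob is not None:
        age = age_on(dob, as_of)
        if age > 89:
            out["age"] = "90+"            # birth year would reveal age > 89, so omit it
        else:
            out["age"] = age
            out["birth_year"] = dob.year
    return out


if __name__ == "__main__":
    print(deidentify_record(SAMPLE_RECORD))
    print(deidentify_record(OLD_RECORD))
```

Safe Harbor removes listed identifiers; it does not by itself guarantee a low re-identification risk for small or unusual cohorts, and the “any other unique identifying number, characteristic, or code” item means free-text fields still need review before release.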

Questions? Please contact the JHSPH IRB Office at .

10Aug2017