To be completed by the Principal Investigator
Institutional Review Board Office
615 N. Wolfe Street / Room E1100
Baltimore, Maryland 21205-2179
Phone:
410-955-3193
Toll Free: 1-888-262-3242
Fax:
410-502-0584
Email:
jhsph.irboffice@jhu.edu
Website:
JHSPH IRB HIPAA Application for Disclosure
of Protected Health Information
Through a Signed Privacy Authorization or
www.jhsph.edu/irb
Waiver of Privacy Authorization
PI Name
IRB Number
Study Title
Date
1. Identify the source(s) of Protected Health Information (PHI) you want to use in your study. Choose
all that apply.
i.
Directly from the study participant
With a signed IRB Approved HIPAA Privacy Authorization
Using an oral consent script with HIPAA language and an IRB approved HIPAA
Waiver of the requirement to obtain a signed privacy authorization
ii.
From the participant’s clinical care provider or an existing clinical/billing record or research
database under an IRB approved HIPAA waiver of the requirement to obtain a signed privacy
authorization
iii.
Clinical/billing records containing only information about decedents. Confirming that the
representations listed below are true for my study:
 I am seeking disclosure of PHI solely from deceased persons
 Documentation of death of each individual will be available to the covered entity and the
IRB upon request.
 The PHI is necessary for research purposes
2. Select the personal identifiers you seek to access/use in your research project.
Name
Geographic information smaller than State
Elements of dates (birth date, admission date,
date of death, ages >89 years of age
Telephone numbers
JHSPH IRB HIPAA Application
V5, 26Feb2016
Certificate or license numbers
Vehicle identifiers and serial numbers including
license plate
Device identifiers and serial numbers
URLs
To be completed by the Principal Investigator
FAX numbers
Electronic mail address
Social Security Number
Medical record numbers
Account numbers
IP address numbers
Biometric identifiers
Full face photographic images and comparable
images
Health Plan beneficiary numbers
Any other unique identifying number,
characteristic or code
3. Describe the types of health information you will collect (e.g. diagnosis, test results, treatments,
etc.)
I.
HIPAA PRIVACY AUTHORIZATION
1. Will you obtain a signed HIPAA Authorization from your study participants?
Yes
If yes, indicate what form you plan to use:
Combined consent/HIPAA authorization document
Stand-alone Medical Records Release form with HIPAA authorization document
Stand-alone HIPAA authorization document
II.
No
REQUEST FOR WAIVER OF HIPAA PRIVACY AUTHORIZATION
1. Are you requesting a waiver of the HIPAA Authorization requirement for study recruitment, oral
consent/authorization, and/or for secondary data analysis?
Yes No
2. Explain why the research and/or recruitment could not practicably be conducted without the
waiver. Be as specific as possible.
3. Explain why the research and/or recruitment could not practicably be conducted without access
to/use of the PHI. Be as specific as possible.
4. Are you recruiting participants or obtaining PHI from a Johns Hopkins covered entity (e.g. Johns
Hopkins Hospital, Johns Hopkins Community Physicians, etc.)?
Yes
No
Please identify the source institution, e.g. “Johns Hopkins Hospital Emergency Department”
If you are obtaining PHI from a Johns Hopkins covered entity for fewer than 50 participants:
You must “track” this disclosure from the covered entity’s health records to you in the SPH JH
HIPAA Compliance System. Contact the IRB Office to register for the database. The database
may be accessed at https://cfapps.jhsph.edu/SPH-JH-HIPAA-Compliance/.
JHSPH IRB HIPAA Application
V5, 26Feb2016
To be completed by the Principal Investigator
5. Do you intend to use a Limited Data Set?
Note: A limited data set may include only the following identifiers:
 Dates, such as admission, discharge, service, DOB, DOD;
 City, state, five digit or more zip code; and
 Ages in years, months, days, or hours.
Yes
No
If you checked yes, you must enter into a Data Use Agreement with the covered entity to gain
access to the data. If you will receive or will abstract identifiable data from the covered entity
and you will reduce the data to a limited data set yourself, you must also enter into a Business
Associate Agreement with the covered entity. Please complete this form and contact the JHSPH
IRB Office at jhsph.irboffice@jhu.edu to discuss obtaining Business Associate Agreements and
Data Use Agreements.
6. Please check the appropriate box below that best describes how the data will be extracted from
the record system.
The covered entity will extract the data and provide it to the research team.
Research team staff will extract the data directly from the covered entity. The research team
represents that it has the covered entity’s permission to extract the records and will access and
extract only the records described in the research application and in this HIPAA application for
disclosure of PHI. If the source of the data is a Johns Hopkins covered entity, a Business
Associate Agreement will be in place.
7. When will you destroy the identifiers? (Must be at earliest opportunity)
8. Confirm the following: The PHI will not be reused or disclosed to any other person or entity,
except:
 As required by law
 For authorized oversight of this research
 For other research for which use or disclosure of PHI is permitted under HIPAA. I will not
proceed with any such use without consultation with the HIPAA Privacy Office.
Confirm
JHSPH IRB HIPAA Application
V5, 26Feb2016