Data Scientists and researchers from the Applied Physics Lab (APL), the Johns Hopkins Bloomberg School of Public Health (SPH), and other schools across Johns Hopkins University play an important role in many research projects involving Johns Hopkins Medicine (JHM) patient data. HIPAA and Common Rule regulations impact what data these Data Scientists and researchers can see and under what circumstances. This document answers questions related to collaboration with JHU researchers outside the JHM covered entity so that studies teams may structure their studies in a compliant manner.
What is the JHM Covered Entity?
A key concept in understanding healthcare regulations is that of the HIPAA covered entity, an entity that is “covered” by the HIPAA regulations. HIPAA regulations apply to health plans, health care providers that bill electronically for services, health care clearinghouses, Medicare Part D Pharmaceutical Providers, and Business Associates . See About HIPAA for information about the JHM covered entity. Note that the JHU Schools of Medicine (SOM) and Nursing (SON) are part of the JHM Covered Entity, while APL, SPH and the Homewood Schools (e.g. Whiting School of Engineering) are not.
Is APL able to access PHI in relation to the Precision Medicine infrastructure?
Due to its unique legal structure, a Business Associates Agreement (BAA) with APL allows APL workforce members to have access to Protected Health Information (PHI) to perform services on behalf of the JHM Covered Entity. Developing the Precision Medicine Analytics Platform (PMAP) infrastructure is an example of a service that is permitted under the BAA. Notably, conducting research is not considered a business service on behalf of the covered entity, and access to PHI for research purposes is not permitted by the BAA. The Institutional Review Board (IRB) must approve APL researcher access to JHM data for research purposes.
What is a Disclosure?
Any time an individual outside the Covered Entity accesses a patient’s facial identifiers (e.g. name, medical record number, address, etc. – see Definition of Limited data set to understand what identifiers must be removed for data to be considered a limited data set), it is considered a HIPAA disclosure. Therefore, sharing of PHI with facial identifiers with APL or SPH data scientists is considered a disclosure regardless of whether or not the data leaves the PMAP environment. Patients may authorize the sharing of their data with outside researchers in the consent and authorization that they sign to participate in a study. In the absence of a patient authorization, which is typically the case with large datasets, HIPAA mandates that disclosure of PHI for research purposes be the minimum necessary to conduct the research and it must be impractical to obtain patient authorization for the disclosure. The IRB requires a HIPAA Waiver of Authorization and reviews each data element shared with the outside organization to ensure there is a scientific justification for the disclosure. Such evaluations take time and may involve several questions from the IRB to the study team to establish whether sharing of direct identifiers is necessary to accomplish the research. In most cases such sharing is not required and the research may be accomplished by removing direct identifiers prior to sharing.
What data can JHU researchers outside the JHM covered entity access without patient authorization?
Research uses of data require IRB approval. In many cases, researchers outside the covered entity do not need access to direct identifiers included in the data; rather, they can use a subset of the data that consists of a limited dataset or a deidentified dataset for analysis. In the majority of cases, when data is shared outside of the covered entity without patient authorization, the IRB will require that the data to be shared be reduced to a limited data set in order to meet the minimum necessary standard.
HIPAA allows for the disclosure of limited datasets for IRB-approved research collaborations. To request a limited dataset for research, contact the CCDA.
Are JHU students able to access PHI for research purposes?
Research uses of data require IRB approval. Students from across JHU are able to access PHI for research purposes provided they complete Johns Hopkins HIPAA training courses and access data under the oversight of an SOM or SON faculty member serving as Principal Investigator (PI) of an IRB approved research protocol. Because the student is under the oversight of an employee within the JHM covered entity (the PI), they are considered a part of the JHM Covered Entity for HIPAA purposes. SOM and SON faculty providing oversight for student access to PHI take full responsibility for the student’s access and actions.
See Are faculty with Joint Appointments part of the JHM Covered Entity? for information regarding joint appointments). The IRB is responsible for approving study team members and their roles and will consider these factors. If the student has a role within the covered entity and a role outside the covered entity, the IRB will consider the role under which the student is participating in the research.
Are JHU faculty outside the JHM Covered Entity able to access PHI?
Faculty members outside the JHM Covered Entity are not under the oversight of a JHM Covered Entity employee and therefore require a HIPAA Waiver or signed HIPAA Authorization and approved IRB protocol to access PHI for research. Researchers should, to the maxim extent possible, design their studies to obtain prospective consent and authorization from research subjects for access to their PHI. In some cases where consent and authorization cannot be obtained prospectively, the IRB may determine that access to PHI by a JHU researcher outside the JHM covered entity is justifiable, in that the research cannot be practicably done without the access to PHI, and grant a HIPAA Waiver of Authorization.
In other cases, access to full PHI is not required for the researcher outside the JHM covered entity. The IRB may determine that work done by researchers outside the covered entity can be accomplished using a limited dataset. The protocol should explain the need for the limited data set as opposed to fully de-identified data.
How can JHU researchers outside the JHM covered entity participate in research projects using PMAP?
In cases where there is express patient authorization and consent, named members of the IRB research protocol may access a registry with PHI. In cases without patient authorization and consent, where the PMAP registry protocol has been approved by the IRB, a protocol for secondary data use may be submitted using an eformS (see forms) that establishes a projection of a subset of the PMAP registry, or even subsets of multiple registries, to answer specific research questions. The subset projected should be a limited dataset, which may include dates. APL and SPH data scientists and other researchers outside the JHM Covered Entity may be included as study team members on the protocol for secondary data use. JH Investigators outside the JHM covered entity receiving an LDS must include in their IRB application a data specification from the CCDA or a CCDA certified data manager that describes the data to be provisioned OR a document certifying the status of the dataset as a limited dataset provided by an individual certified in de-identification by the CCDA. If the team is a mix of JHM and JHU Non-JHM researchers, the specification should indicate that a limited data set is being shared with researchers outside the covered entity.
Do collaborations with researchers outside the JHM Covered Entity require Data Use Agreements?
A Data Use Agreement (DUA) establishes the terms under which data may be used by a third party collaborating on research involving patient data. The School of Medicine Office of Research Administration (ORA) negotiates and executes DUAs and other research agreements with data use terms for JHM PIs when research involves JHM patients or their data. A DUA or other agreement with terms for data use is required whenever JHM patient data is shared outside JH under a waiver of consent, even if the data is fully de-identified. JH Investigators outside the JHM covered entity receiving an LDS or full PHI pursuant to an IRB waiver of HIPAA authorization must complete the IRB requirements for study team members and agree to the Data Protection Attestation terms. APL Investigators receiving an LDS or full PHI require a DUA. The COEUS PD number for the DUA should be entered in section 36 of the IRB application. APL investigators receiving an LDS through PMAP may use the APL Master agreement; contact Suma Subbarao for more information.
Are faculty with Joint Appointments part of the JHM Covered Entity?
Faculty who have a joint appointment in the SOM or SON and who have clinical privileges are considered part of the JHM Covered Entity and do not need to request a DUA from ORA or JHURA to participate in research projects involving JHM data. The activity must be related to their SOM or SON role to be considered an activity within the JHM covered entity. The joint appointment does not need to be a dual primary appointment
Note that PHI used by such faculty must be stored and accessed in a HIPAA-compliant manner and described in the IRB-approved protocol. See Best Practices for Storage of Data for Research and Quality Improvement for details. Are there special considerations for PMAP Registries?
A Precision Medicine Center of Excellence (PMCOE) must submit an IRB application using an eForm R (see forms) for the creation of a PMAP registry supporting a PMCOE to the IRB. PMAP registries often have identifiers that enable joining of identified data across different datasets. The ability to join disparate datasets is one of the benefits of using the PMAP environment. Adding APL or SPH data scientists or other researchers outside the JHM Covered Entity to the protocol for the creation of a PMAP registry that includes such identifiers could constitute a disclosure and require the IRB to review the data elements shared to ensure that the minimum necessary for the research would be shared. For that reason, consider the following options.
- Leave faculty and staff outside the covered entity off the protocol for the creation of a registry that includes identifiers. These faculty and staff may offer guidance on the elements to be included in the registry, without looking at data from specific individuals.
- Bar access to PHI within the registry for study team members outside the covered entity. The PMAP team can separate out the PHI, making it accessible to a subset of the study team that excludes those outside the JHM covered entity.
- Create a secondary use protocol using an eform S that creates a derivative projection of the registry that is a limited dataset. Faculty and staff from outside the covered entity may be listed on the secondary use protocol and analyze the limited dataset. See How can JHU researchers outside the JHM covered entity participate in research projects using PMAP?
When is it appropriate for the HIPAA workforce member agreement to be used for personnel outside of the JHM covered entity who are working on a research registry?
The HIPAA workforce member agreement is appropriate when the personnel are performing a covered healthcare operations service for or on behalf of the covered entity. This would apply in cases where the personnel are designing broad, general infrastructure that might be used for many different research registries such as PMAP infrastructure.
When a person outside of the covered entity is performing registry specific work for a registry covered by an eForm R, a HIPAA workforce member agreement is not appropriate. Instead, the person should be listed on the protocol and the research team must seek a HIPAA waiver from the IRB or request access to a limited data set only and request a DUA if needed (see Do collaborations with researchers outside the JHM Covered Entity require Data Use Agreements?