Disclosure means the release, transfer, provision of, access to, or divulging in any other manner of PHI to persons or entities outside of the Johns Hopkins Covered Entities and Related OHCA Participants.
HIPAA means the Health Insurance Portability and Accountability Act of 1996.
Johns Hopkins Covered Entities and Related OHCA Participants -- see Johns Hopkins Privacy Office website for HIPAA Forms/Policies Templates or http://intranet.insidehopkinsmedicine.org/privacy_office.
Protected health information or PHI means protected health information, i.e., individually identifiable health information, as defined under the Privacy Regulations promulgated under HIPAA.
Use means the sharing, employment, application, utilization, examination or analysis of PHI within the Johns Hopkins Covered Entities and Related OHCA Participants.
Workforce members, for purposes of this policy only, are persons under the direct control of Johns Hopkins, including, but not limited to, all employees, medical and other students, interns, residents, fellows, researchers, staff, faculty, trainees, volunteers, temporary personnel, consultants, contractors and subcontractors. “Workforce members” also includes all physicians and allied health professionals, whether or not employed by Johns Hopkins.
Scope of Policy
This policy applies to all Johns Hopkins workforce members conducting research where protected health information is or may be used or disclosed.
Statement of Policy
Protected health information received or maintained by Johns Hopkins may not be used internally or disclosed to any persons or organizations outside of Johns Hopkins for human subjects research purposes without the prior approval of an Institutional Review Board approved by Johns Hopkins (“IRB”), Privacy Board (“PB”) or its designee (the “IRB/PB”). All persons requesting access to protected health information for human subjects research purposes should be directed to submit his or her request to the IRB/PB. The IRB/PB will be responsible for implementing policies and procedures regarding the access, use and disclosure of protected health information for human subjects research purposes. (See Policy 164.2 Organization Policy on IRBs and Privacy Boards – Research) Protected health information relating to decedents received or maintained by Johns Hopkins may not be used internally or externally for research purposes without the researcher filing a “Representations Form for Research Involving Only Decedents’ Information” . All Johns Hopkins research activities also must comply with other applicable Johns Hopkins policies relating to research (such as Johns Hopkins policies addressing Common Rule and FDA requirements for research) and with any additional requirements that apply to specific types of information involved in the research. Finally, to the extent members of the Johns Hopkins workforce provide treatment to subjects as part of a research study, they must follow other Johns Hopkins policies to the extent those policies apply to the provision of health care to individuals.
Non-compliance with HIPAA Regulations During the Conduct of Human Subjects Research
The IRB/OHSR has general responsibility for implementation of this policy. If an IRB or the Office of Human Subjects Research (OHSR) receives a complaint or allegation of non-compliance with HIPAA requirements that occurs in the context of a research protocol, the matter will be referred to the Vice Dean for Clinical Investigation and the HIPAA Privacy Officer for coordination of an investigation. OHSR will assist the Privacy Officer in the investigation of the complaint. If the investigation concludes that a HIPAA violation occurred the responsible employer/supervisor, with input from the HIPAA Office, will direct disciplinary action if warranted. Disciplinary action taken may include termination of employment. The Vice Dean for Clinical Investigation will determine the HIPAA violation meets the criteria for significant human subject research non-compliance with the Organization’s policy. The Vice Dean for Clinical Investigation may take additional actions to prevent future human subject research non-compliance on the part of the individual(s) found to have committed a HIPAA violation. Whenever the IRB/OHSR learns of a violation or possible violation, Johns Hopkins will attempt, to the extent permitted by law and institutional policy, to handle the reported matter confidentially. Any attempt to retaliate against a person for reporting a violation of this policy will itself be considered a violation of this policy that may result in disciplinary action by the person’s employer up to and including termination of employment or contract with Johns Hopkins.