Skip to main content

BSPH, HIPAA & Research

The BSPH IRB has revised its HIPAA Policy to provide greater clarity about how BSPH researchers may access protected health information (PHI).  Note:  Only BSPH researchers with joint appointment with the School of Medicine and clinical responsibilities there may access the JHHS Epic system unless the IRB approves a HIPAA Workforce Agreement for that researcher. 

BSPH Policy authorizes the BSPH IRB as a HIPAA Privacy Board.  This means that the BSPH IRB may review and approve the access to and use of Protected Health Information (PHI) (e.g., medical record information, clinical billing records, insurance information, Medicare information, pharmacy records, etc.) in research conducted by its faculty, staff, and students. Please review our HIPAA FAQs before submitting a research application that involves accessing PHI.

Select from the documents and guides below to help prepare your research application, to access PHI from Johns Hopkins Medicine (JHM) and from non-JHM sources.  All investigators and research staff who are working with protected health information must complete the CITI module on HIPAA: Health Privacy Issues for Researchers.


(See an updated list of JHM covered entities)

Human Subjects Research Data: Federal and State Laws Related to Privacy, Rights of Subject and Sharing

HIPAA Authorization

Researchers will ask participants to sign a HIPAA Authorization permitting access to medical/billing record information.




Research seeking access to medical records for sole purpose of identifying potentially eligible study participants Preparatory to Research


  • HIPAA Workforce Agreement – This document is needed for any individual BSPH researcher who will work under the direction of a JHHS credentialed clinician to access Epic for this limited purpose.  No agreement is needed unless accessing Epic.  The Workforce Agreement must be co-signed by the JHHS credentialed clinician.  These documents must be stamped “IRB approved” and submitted to the JHM Privacy Office.

Secondary Data Analysis

Research using existing PHI from Johns Hopkins Medicine, including:

  • Identifiable datasets via a HIPAA Waiver;
  • Limited Data Sets and
  • De-Identified Data Sets


  • If your study involves access to more than 500 records it requires BSPH IT and Data Trust Research Data Subcouncil Review.  Review the:

 and submit with your BSPH IRB application:

Research involving PHI of Decedents
  • JHM HIPAA Form 5:  Representations for Research Involving Only Decedents’ Information



All types of PHI disclosures

Questions? Please contact the BSPH IRB Office at