HIPAA has two relevant standards that must be satisfied. The HIPAA Security Rule Standards and the HIPAA Privacy Rule Standards. The JHPCE adheres to the HIPAA Security Rule Standards. Adhering to the HIPAA Privacy standards is the responsibility of the PI. BSPH is not part of the Johns Hopkins covered entities (As of 1/26/06). Therefore, insofar as data on the JHPCE is concerned, the PI is responsible for ensuring that his or her research is conducted in compliance with HIPAA Privacy Rule Standards. Fortunately, this is not difficult. It means that PIs must not maintain Individually Identifiable Health Information on any JHPCE system. Formally, PIs are restricted to either de-identified datasets or to limited datasets (see links below for details). Examples of limited data sets include dbGaP datasets (assuming a data use agreement is in place) and de-identified insurance claim data. The latter can include dates such as admission, discharge, service, DOB, DOD; and location information such as city, state, five digit or more zip code; and ages in years, months or days or hours.
The following links from the JHPSH IRB, SOM IRB and the US Department of Health & Human Services (HHS) provide details on how to de-identify your data so that you are in compliance with the HIPAA Privacy Rule Standards.