HIPAA

Basics

HIPAA has two relevant standards that must be satisfied: the HIPAA Security Rule Standards and the HIPAA Privacy Rule Standards. The JHPCE adheres to the HIPAA Security Rule Standards. Adhering to the HIPAA Privacy Rule Standards is the responsibility of the PI. BSPH is not part of the Johns Hopkins covered entities (as of 1/26/06). Therefore, insofar as data on the JHPCE is concerned, the PI is responsible for ensuring that his or her research is conducted in compliance with the HIPAA Privacy Rule Standards. Fortunately, this is not difficult. Formally, PIs are restricted to either deidentified datasets or limited datasets (see links below for details). Examples of limited datasets include dbGaP datasets (assuming a data use agreement is in place) and deidentified insurance claim data. The latter can include dates such as admission, discharge, service, DOB and DOD; location information such as city, state, and five-digit or longer ZIP code; and ages in years, months, days or hours.

Using PHI or PII on JHPCE

The JHPCE cluster may be able to meet the requirements specified by the data provider for the handling of PHI data. Data analysts may need to go through additional steps in order to access the data, but this typically amounts to only a few extra steps. If you have a dataset with sensitive data, please reach out to us at bitsupport@jhu.edu and we can review the data handling requirements to assess whether the JHPCE cluster can meet them.

CSUB

The JHPCE maintains a small sub-cluster for handling CMS Medicare and Medicaid claims data. This sub-cluster has a number of additional security features in place to ensure the security of this more sensitive data. If you are interested in accessing the CMS data, please email support@harp-csub.freshdesk.com for more information. We have additional information in our CSUB Section.

The following links from the JHPSH IRB, SOM IRB and the US Department of Health & Human Services (HHS) provide details on how to de-identify your data so that you are in compliance with the HIPAA Privacy Rule Standards.