Attachment 26 HIPPA Waiver

Approved January 17, 2015
_____________________________________________________________________________________________
HIPAA IRB Form 4
(7/14 Revision)

APPLICATION FOR IRB WAIVER OF HIPAA PRIVACY AUTHORIZATION
To grant a waiver of the HIPAA Privacy Authorization requirement, the IRB must determine that
your project involves no more than minimal risk to the privacy of individual participants and
meets all of the criteria listed in the Privacy Rule.


Submit this form if you will access identifiable records (e.g., medical, research, billing
records) without written authorization
o To abstract identifiable information for research,
o To create a limited data set, or
o To de-identify data for use in research (unless the data sources are limited to
your own patients or research subjects). Data are identifiable unless fully deidentified according to the HIPAA standard (see page 3) and you can’t reidentify the data subjects.



Do not submit this form if you will access or receive de-identified data only, and will
have no ability to re-identify data subjects.



Do not submit this form if you are receiving or sending (but not creating) a limited data
set (use the Hopkins data use agreement instead).

PLEASE NOTE: If the IRB approves this application, approval does not include permission to
contact individuals whose records are reviewed. You may not use any information in the
requested records to recruit subjects without separate IRB approval of the recruitment plan
described in the eIRB application. Except as permitted in an IRB-approved recruitment plan,
PHI may not be presented, published, or otherwise disclosed to third parties under an approved
HIPAA waiver.
IRB Application Number (if available): IRB_00052743
Research Project Title: CEIRS: Human Influenza Surveillance of Health Care Centers in the
United States and Taiwan
Principal Investigator: Andrea Dugas, MD PhD
Department/School: Department of Emergency Medicine
A. Data collection points (check at least one):
_X_ Data collection form has been uploaded in the eIRB application (required for retrospective
chart reviews)
_X_ Minimum amount of data necessary to determine inclusion/exclusion criteria as defined in
the protocol
_X_ I plan to collect or access the following data:

Approved January 17, 2015
HIPAA IRB Form 4
(07/2014 Revision)

This HIPAA waiver is to identify potential study subjects. We will evaluate basic clinical
data (e.g. demographics, comorbidities, risk factors, and presenting symptoms), treatment
data (e.g. antibiotics or antivirals) and laboratory results (e.g. influenza tests).
B. Describe the source(s) of the information (e.g., EPR, records from previous study, pathology
archive) that you want to access:
We would evaluate the chart from the patient’s Emergency Department visit using EPIC,
including the medical record, pathology and laboratory results. Additionally, referring
physicians who identify potential patients for the study are a source of information.
C. Describe the plan to destroy the participant identifiers at the earliest opportunity consistent
with the conduct of research, unless retention is required for reasons of health, research, or
law. Please explain if the participant identifiers will be stored or retained and the length of
time they will be stored or retained:
If a patient declines to participate in the study, no PHI will ever be recorded. If a patient
agrees to participate, they will undergo a written consent process, and their PHI will be
handled as described in remainder of this application.

D. Explain why the research could not practicably be conducted without the waiver:
Collection of this data would not be practical without a waiver because patients will be
screened for inclusion and exclusion criteria before we obtain written consent.

E. Explain why the research could not practicably be conducted without access to and use of the
identifiers (PHI):
The initial data collected in the proposed research are necessary to determine study eligible
Emergency Department patients, i.e., to review who meets study inclusion and exclusion
criteria.
F. In applying for waiver of the HIPAA authorization requirement, you are assuring the IRB
that the identifiers you request will not be used for any other purpose or disclosed to any
other person or entity (apart from research team members listed in this application), except as
required by law, for authorized oversight of the research study, or for use in future IRBapproved research.

Page 2 of 4

Approved January 17, 2015
HIPAA IRB Form 4
(07/2014 Revision)

AGREEMENT:
By electronically submitting this form, you agree that you and your research team will comply
with Johns Hopkins HIPAA policies and the use and disclosure restrictions described above.
Specifically, you acknowledge and agree that you may share PHI obtained under a HIPAA
waiver only with IRB-approved members of your study team, and you assume responsibility for
all uses and disclosures of the PHI by members of your study team.
This application form does not replace the requirement to submit an application for Human
Subjects Research to the JHM IRBs for an individual research project.
Definitions of HIPAA Terms
De-identified Data:

To “de-identify” data under the Privacy Rule safe harbor, you must ensure the
following:
(1) Each of the data elements listed below is removed from the data; AND
(2) You do not know that any recipient of the data could re-identify a data
subject, using the information alone or in combination with other
publicly-available information.
Data elements that must be removed:


Names



Geographic subdivisions smaller than a state (including street, city
county, precinct), except first three digits of the zip code if, according to
current Bureau of Census data:
(1) The geographic unit formed by combining all ZIP codes with
the same three initial digits contains more than 20,000
people, and
(2) The initial three digits of ZIP code for all such geographic
units containing 20,000 or fewer people are changed to 000.



All elements of dates (except year) for dates directly related to an
individual, and all ages over 89 and elements of date (including year)
indicative of such age, except that ages and elements may be aggregated
into a single category of age 90 or older.



Telephone numbers;



Fax numbers;



E-mail addresses;



Social security numbers;



Medical record numbers;



Health plan beneficiary numbers;
Page 3 of 4

Approved January 17, 2015
HIPAA IRB Form 4
(07/2014 Revision)



Account numbers;



Certificate/license numbers;



Vehicle identifiers and serial numbers, including license plate numbers;



Device identifiers and serial numbers;



Web Universal Resource Locators (URLs);



Internet protocol address numbers;



Biometric identifiers, including voice and finger prints;



Full face photographic images and any comparable images;



Any other unique, identifying number characteristic, or code, except for
a unique code that meets the following criteria:
(1) Is not derived from any other code (e.g., MRN or SSN) and is
not used for any other purpose; and
(2) Persons using the data for research have no access to the code
key and the key is held by a source that is not part of the research
team. An investigator (or her study team members) may not
create the code for de-identified data that she will use in her own
research.

Page 4 of 4