Check with your divisional IRB office if you are unsure what you can share and review applicable government policies and guidance on protecting PHI.

Divisional JHU IRBs

• Johns Hopkins Medicine Institutional Review Board
• Homewood IRB: for Krieger School of Arts and Sciences, Whiting School of Engineering, School of Education, Carey Business School, Nitze School of Advanced International Studies, and Peabody Institute.
• School of Public Health IRB

Policies on Human Participants and Data Sharing

• HIPAA for Professionals by US Health and Human Services: U.S. Department of Health and Human Services  provides information regarding patient privacy, de-identification methods, security, etc., for people who work with data containing Protected Health Information/Personal Identifiable Information. If you plan to work with PHI/PII data, their Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule defines 18 personal identifiers and acceptable methods to de-identify patient information.  

• FERPA policies resource site from Dept. of Education regarding sharing and accessing student data for educational research

• CITI Training on Human Subjects Research: Core training in human subjects research and includes the historical development of human subject protections, ethical issues, and current regulatory and guidance information. 

• HHS Policy for the Protection of Human Subjects ('Common Rule'): This policy regulates the protection of human subjects in research by providing a robust set of protections for research subjects.

• JHM Data Trust: The Johns Hopkins Medicine Data Trust Council has been established to provide JHM researchers with the technical infrastructure, standards, policies and procedures, and organization needed to bring together patient and member-related data from across the health system to support our mission. The goals of the Data Trust are to: Ensure security and privacy of our patients’ data, consolidate teams to address organizational priorities and reduce redundancy, and increase the value of data through better integration and analytics.

  • Accessing data from JH Medicine clinical enterprise systems such as EPIC or PMAP requires approval from the Data Trust Reseach Subcouncil, following their procedures for requesting data. 
  • Sharing JH Medicine Data (patient- or member-related data stored in clinical enterprise systems) with researchers outside of JHM (including other JHU divisions such as School of Public Health, and Krieger Arts & Sciences), or data repositories such as Johns Hopkins Research Data Repository, may require Data Trust review, including IRB-approved protocols for data sharing and data de-identification if needed. More information.

With researchers increasingly encouraged or required to share their data, preparing to share datasets with confidential identifiers of people and organizations is particularly challenging.

JHU Data Services Resources

Protecting Human Subject Identifiers Guide: A very comprehensive guide that will introduce you to concepts and basic techniques for disclosure analysis and protection of personal and health identifiers in research data for public or restricted access, following applicable JHU data governance policies.

Webinars: Go to our calendar to find the next live webinar about of common privacy disclosure risks from personal and health identifiers in data and techniques for de-identifying data for external collaborators and public databases. We also discuss preparing consent forms that facilitate data sharing, and keeping identifier data secure during and after projects.

Interactive, online training: JHU Data Services has developed an online training to be taken at your convenience. It provides an overview of the types of identifiers, and how to determine if your data have disclosure risk. You will also learn about available JHU resources to help you with de-identifying data. 

Applications to Assist in De-identification of Human Subjects Research Data: A list of de-identification software tools and applications that researchers can use in de-identifying their research data for more public sharing.

Additional Resources

NIH: Protecting Privacy When Sharing Human Research Participant Data: This supplemental information was created to assisting researchers in addressing privacy considerations when sharing human research participant data. It provides a set of principles, best practices, and points to consider for creating a robust framework for protecting the privacy of research participants when sharing data.

NIST de-identification tools: National Institute of Standards and Technology has compiled a list of de-identification tools and also descriptions of each of the tools.

Cancer Image Archive: https://wiki.cancerimagingarchive.net/display/Public/Submission+and+De-identification+Overview

National Library of Medicine Scrubber: a freely available clinical text deidentification tool designed and developed at the National Library of Medicine.  Watch this presentation to learn more. 

Research participant consent forms should detail specifically what data will be shared and how broadly it will be shared, such as by restricted access or in a public data repository. Funders and Institutional Review Boards may offer sample consent language to facilitate ethical compliance with data sharing requirements. Consent should indicate whether shared data are de-identified and any information Participants should know whether the data are de-identified, and consent to any specific data that could reveal their identity, such as audio recordings of their voice.  The researcher must ensure that the language aligns with the planned sharing of data.

• Homewood IRB – Investigators: Contains guidance and other resources for investigators using the Homewood IRB. 
  • HIRB Consent Form Checklist: Use this checklist to make sure that you include all elements in a consent form
• Johns Hopkins Medicine Institutional Review Board Forms: Contains links to protocol and consent forms that help researchers plan for data sharing. 
• School of Public Health IRB Guidance Contains links to education, guidance and forms for consent and special research topics related to ethics and compliance.
• Clinical Sequencing Evidence-Generating Research (CSER) consortium research materials, including example consent forms for participants): 
• NIH Office of Science Policy: Informed Consent for Secondary Research with Data and Biospecimens.

Many indigenous and tribal communities in the U.S. and in other countries have preferred guidelines and ethical considerations for conducting research and sharing data. Here are guidance resources and selected publications: 

• National Congress of the American Indians (NCAI) Policy Research Center  Provides resources to facilitate ethical research involving tribal communities in the United States
• Webinar Follow-up: Data Sharing in Research with American Indians and Alaska Natives: Informed Practices, Considerations, and Case Studies
• Collecting and Analyzing Tribal Data: 2010 National Institute of Justice
• Research Regulation in American Indian/Alaska Native Communities: Policy and Practice Considerations (PDF) 
• How to Conduct Research in American Indian/ Alaska Native Communities (PDF). The Partnership for Native American Cancer Prevention 
• Carroll, Stephanie Russo, Desi Rodriguez-Lonebear, and Andrew Martinez. 2019. “Indigenous Data Governance: Strategies from United States Native Nations.” Data Science Journal 18 (1): 31. https://doi.org/10.5334/dsj-2019-031.
• Harding, Anna, Barbara Harper, Dave Stone, ’Neill Catherine O, Patricia Berger, Stuart Harris, and Jamie Donatuto. 2012. “Conducting Research with Tribal Communities: Sovereignty, Ethics, and Data-Sharing Issues.” Environmental Health Perspectives 120 (1): 6–10. https://doi.org/10.1289/ehp.1103904.