HIPAA

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

 

HIPAA 

HIPAA regulations are applicable to anyone at Rowan University, depending upon their job responsibilities, which include having direct or indirect access to patients or their health information. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains provisions to protect the confidentiality and security of personally-identifiable information that arises in the course of providing health care. Faculty, staff, students and residents must complete the HIPAA basic training and HIPAA and Medical Research training if their study involves access to patients and health information with or without the use of identifiers.
 

HIPAA and Medical Research

Health Insurance Portability and Accountability Act (HIPAA) Data / Protected Health Information (PHI)

If your research will access and/or use patient HIPAA/PHI data, whether it is from a RowanMedicine clinical practice or external, non-Rowan entity, in a prospective or retrospective chart review IRB study, then HIPAA training must be completed and certficates attached for each researcher in the IRB submission.
 

HIPAA Training Requirements Guidance – Rowan University

This page outlines HIPAA training requirements for individuals involved in human subjects research at Rowan University. It includes guidance for Rowan-affiliated researchers, external collaborators, and affiliated health entities, and reflects recent updates due to the Virtua Health affiliation.
 
If your research will access and/or use patient HIPAA/PHI data, whether it is from a RowanMedicine clinical practice or external, non-Rowan entity, in a prospective or retrospective chart review IRB study, then HIPAA training must be completed and certificates attached for each researcher in the IRB submission.

Rowan University Office of Compliance & Corporate Integrity (OCCI) is the office responsible for oversight related to the access and use of RowanMedicine HIPAA/PHI data and information. Any HIPAA/PHI data that will be used for research purposes and coming from a non-Rowan, external institution may require a Data Use Agreement. Access, use, storage and disposal of HIPAA/PHI data governed by a Data Use Agreement between Rowan and the non-Rowan, external institution must be incorporated into the IRB protocol and submission.
 

Who Needs HIPAA Training?

HIPAA/PHI training is required for researchers listed on Rowan IRB submissions who:
  • Interact with patients for research purposes (e.g., consent, intervention, manipulation of environment)
  • Access or use Protected Health Information (PHI)
  • Analyze identifiable data
  • Perform IRB-approved procedures
Note: Individuals involved only in recruitment (e.g., distributing flyers without engaging in consent or accessing PHI) may not require training.
 

Training Requirements Summary

Role Required Modules Platform Frequency
Students
HIPAA 101
HIPAA Research
KnowBe4 HIPAA 101: AnnualHIPAA Research: Every 3 years
Employees (Faculty, Staff, PIs) HIPAA 109 HealthStream HIPAA 109: Every 3 years
Affiliates (Students, Faculty, PIs)
HIPAA 101
HIPAA Research
KnowBe4
HIPAA 101: Annual
HIPAA Research: Every 3 years
Advance Users (e.g., researcher with high-level PHI access)
HIPAA 109
HIPAA 113
OCCI 103
HealthStream
HIPAA 109: Every 3 years
HIPAA 113: Annual
OCCI 103: Every 2 years
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Module Descriptions

Faculty and Staff Training

Faculty and staff complete HIPAA training (113 and 109) via Rowan University Office of Compliance & Corporate Integrity Training Portal and more information can be found about how to gain access to and complete HIPAA training via the link below. HIPAA training should cover the following topics:
  1. HIPAA Research
  2. Law Enforcement Uses and Disclosures
  3. Patient Rights
  4. Privacy Rule
  5. Security Rule
  6. Violations and Penalties
Note: HIPAA 113 training is composed of five (5) separate modules, titled as in Rowan OCCI's online learning platform, HealthStream:
  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Patient Rights
  • HIPAA Violations and Penalties
  • HIPAA Law Enforcement Uses and Disclosures
HIPAA Research (109) focuses on HIPAA regulations specific to research.
HIPAA 113 is a comprehensive training for faculty/staff covering privacy, security, patient rights, and law enforcement disclosures.

In addition to HIPAA 113 and 109, faculty and staff who require enhanced access to PHI or are involved in complex data handling scenarios may be assigned OCCI 103 – HIPAA Privacy & Security Compliance Training. This advanced course covers:
  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • Safeguards for PHI
  • Breach notification requirements
  • Data handling and protection protocols
OCCI 103 is typically assigned to advanced users and is available through the HealthStream platform. It supplements the standard HIPAA training and ensures comprehensive understanding of privacy and security compliance.

Note: HIPAA 101 ≈ HIPAA 113 (different platforms)
HIPAA Research ≈ HIPAA 109 (different platforms)
 

Student Training

Student HIPAA 101 and 109 training can be completed via KnowBe4. For student training, the Rowan faculty Principal Investigator (PI) or designee of PI must submit a list of students that will be identified as research personnel in an IRB submission and submit a request to Rowan IRT Support. HIPAA training (101 and 109) will be assigned to student(s).
 

Requesting Access to HIPAA Training Modules

To request access to HIPAA training modules, including HIPAA 109, HIPAA 113, and OCCI 103 on HealthStream, or HIPAA 101 and HIPAA Research (109) on KnowBe4, please contact:
 
Kathy Alburger, Compliance Manager
Phone: (856) 566-6299
Email: alburgka@rowan.edu
 
When contacting Kathy, please include the following information:
  • Rowan NetID username
  • Banner ID number
  • Rowan email address
  • Contact phone number
 

External Collaborators & Affiliated Entities

  • External (non-Rowan) collaborators may submit their institution’s HIPAA/PHI training certificate
  • If their institution does not offer training, Rowan’s HIPAA/PHI training may be used. Researchers will need to contact the Rowan Office of Compliance and Corporate Integrity (OCCI)
  • Rowan HIPAA/PHI training is required for access to RowanSOM patient charts prior to June 6, 2023
  • Affiliated entities (Virtua, Cooper, Inspira): Rowan IRB accepts their HIPAA/PHI training for researchers listed on submissions
 

Important Notes

  • Before releasing such data, Rowan-VirtuaSOM requires Rowan HIPAA/PHI training
  • Researchers must clearly identify their roles in IRB submissions (e.g., recruitment, consent, intervention, data analysis)
 

Links for information and access to training applications