The assigning of office space and furnishings for academic personnel is a function of the dean of the appropriate college or school in consultation with the Vice President for Finance and Administration.

Office space and furnishings for non-academic administrators and staff are assigned by the appropriate department head in consultation with the Vice President for Finance and administration.

Human Resources maintains the official personnel files for all current and past employees to document benefits and employment related decisions and comply with federal and state recordkeeping requirements.

Supervisors are discouraged from keeping informal files on employees. But supervisors may temporarily maintain records concerning ongoing employee performance. These records will be considered personnel records if they fall within the definition of “personnel records” as defined by ORS 652.750. Supervisors must follow all personnel record retention and confidentiality requirements and must transmit any personnel records to Human Resources in a timely manner and upon request by Human Resources.

Employees have a right to access their personnel records. An employee who wishes to review their personnel file should contact Human Resources to schedule a mutually convenient time when the file can be reviewed at the University. The personnel file cannot be removed from the Human Resources Department. In addition to reviewing their personnel records at the University or in lieu of that, employees may request hard or electronic copies of their personnel records. In accordance with Oregon law, a reasonable charge will be made for hard copies requested by employees.

To ensure the confidentiality of personnel information, access to an employee’s personnel file is limited to the employee, an employee’s authorized representative, and authorized administrators and supervisors.

Pacific University will verify employment and respond to reference requests regarding current and former faculty and staff to outside organizations who request such information for credit or employment purposes.

The purpose of this policy is to provide practical steps that workforce members can take to achieve the general limitations on the use and disclosure of protected health information (PHI) as required by the Health Insurance Portability and Accountability Act, HIPAA. 

The following guidelines are in accordance with the final Security Rule and consistent with the HIPAA privacy requirement to safeguard protected health information (PHI).  See 45 CFR § 164.530(c).  Use of these guidelines will improve the security of protected health information, and will also increase workforce awareness of the importance of keeping protected health information private.

Pacific University will use reasonable administrative, physical, and technical safeguards to protect the privacy of protected health information and limit incidental uses or disclosures of protected health information. All members of the Pacific University workforce will follow these guidelines in handling protected health information (PHI) in order to protect the privacy of protected health information and limit incidental uses and disclosures.

PUNet ID Required to review
Updated May 2023

Confidentiality Statement for Fax with PHI Template (Updated April 2023)

The purpose of this policy is to establish a standard for training for all new and existing members of the Pacific University Healthcare Clinic workforce. This policy will cover initial, as well as periodic re-training standards. All workforce members of Pacific University receive training on current Federal, State and other applicable healthcare regulations. 

The scope of this policy is all workforce members of Pacific University’s Healthcare Clinics. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University Healthcare Clinics” shall be construed to refer only to the health care component of Pacific University.

PUNet ID Required to review
Updated August 2023

The purpose of this policy is to set forth Pacific University’s process for addressing potential breaches of unsecured protected health information from incident discovery to investigation / risk assessment and potential notification. Pacific University has established a comprehensive HIPAA privacy and security program to prevent unauthorized access to protected health information (PHI). This policy sets forth Pacific's approach to investigating and responding to incidents that may involve unauthorized use or disclosure of PHI. 

It is the policy of Pacific University to be prepared for, to prevent and to respond to information security incidents. Once a security incident is suspected and reported to the privacy officer, he/she will analyze the available information in order to determine if the security incident constitutes a data breach as defined by the HIPAA Omnibus Rule. If it is determined that a breach has occurred, procedures to mitigate the harmful effects of the incidents including containing and eradicating the incident, will be put into place. Security incidents and their outcomes will be documented and stored electronically in a secure location.

PUNet ID Required to review
Updated March 2023

The HIPAA rules generally require that covered entities enter into contracts with their business associates to ensure that each party will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.  A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law.

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University.

Business associate agreements must be in writing and must include terms authorized and approved by the Privacy Office and Legal Affairs, in order to maintain compliance with federal and state privacy regulations. When Pacific University enter into agreements with outside vendors involving the vendor’s access or exposure to information considered to be protected health information (PHI), pursuant to the Health Information Privacy and Portability Act (HIPAA), a BAA is required. 

PUNet ID Required to review.

Updated June 2022.

Supplemental Documents:

Business Associate Decision Tree
Business Associate FAQ
Business Associates Procedure Outline
Business Associate Agreement Template

The purpose of this policy is to describe the policy and procedure for requesting and approving access for authorizing short-term access to patient care areas or to view patient care.

Pacific University has established a comprehensive HIPAA privacy and security program to prevent unauthorized access to protected health information (PHI). This policy sets forth Pacific's approach for any person, invited or otherwise authorized to enter Pacific University patient-care areas or to view patient care in any Pacific University Healthcare clinical location, who is not formally associated with the Pacific University Healthcare clinical workforce.

Any person, invited or otherwise authorized to enter Pacific University Healthcare Clinic patient-care areas or to view patient care in any Pacific University Healthcare clinical location, who is not formally associated with the Pacific University Healthcare clinical workforce, must be accounted for, either by a formal registration process, or a more informal approval process for short-term access to patient care areas. Such visitors must be accompanied and/or supervised by a Pacific University representative from the patient care area or location at all times. The Pacific University Healthcare Clinic representative is responsible for the actions of the visitor, including any direct or indirect access to protected health information (PHI).

PUNet ID Required to review.

Updated February 2023.

Form - Request to Observe Patient Care

Form - Request to Volunteer

Form - Pacific University Healthcare Clinic HIPAA Information Guide

Required document for providing a Job Shadow opportunity as a learning experience to a minor student. Form must be signed.

Updated 3-8-2022

PUNet ID required to review

The purpose of this policy is to establish Pacific University's compliance with federal HIPAA regulations 45 CFR §§ 164.502(b) and 164.514(d), which require covered entities to make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary. Information systems, including electronic health records contain more protected health information (PHI) than may be needed for a given purpose or disclosure. This policy governs the use and disclosure of PHI so that only the minimum amount of PHI is used when needed.

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University.

PUNet ID required to review
Updated April 2023

In accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pacific University patients may complain about how Pacific University uses and discloses their Protected Health Information (PHI). All patient complaints will be submitted to the HIPAA Privacy Officer for investigation and resolution. (See the policy document for procedures on submitting a complaint.)

Pacific University has established a comprehensive HIPAA privacy and security program to prevent unauthorized access to protected health information (PHI). This policy sets forth Pacific's approach to investigating and responding to patient complaints about privacy practices. This policy applies to the workforce members of Pacific University’s Healthcare Clinics.  Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care components of Pacific University.

Updated August 2023

The purpose of this policy is to describe the patient right to request a restriction of use and disclosure of protected health information (PHI). HIPAA permits a patient to request that the covered entity restrict uses or disclosures of protected health information (PHI) about the patient to carry out treatment, payment, or health care operations.

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University.

PUNet ID required to review
Updated March 2023

Form - Request for Restriction Not to Bill Health Plan or Insurance (Updated August 2023)

Form - Request for Restrictions of Use and Disclosure of Protected Health Information (Updated September 2023)

The purpose of this policy is to describe a patient’s right to request an amendment of protected health information contained in the designated record set (DRS), and the process and timeline for replying to the request. HIPAA provides patients and their representatives certain rights. This policy describes a patient’s right to request an amendment of protected health information (PHI).

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University.

PUNet ID required to review
Updated August 2023

Form - Request to Amend PHI (Updated August 2023)

The purpose of this standard is to define approved methods for using box.com to ensure the integrity and confidentiality of protected health information (PHI) and other Pacific University confidential information while at rest and during transmission. This standard applies to all data that is considered Pacific University confidential information, including PHI, and is being stored in Box, regardless of its storage duration.

Business and instructional needs may require the storage of PHI in the box.com file storage and sharing service (Box). Box provides tools to ensure that PHI remains private and secure. This standard is designed to provide guidelines to Box users who are storing, sharing or accessing PHI in Box, to make best use of those tools to ensure the integrity, privacy and security of that information.

PUNet ID required to review
Updated September 2023

The purpose of this standard is to define approved methods for using encryption technology to ensure the integrity and confidentiality of electronic protected health information (ePHI) and other Pacific University confidential information while at rest and during transmission. This standard applies to all data that is considered Pacific University confidential information, including ePHI when it is at rest, being processed, or transmitted between information technology resources.

Data encryption technology and mechanisms exist to help ensure the confidentiality and integrity of data.  This standard is designed to help Pacific University’s UIS Department determine when it is necessary to utilize encryption, and what type and/or level of encryption to employ. Pacific University security standards for Encryption Technology are based upon industry standards, HIPAA, National Institute of Standards & Technologies (NIST) security guidelines, and existing Pacific University policies on Information Security.

PUNet ID required to review

Revised 2/8/2022

This standard establishes a consistent set of minimum security measures required for computer workstations used within Pacific University. This standard also addresses standards for vendor and personally owned workstations when they are connected to Pacific University’s systems and networks.The elements of this standard include requirements for installation and configuration, access control, physical security, document storage, logging and monitoring, and change management. Pacific University security standards are based upon industry standards, HIPAA, National Institute of Standards & Technologies (NIST) security guidelines, and existing Pacific University policies on Information Security.

This standard applies to all Clinical workstation connected to the Pacific University network. All clinical workstations deployed run Windows and will be configured to policy requirements.

Updated 3-08-2022

PUNet ID required to review

The purpose of this Policy is to set forth Pacific University’s process for applying sanctions for violations of Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security policies. Pacific University has established a comprehensive HIPAA privacy and security program to prevent unauthorized access to protected health information (PHI). This policy sets forth Pacific's approach to applying consistent sanctions upon completion of investigations. 

This policy applies to the workforce members of Pacific University’s Healthcare Clinics. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care components of Pacific University.

PUNet ID required to review.
Updated March 2023

Pacific University Sanctions MATRIX

The Posthumous Degree Policy articulates the criteria by which a posthumous degree can be awarded.

A PUNet ID is required to review this policy.