Policies & Forms Directory

Request for Restrictions of Use and Disclosure of Protected Health Information Policy

POL-COM4827

The purpose of this policy is to describe the patient right to request a restriction of use and disclosure of protected health information (PHI). HIPAA permits a patient to request that the covered entity restrict uses or disclosures of protected health information (PHI) about the patient to carry out treatment, payment, or health care operations.

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University.

PUNet ID required to review

Form - Request for Restriction Not to Bill Health Plan or Insurance

Form - Request for Restrictions of Use and Disclosure of Protected Health Information

Nov. 1, 2017

Request to Amend Protected Health Information (PHI) Policy

POL-COM4828

The purpose of this policy is to describe a patient’s right to request an amendment of protected health information contained in the designated record set (DRS), and the process and timeline for replying to the request. HIPAA provides patients and their representatives certain rights. This policy describes a patient’s right to request an amendment of protected health information (PHI).

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University.

PUNet ID required to review

Form - Request to Amend PHI

Nov. 1, 2017

Information Technology Standard - HIPAA File Storage in Box - Policy

POL-COM4819

The purpose of this standard is to define approved methods for using box.com to ensure the integrity and confidentiality of protected health information (PHI) and other Pacific University confidential information while at rest and during transmission. This standard applies to all data that is considered Pacific University confidential information, including PHI, and is being stored in Box, regardless of its storage duration.

Business and instructional needs may require the storage of PHI in the box.com file storage and sharing service (Box). Box provides tools to ensure that PHI remains private and secure. This standard is designed to provide guidelines to Box users who are storing, sharing or accessing PHI in Box, to make best use of those tools to ensure the integrity, privacy and security of that information.

PUNet ID required to review

Feb. 9, 2016

Information Technology Standard - Encryption Policy

POL-COM4820

The purpose of this standard is to define approved methods for using encryption technology to ensure the integrity and confidentiality of electronic protected health information (ePHI) and other Pacific University confidential information while at rest and during transmission. This standard applies to all data that is considered Pacific University confidential information, including ePHI when it is at rest, being processed, or transmitted between information technology resources.

Data encryption technology and mechanisms exist to help ensure the confidentiality and integrity of data.  This standard is designed to help Pacific University’s UIS Department determine when it is necessary to utilize encryption, and what type and/or level of encryption to employ. Pacific University security standards for Encryption Technology are based upon industry standards, HIPAA, National Institute of Standards & Technologies (NIST) security guidelines, and existing Pacific University policies on Information Security.

PUNet ID required to review

 

Dec. 1, 2014

Information Technology Standard – Workstation Configuration Policy

POL-COM4821

This standard establishes a consistent set of minimum security measures required for computer workstations used within Pacific University. This standard also addresses standards for vendor and personally owned workstations when they are connected to Pacific University’s systems and networks.The elements of this standard include requirements for installation and configuration, access control, physical security, document storage, logging and monitoring, and change management. Pacific University security standards are based upon industry standards, HIPAA, National Institute of Standards & Technologies (NIST) security guidelines, and existing Pacific University policies on Information Security.

This standard applies to all Clinical workstation connected to the Pacific University network. All clinical workstations deployed run Windows and will be configured to policy requirements.

PUNet ID required to review

Nov. 14, 2018

HIPAA Privacy Sanctions Policy

POL-COM4815

The purpose of this Policy is to set forth Pacific University’s process for applying sanctions for violations of Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security policies. Pacific University has established a comprehensive HIPAA privacy and security program to prevent unauthorized access to protected health information (PHI). This policy sets forth Pacific's approach to applying consistent sanctions upon completion of investigations. 

This policy applies to the workforce members of Pacific University’s Healthcare Clinics. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care components of Pacific University.

PUNet ID required to review.

Pacific University Sanctions MATRIX

Mar. 12, 2019

Posthumous Degree Policy

POL-AA2002

The Posthumous Degree Policy articulates the criteria by which a posthumous degree can be awarded.

A PUNet ID is required to review this policy.

Jul. 10, 2018

Inactivation of Courses Policy

POL-AA2003

The Inactivation of Courses Policy allows for the inactivation of courses that have not been offered in four years. Each year in early spring as part of the catalog update process, the Registrar’s Office will forward to each academic unit courses from that unit that have not been offered in 4 years, for review for inactivation.  Certain courses that may be offered infrequently, such as New/Special Topics courses, Internships and Independent Studies, will be excluded from the list.  If the program does not request that a certain course be kept active, the course will be inactivated when the catalog information is updated. If it is desired at a later date to reactivate the course, the unit will inform its curriculum approval entity, and then notify the Registrar’s Office to reactivate.

PUNet ID required to review policy document.

Jul. 10, 2018

Deceased Student Records Policy

POL-REG3101

The Deceased Student Records Policy articulates when and how education records of a deceased student can be released.

PUNet ID required to review policy document.

 

Jul. 10, 2018

University Travel Policy

POL-BUS4301

In recognition of the important work that Pacific University employees conduct at conferences, presentations, site visits, development trips, and more, the University Travel Policy provides a way to ensure cost effectiveness and accountability while upholding Pacific University’s mission.

This policy has been created to govern spending on travel and expenses related directly to business travel for Pacific University, in compliance with IRS regulations. The University will reimburse individuals for reasonable, necessary, appropriate and approved travel and business expenses incurred in the performance of University business.

All employees must receive approval from their supervisor before traveling to conferences, workshops, and other off-campus events. Documentation showing this approval may differ for some areas and employees should consult their supervisor. If an area does not have a current system in place employees may utilize a Travel Authorization Form (TAF). For travel to other campuses, prior approval is not necessary.

Prior approval must be documented prior to arranging any travel. The University may not reimburse travel plans made without prior approval from the employee’s supervisor. A purchase order is not required for travel expenses.

In adherence with IRS guidelines, when the employee returns from their travel, they are required to submit a Travel Expense Report to the Business Office with the proper documentation and approval paperwork, within 30 days. The 30-day rule is necessary to allow for processing, and given the IRS may now consider later-filed reimbursements as taxable income to the employee and subject to income and withholding taxes, employees are asked to adhere to this deadline. However, fiscal year-end deadlines set by the Business Office may impact this 30-day requirement and forms may be required to be submitted in less than 30 days.

*Note - Policy document was updated on 2/1/19 to clarify procedures related to obtaining travel insurance.

Travel Authorization Form - June 2019

Travel Expense Report & Reconciliation Form - June 2019

Travel Insurance Information, updated 2/1/19  (for questions related to university insurance, contact the executive assistant to the VP of Finance)

PUNet ID required for review of documents.

Dec. 18, 2018

Individual Develpment Plan Policy

POL-OSSP3201

Grounded in the core theme of educating for student success, Individual Development Plans intend to guide graduate and postdoctoral students in their professional development and career planning.

Graduate students and post-doctoral researchers supported by funding from the National Institutes of Health (NIH) are required to develop Individual Development Plans (IDP). Required progress reports submitted to the NIH must include a copy of the University’s IDP policy, a description of whether the university uses IDPs, and how IDPs are used to assist in the career development of graduate students and postdoctoral researchers supported by NIH.  

Pacific University encourages graduate students and postdoctoral researchers to create and use IDPs to formulate academic and career goals and facilitate conversations with faculty advisors and mentors. All graduate students and postdoctoral researchers supported by NIH funding are required to have an IDP. The Office of Scholarship and Sponsored Projects offers graduate students, postdoctoral researchers, faculty advisors and mentors information on IDP resources, including templates and online resources.

PUNet ID required to review policy.

Dec. 18, 2018

Biomedical Device Policy and Procedure | UIS

POL-UIS4504

Pacific University utilizes a variety of IT equipment to support patient care and communicate with healthcare information systems including desktop computers, servers, laptops, and biomedical devices. Biomedical devices typically measure physiological characteristics of patients and in some cases may not use or look like a traditional computer, yet they may store electronic protected healthcare information (ePHI).

Policy addresses security of devices/equipment while in use by Pacific workforce. Details encryption and physical safety measures as well as removal of PHI from devices.

PUNID required to review policy.

Jan. 29, 2019

Data Integrity Policy | UIS

POL-UIS4505

Pacific University has adopted this Data Integrity Policy and Procedure to ensure the confidentiality, integrity, and availability of all Protected Data we create, receive, maintain, or transmit as required by federal or state regulatory requirements, including but not limited to FERPA, GLBA, HIPAA, PCI, and other regional or local applicable laws and requirements.

The policy establishes a standard to instruct and guide workforce members in the appropriate access, use, storage, and transmission of protected data. Policy requires audits of user access rights to protected data. The university will leverage appropriate security safeguards to support the integrity of Protected Data.

PUNID required to review policy.

Jan. 29, 2019

Facilities Access and Maintenance Control Policy and Procedures | UIS

POL-UIS4506

In support of the physical security safeguards described in NIST standards, Pacific University will implement policies and procedures to prevent unauthorized access to facilities and document the repairs and modifications to the physical components of a facility related to Protected Data security (for example, hardware, walls, doors and locks). This includes access to defined spaces as well as maintenance performed on equipment.

PUNID required to review policy.

Jan. 29, 2019

Information Security - Incident Security Response Policy and Procedures | UIS

POL-UIS4507

Information security related incidents impact Pacific University's (Pacific) security goals and may also harm its ability to conduct business. These incidents may be malicious in nature or accidental. Pacific has selected and implemented a set of safeguards, which are based on the result of risk assessments and information security standards. In the event of a security related incident, this policy addresses the methods for identifying, responding to and, when possible, preventing security incidents. The Incident Response Team includes the Information Security Officer, the Privacy Officer, the Director of Legal Affairs and may include other department directors as needed.

PUNID required to review this policy.

 

Jan. 29, 2019

Information Security Sanctions Policy | UIS

POL - UIS4508

This policy sets forth Pacific's approach to applying sanctions upon completion of investigations regarding misuse of Protected Data. Attempting to obtain or use, actually obtaining or using, or assisting others to obtain or use Protected Data, when unauthorized or improper, will result in counseling and/or disciplinary action up to and including termination.

Pacific University has adopted this Information Security Sanctions Policy to ensure the confidentiality, integrity, and availability of all Protected Data we create, receive, maintain, or transmit as required by federal or state regulatory requirements, and other regional or local applicable laws and requirements.

Supplemental Document: FRM-UIS4508-1 Pacific University Sanctions Matrix

PUNID required to review this policy.

Jan. 29, 2019

Information Systems Activity Review and Audit Policy and Procedures | UIS

POL-UIS4509

The goal of Information Systems Activity Review is to prevent, detect, contain, and correct security violations and threats to Protected Data such as unauthorized access to the information systems, suspicious data use, or tampering.

Designated workforce members in each college, school or department will review any unauthorized access to the information systems, suspicious data use or tampering. They will take appropriate action regarding potential system vulnerabilities, improve safeguards as needed, and work with the Pacific University Privacy Officer and/or the Information Security Officer on appropriate action items.

PUNID required to review policy.

Implementation Guidance Worksheet:
AA Legal Policies FRM-UIS4509-1 Healthcare System Activity Review and Audit Template 04-19

Jan. 29, 2019

Information Systems Access Control and Management Policy and Procedures | UIS

POL-UIS4510

Appropriate management of access to Protected Data is an important aspect of Pacific University's information security strategy. The policy outlines requirements and process for granting members of the workforce appropriate levels of access to electronic Protected Date based on study or work-related duties and responsibilities. Policy also outlines the documented process for granting authorization and access to Protected Data.

PUNID required to review policy.

Jan. 29, 2019

Mobile Device Policy | UIS

POL-UIS4511

Workforce members of Pacific University are generally not issued smart phones or similar mobile devices, which have the ability to connect to the Pacific network and download data. To support mobile access for the workforce, Pacific has adopted a "bring your own device" (BYOD) approach, which permits workforce members to utilize personally owned devices to access Pacific email, calendar, contacts and other resources. This policy applies to both personally owned devices and Pacific-owned devices.

The use of personally owned mobile devices to access Pacific data remotely might inevitably lead to users storing Pacific data on their personally owned devices. While Pacific determines the financial and technical feasibility of implementing technical controls and mobile device security enhancements, the university has adopted the measures described in this policy to safeguard university Protected Data.

PUNID required to review policy.

Jan. 29, 2019

Remote Access Policy | UIS

POL-UIS4513

This policy applies universally to all remote access, regardless of ownership of the equipment used to perform the remote access. Pacific University determines the financial and technical feasibility of implementing technical controls and remote workstation security enhancements. This policy sets the standards for assigning remote access and user responsibilities to protect data. Pacific University’s Information Security Officer or designee shall confirm all Protected Data in motion over a public network is encrypted according to current technology standards.  

PUNID required to review policy.

Jan. 29, 2019

Pages