HIPAA Incident Reporting and Breach Notification Policy and Procedure

POL-COM4814

The purpose of this policy is to set forth Pacific University’s process for addressing potential breaches of unsecured protected health information from incident discovery to investigation / risk assessment and potential notification. Pacific University has established a comprehensive HIPAA privacy and security program to prevent unauthorized access to protected health information (PHI). This policy sets forth Pacific's approach to investigating and responding to incidents that may involve unauthorized use or disclosure of PHI. 

It is the policy of Pacific University to be prepared for, to prevent and to respond to information security incidents. Once a security incident is suspected and reported to the privacy officer, he/she will analyze the available information in order to determine if the security incident constitutes a data breach as defined by the HIPAA Omnibus Rule. If it is determined that a breach has occurred, procedures to mitigate the harmful effects of the incident, including containing and eradicating the incident, will be put into place. Security incidents and their outcomes will be documented and stored electronically in a secure location.

PUNet ID Required to review
Updated March 2023

Tuesday, Nov. 6, 2018

HIPAA Privacy Sanctions Policy

POL-COM4815

The purpose of this Policy is to set forth Pacific University’s process for applying sanctions for violations of Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security policies. Pacific University has established a comprehensive HIPAA privacy and security program to prevent unauthorized access to protected health information (PHI). This policy sets forth Pacific's approach to applying consistent sanctions upon completion of investigations. 

This policy applies to the workforce members of Pacific University’s Healthcare Clinics. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care components of Pacific University.

PUNet ID required to review.
Updated March 2023

Pacific University Sanctions MATRIX

Tuesday, March 12, 2019

Identification Cards

POL - U1025

Identification (ID) cards (Boxer Cards) are issued to Pacific University employees. An ID card may be required for admission to or participation in University programs.

The University ID card also serves as a library card. ID cards are issued by Campus Public Safety.

Friday, June 1, 2018

Identity Theft Prevention Policy and Red Flag Guidelines

POL-BOT1301

Pacific University developed this Identity Theft Prevention Policy pursuant to the Federal Trade Commission’s Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions (FACT) Act of 2003. The purpose is to establish an Identity Theft Prevention Policy designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the policy.

This protection policy applies to students, employees, board members, contractors, consultants, temporary workers, and other workers at the University, and to service providers, including all personnel affiliated with third parties.

Pacific University shall include policies and procedures to:

  1. Identify relevant red flags to ensure the detection of possible risk of identity theft to customers and incorporate those red flags into the policy;
  2. Detect red flags that have been incorporated into the policy;
  3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  4. Ensure the policy is updated periodically to reflect changes in risks to customers and to the safety and soundness of the creditor from identity theft.

The Vice President of Finance and Administration is responsible for the development, implementation and oversight of the policy. This includes ongoing staff training and oversight of service provider arrangements to ensure compliance.

PUNID required to see full policy document. 

Wednesday, Feb. 12, 2020

Immigration Certification I-9

POL - U1015

All employees hired by the University must present documentation establishing their identity and employment authorization in accordance with the immigration laws of the United States prior to hire and upon request of the University at any time after hire.

 

Friday, June 1, 2018

In-Library Computer/Internet Acceptable Use Policy

POL-LIB2603

The Pacific University Libraries seek to advance critical inquiry, collaborative learning, and knowledge creation through dynamic services, spaces, and collections. The Libraries’ enactment of this mission is guided by our core values, which prioritize providing opportunities to engage with diverse ideas, providing services that contribute to equitable access to information, and the use of inclusive approaches to delivering services.

Aligned with this mission and these values, the Libraries provide information technology resources — desktop and laptop computers configured to allow unfiltered access to subscribed and open Internet information resources — that are available both to Pacific University students, staff, and faculty and to external community patrons for use in Libraries facilities. The primary intended purpose of these resources is to support the teaching, learning, research, service, and administrative activities of the Pacific community; a secondary purpose is to support the personal information technology/resource needs of the Pacific community and the academic and personal needs of external community members.

Access to these information technology resources and to subscribed and open Internet resources is provided in compliance with the American Library Association’s (ALA) Library Bill of Rights and the ALA Access to Digital Resources and Services: An Interpretation of the Library Bill of Rights statement.

This Computer/Internet Use Policy is intended to elaborate on and extend the Pacific University Appropriate Use Policy for Information Technology policy; library computer users should refer to that policy as the primary source of parameters, rights, and restrictions on the use of information technology in Libraries facilities.

Tuesday, July 12, 2022

Inactivation of Courses Policy

POL-AA2003

The Inactivation of Courses Policy allows for the inactivation of courses that have not been offered in four years. Each year in early spring as part of the catalog update process, the Registrar’s Office will forward to each academic unit courses from that unit that have not been offered in 4 years, for review for inactivation.  Certain courses that may be offered infrequently, such as New/Special Topics courses, Internships and Independent Studies, will be excluded from the list.  If the program does not request that a certain course be kept active, the course will be inactivated when the catalog information is updated. If it is desired at a later date to reactivate the course, the unit will inform its curriculum approval entity, and then notify the Registrar’s Office to reactivate.

PUNet ID required to review policy document.

Tuesday, July 10, 2018

Individual Development Plan Policy

POL-OSSP3201

Grounded in the core theme of educating for student success, Individual Development Plans intend to guide graduate and postdoctoral students in their professional development and career planning.

Graduate students and post-doctoral researchers supported by funding from the National Institutes of Health (NIH) are required to develop Individual Development Plans (IDP). Required progress reports submitted to the NIH must include a copy of the University’s IDP policy, a description of whether the university uses IDPs, and how IDPs are used to assist in the career development of graduate students and postdoctoral researchers supported by NIH.  

Pacific University encourages graduate students and postdoctoral researchers to create and use IDPs to formulate academic and career goals and facilitate conversations with faculty advisors and mentors. All graduate students and postdoctoral researchers supported by NIH funding are required to have an IDP. The Office of Scholarship and Sponsored Projects offers graduate students, postdoctoral researchers, faculty advisors and mentors information on IDP resources, including templates and online resources.

PUNet ID required to review policy.

Tuesday, Dec. 18, 2018

Information Security - Incident Security Response Policy and Procedures | UIS

POL-UIS4507

Information security related incidents impact Pacific University's (Pacific) security goals and may also harm its ability to conduct business. These incidents may be malicious in nature or accidental. Pacific has selected and implemented a set of safeguards, which are based on the result of risk assessments and information security standards. In the event of a security related incident, this policy addresses the methods for identifying, responding to and, when possible, preventing security incidents. The Incident Response Team includes the Information Security Officer, the Privacy Officer, the Director of Legal Affairs and may include other department directors as needed.

PUNID required to review this policy.

 

Tuesday, Jan. 29, 2019

Information Security Sanctions Policy | UIS

POL - UIS4508

This policy sets forth Pacific's approach to applying sanctions upon completion of investigations regarding misuse of Protected Data. Attempting to obtain or use, actually obtaining or using, or assisting others to obtain or use Protected Data, when unauthorized or improper, will result in counseling and/or disciplinary action up to and including termination.

Pacific University has adopted this Information Security Sanctions Policy to ensure the confidentiality, integrity, and availability of all Protected Data we create, receive, maintain, or transmit as required by federal or state regulatory requirements, and other regional or local applicable laws and requirements.

Supplemental Document: FRM-UIS4508-1 Pacific University Sanctions Matrix

PUNID required to review this policy.

Tuesday, Jan. 29, 2019

Information Systems Access Control and Management

POL-COM4817

Appropriate management of access to protected health information is an important aspect of Pacific University's information security strategy.  Pacific University has adopted this Access Control Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”).

The purpose of this policy is to establish a standard for HIPAA access control activities related to the Pacific University HIPAA Program.  Pacific is committed to take reasonable and appropriate steps to ensure that workforce members have the appropriate authorization to access ePHI.  This policy will cover initial, as well as periodic access control activities. 

PUNID required to review policy.

Friday, May 1, 2015

Information Systems Access Control and Management Policy and Procedures | UIS

POL-UIS4510

Appropriate management of access to Protected Data is an important aspect of Pacific University's information security strategy. The policy outlines the requirements and process for granting members of the workforce appropriate levels of access to electronic Protected Data based on study or work-related duties and responsibilities. The policy also outlines the documented process for granting authorization and access to Protected Data.

PUNID required to review policy.

Tuesday, Jan. 29, 2019

Information Systems Activity Review and Audit Policy

POL-COM4818

Most information systems, including electronic health records that contain ePHI, have the ability to create log files, which describe the activity occurring to or within the system. A timely review of system activity can give insight into potential issues that may negatively impact the security of protected health information.

The purpose of this policy is to establish Pacific University's compliance with federal HIPAA regulations including standard practices for reviewing system activity within information systems. These types of reviews may include the activity and access logs of Pacific University medical record systems which store ePHI.

PUNID required to review policy.

Tuesday, Nov. 25, 2014

Information Systems Activity Review and Audit Policy and Procedures | UIS

POL-UIS4509

The goal of Information Systems Activity Review is to prevent, detect, contain, and correct security violations and threats to Protected Data such as unauthorized access to the information systems, suspicious data use, or tampering.

Designated workforce members in each college, school or department will review any unauthorized access to the information systems, suspicious data use or tampering. They will take appropriate action regarding potential system vulnerabilities, improve safeguards as needed, and work with the Pacific University Privacy Officer and/or the Information Security Officer on appropriate action items.

PUNID required to review policy.

Implementation Guidance Worksheet:
AA Legal Policies FRM-UIS4509-1 Healthcare System Activity Review and Audit Template 04-19

Tuesday, Jan. 29, 2019

Information Technology Standard - Encryption Policy

POL-COM4820

The purpose of this standard is to define approved methods for using encryption technology to ensure the integrity and confidentiality of electronic protected health information (ePHI) and other Pacific University confidential information while at rest and during transmission. This standard applies to all data that is considered Pacific University confidential information, including ePHI when it is at rest, being processed, or transmitted between information technology resources.

Data encryption technology and mechanisms exist to help ensure the confidentiality and integrity of data. This standard is designed to help Pacific University’s UIS Department determine when it is necessary to utilize encryption, and what type and/or level of encryption to employ. Pacific University security standards for Encryption Technology are based upon industry standards, HIPAA, National Institute of Standards and Technology (NIST) security guidelines, and existing Pacific University policies on Information Security.

PUNet ID required to review

Revised 2/8/2022

Monday, Dec. 1, 2014

Information Technology Standard - HIPAA File Storage in Box - Policy

POL-COM4819

The purpose of this standard is to define approved methods for using box.com to ensure the integrity and confidentiality of protected health information (PHI) and other Pacific University confidential information while at rest and during transmission. This standard applies to all data that is considered Pacific University confidential information, including PHI, and is being stored in Box, regardless of its storage duration.

Business and instructional needs may require the storage of PHI in the box.com file storage and sharing service (Box). Box provides tools to ensure that PHI remains private and secure. This standard is designed to provide guidelines to Box users who are storing, sharing or accessing PHI in Box, to make best use of those tools to ensure the integrity, privacy and security of that information.

PUNet ID required to review
Updated September 2023

Tuesday, Feb. 9, 2016

Information Technology Standard – Workstation Configuration Policy

POL-COM4821

This standard establishes a consistent set of minimum security measures required for computer workstations used within Pacific University. This standard also addresses standards for vendor and personally owned workstations when they are connected to Pacific University’s systems and networks. The elements of this standard include requirements for installation and configuration, access control, physical security, document storage, logging and monitoring, and change management. Pacific University security standards are based upon industry standards, HIPAA, National Institute of Standards and Technology (NIST) security guidelines, and existing Pacific University policies on Information Security.

This standard applies to all clinical workstations connected to the Pacific University network. All clinical workstations deployed run Windows and will be configured to policy requirements.

Updated 3-08-2022

PUNet ID required to review

Wednesday, Nov. 14, 2018

Institutional Review Board Policies & Procedures

The policies and procedures of the Pacific University Institutional Review Board (IRB) describe the day-to-day operations of the IRB, as required by the Code of Federal Regulations (CFR), Title 45 Part 46 (45 CFR 46), Title 21 Part 56 (21 CFR 56), and Title 21 Part 50 (21 CFR 50). The IRB is constituted for the purpose of ensuring the ethical conduct of research regarding human subjects (or any data or biological materials derived from human subjects) and protecting the rights of such research subjects.

Intellectual Property Policy

The creation, and use, of intellectual property is at the core of the academic enterprise at Pacific University. The intellectual contributions of faculty, staff and students to the University community enrich our common knowledge, and they foster our shared spirit of innovation. More information on copyright law and guidelines can be found through the United States Copyright Office.

IT Guidelines and Policy for International Travel | UIS

POL - UIS4500

International travel significantly increases the risks of theft or loss of IT equipment and of malware infection that can compromise accounts.  This policy helps to manage these risks and thus manage the risk to university protected data and records. There are also potential legal issues surrounding traveling with encryption and this policy helps manage risk of legal action to the university or its employees.

Tuesday, May 15, 2018
