Access to Facilities and Secure Spaces with ePHI - Policy and Procedures

POL-COM4811

The purpose of this Policy is to set forth the University’s process for the protection of and authorized access to secure spaces that have Electronic Protected Health Information (“ePHI”), and requirements for retaining facility maintenance records pertaining to the security safeguards of identified areas.

In support of the physical security safeguards described in the HIPAA Security Rule CFR §164.310, Pacific University will implement policies and procedures to prevent unauthorized access to facilities, and document the repairs and modifications to the physical components of a facility related to ePHI security (for example, hardware, walls, doors and locks).  This includes access to defined spaces as well as maintenance performed on equipment. 

PUNet ID Required to review

Mar. 25, 2014

Accounting of Disclosures of Protected Health Information Policy

POL-COM4803

The purpose of this policy is to describe patients’ rights to request an accounting of disclosures of their protected health information.

One of the rights granted to patients under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the right of the patient to request and receive an accounting of the disclosures of the patient’s PHI. The patient’s right to request and receive an Accounting of Disclosures is described within the Notice of Privacy Practices. This policy describes how Pacific University must to be able to provide the patient with an accurate Accounting of Disclosures.

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University.

PUNet ID Required to review

Form - Request for Accounting of Disclosures of Protected Health Information

Nov. 1, 2017

Authorization for Use and Disclosure of Protected Health Information

POL-COM4804

The purpose of this Policy is to set forth the University’s process for the use and disclosure of PHI pursuant to a written authorization.

This policy describes the uses and disclosures of protected health information (PHI) that require written authorization prior to use or disclosure. This policy establishes guidelines for obtaining and properly documenting an individual’s authorization for any use and/or disclosure of PHI that requires prior authorization. This policy also identifies the elements of a valid authorization and verification for release of PHI upon receipt of an authorization.

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University.

Authorization to Disclose FORM English 12_2018

Authorization to Disclose FORM Spanish 12_2018

PUNet ID Required to review

Nov. 1, 2017

Biomedical Device Policy and Procedure

POL-COM4810

The purpose of this policy and procedure is to confirm Pacific University’s compliance with federal HIPAA regulation 45 CFR § 164.310(d)(1 & 2) and 164.312, which directs Pacific University to implement physical and technical safeguards to protect access and maintain the technical security of biomedical devices involved in the creation, maintenance, modification, or storage of Protected Health Information (PHI).

It is Pacific University’s policy that the Pacific University Information Security Officer or a designee will be responsible for performing the appropriate physical and technical safeguarding activities to all biomedical devices which access or store Pacific University PHI. This policy provides guidance on the security of PHI when created, maintained, transported, modified, or destroyed by biomedical devices or equipment while in use by the Pacific University Workforce.

PUNet ID Required to review

Nov. 25, 2014

Biomedical Device Policy and Procedure | UIS

POL-UIS4504

Pacific University utilizes a variety of IT equipment to support patient care and communicate with healthcare information systems including desktop computers, servers, laptops, and biomedical devices. Biomedical devices typically measure physiological characteristics of patients and in some cases may not use or look like a traditional computer, yet they may store electronic protected healthcare information (ePHI).

Policy addresses security of devices/equipment while in use by Pacific workforce. Details encryption and physical safety measures as well as removal of PHI from devices.

PUNID required to review policy.

Jan. 29, 2019

Business Associate Agreements (BAAs) Policy

POL-COM4808

The HIPAA rules generally require that covered entities enter into contracts with their business associates to ensure that each party will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.  A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law.

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University.

Business associate agreements must be in writing and must include terms authorized and approved by the Privacy Office and Legal Affairs, in order to maintain compliance with federal and state privacy regulations. When Pacific University enter into agreements with outside vendors involving the vendor’s access or exposure to information considered to be protected health information (PHI), pursuant to the Health Information Privacy and Portability Act (HIPAA), a BAA is required. 

PUNet ID Required to review

Supplemental Documents:

Business Associate Decision Tree
Business Associate FAQ
Business Associates Procedure Outline
Business Associate Agreement Template

Nov. 7, 2018

Clinical Observers, Visitors, and Volunteers Policy

POL-COM4809

The purpose of this policy is to describe the policy and procedure for requesting and approving access for authorizing short-term access to patient care areas or to view patient care.

Pacific University has established a comprehensive HIPAA privacy and security program to prevent unauthorized access to protected health information (PHI). This policy sets forth Pacific's approach for any person, invited or otherwise authorized to enter Pacific University patient-care areas or to view patient care in any Pacific University Healthcare clinical location, who is not formally associated with the Pacific University Healthcare clinical workforce.

Any person, invited or otherwise authorized to enter Pacific University Healthcare Clinic patient-care areas or to view patient care in any Pacific University Healthcare clinical location, who is not formally associated with the Pacific University Healthcare clinical workforce, must be accounted for, either by a formal registration process, or a more informal approval process for short-term access to patient care areas. Such visitors must be accompanied and/or supervised by a Pacific University representative from the patient care area or location at all times. The Pacific University Healthcare Clinic representative is responsible for the actions of the visitor, including any direct or indirect access to protected health information (PHI).

PUNet ID Required to review

Form - Request to Observe Patient Care

Feb. 1, 2018

Data Integrity Policy

POL-COM4806

The purpose of this policy is to establish a standard for HIPAA data integrity control activities related to the Pacific University HIPAA Program.  Pacific is committed to take reasonable and appropriate steps to ensure that the integrity of protected health information is safeguarded.

Appropriate management of access to protected health information is an important aspect of Pacific University's information security strategy.  Pacific University has adopted this Access Control Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”).

The scope of this policy is all systems which support the operations of Pacific University’s Healthcare Clinics.  Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University Healthcare Clinics” shall be construed to refer only to the health care component of Pacific University.

PUNet ID Required to review

Nov. 1, 2017

Data Integrity Policy | UIS

POL-UIS4505

Pacific University has adopted this Data Integrity Policy and Procedure to ensure the confidentiality, integrity, and availability of all Protected Data we create, receive, maintain, or transmit as required by federal or state regulatory requirements, including but not limited to FERPA, GLBA, HIPAA, PCI, and other regional or local applicable laws and requirements.

The policy establishes a standard to instruct and guide workforce members in the appropriate access, use, storage, and transmission of protected data. Policy requires audits of user access rights to protected data. The university will leverage appropriate security safeguards to support the integrity of Protected Data.

PUNID required to review policy.

Jan. 29, 2019

De-Identification of Protected Health Information Policy

POL-COM4807

The purpose of this Policy is to set forth Pacific University’s process for determining what patient information can be used and disclosed if information that can identify a person has been removed.

Pacific University has a duty to protect the confidentiality and integrity of protected health information (PHI) as required by law, professional ethics, and accreditation requirements therefore this policy outlines the standards that workforce members at Pacific will follow when de-identifying PHI.

This policy applies to the workforce members of Pacific University’s Healthcare Clinics.  Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care components of Pacific University.

PUNet ID Required to review

Nov. 1, 2017

Facilities Access and Maintenance Control Policy and Procedures | UIS

POL-UIS4506

In support of the physical security safeguards described in NIST standards, Pacific University will implement policies and procedures to prevent unauthorized access to facilities and document the repairs and modifications to the physical components of a facility related to Protected Data security (for example, hardware, walls, doors and locks). This includes access to defined spaces as well as maintenance performed on equipment.

PUNID required to review policy.

Jan. 29, 2019

General Guidelines to Safeguard Protected Health Information - Policy

POL-COM4812

The purpose of this policy is to provide practical steps that workforce members can take to achieve the general limitations on the use and disclosure of protected health information (PHI) as required by the Health Insurance Portability and Accountability Act, HIPAA. 

The following guidelines are in accordance with the final Security Rule and consistent with the HIPAA privacy requirement to safeguard protected health information (PHI).  See 45 CFR § 164.530(c).  Use of these guidelines will improve the security of protected health information, and will also increase workforce awareness of the importance of keeping protected health information private.

Pacific University will use reasonable administrative, physical, and technical safeguards to protect the privacy of protected health information and limit incidental uses or disclosures of protected health information. All members of the Pacific University workforce will follow these guidelines in handling protected health information (PHI) in order to protect the privacy of protected health information and limit incidental uses and disclosures.

PUNet ID Required to review

Confidentiality Statement for Fax with PHI Template

Nov. 1, 2017

Healthcare Clinic Code of Conduct

POL-COM4802

The Code of Conduct provides guidance for professional conduct. The success and reputation of the university in fulfilling its mission depends on the ethical behavior, honesty, integrity and good judgment of each member of the community.

The Code of Conduct outlines principles, policies and some of the laws that govern the activities of the University and to which our employees who represent the University must adhere.Those acting on behalf of Pacific University Healthcare Clinic Operations have a general duty to conduct themselves in a manner that will maintain and strengthen the public’s trust and confidence in the integrity of the University and take no actions incompatible with their obligations to the University.

Those acting on behalf of the University in a capacity related to Health Care Clinics must practice and annually attest to and sign the Code of Conduct, Confidentiality of Records Agreement and Acknowledgement of Pacific University Healthcare Clinic Policies and Procedures.

PUNet ID Required to review

Healthcare Code of Conduct Form for Signature (10/2018)

Oct. 9, 2018

Healthcare Clinic Operations Workforce Training Policy

POL-COM4813

The purpose of this policy is to establish a standard for training for all new and existing members of the Pacific University Healthcare Clinic workforce. This policy will cover initial, as well as periodic re-training standards. All workforce members of Pacific University receive training on current Federal, State and other applicable healthcare regulations. 

The scope of this policy is all workforce members of Pacific University’s Healthcare Clinics. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University Healthcare Clinics” shall be construed to refer only to the health care component of Pacific University.

PUNet ID Required to review

Nov. 6, 2018

HIPAA Breach Notification Policy and Procedure

POL-COM4814

The purpose of this Policy is to set forth Pacific University’s process for addressing potential breaches of unsecured protected health information from incident discovery to investigation / risk assessment and potential notification. Pacific University has established a comprehensive HIPAA privacy and security program to prevent unauthorized access to protected health information (PHI). This policy sets forth Pacific's approach to investigating and responding to incidents that may involve unauthorized use or disclosure of PHI. 

It is the policy of Pacific University to be prepared for, to prevent and to respond to information security incidents. Once a security incident is suspected and reported to the privacy officer, he/she will analyze the available information in order to determine if the security incident constitutes a data breach as defined by the HIPAA Omnibus Rule. If it is determined that a breach has occurred, procedures to mitigate the harmful effects of the incidents including containing and eradicating the incident, will be put into place. Security incidents and their outcomes will be documented and stored electronically in a secure location.

PUNet ID Required to review

Nov. 6, 2018

HIPAA Privacy and Security Sanctions Policy

POL-COM4815

The purpose of this Policy is to set forth Pacific University’s process for applying sanctions for violations of Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security policies. Pacific University has established a comprehensive HIPAA privacy and security program to prevent unauthorized access to protected health information (PHI). This policy sets forth Pacific's approach to applying consistent sanctions upon completion of investigations. 

This policy applies to the workforce members of Pacific University’s Healthcare Clinics. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care components of Pacific University.

PUNet ID required to review.

HIPAA Violation Discipline MATRIX Clinics

Nov. 1, 2017

HIPAA Risk Analysis and Management Policy

POL-COM4829

Pacific University has adopted this Risk Analysis Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”). The purpose of this policy is to establish a standard for HIPAA Risk Analysis and management for the Pacific University HIPAA Program. This policy will cover initial, as well as periodic risk analysis activities.

The scope of this policy is all systems which support the operations of Pacific University’s Healthcare Clinics. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University Healthcare Clinics” shall be construed to refer only to the health care component of Pacific University.

PUNet ID required to review

Nov. 1, 2017

Information Security - Incident Security Response Policy

POL-COM4816

The purpose of this document is to describe Pacific’s plan to respond to information security incidents, as they may be costly in terms of financial loss, organizational disruption, reputation and resources. With this plan in place, Pacific can incidents, understand the extent and source of a security incident, protect high value and sensitive data, collect information and determine course of action, recover systems to operational mode and support legal investigations. Lessons learned from incidents will be used to enhance safeguards with the goal of preventing future incidents from occurring.

The scope of this policy is all workforce members of Pacific University’s Healthcare Clinics. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University Healthcare Clinics” shall be construed to refer only to the health care component of Pacific University.

PUNet ID required to review

Dec. 1, 2017

Information Security - Incident Security Response Policy and Procedures | UIS

POL-UIS4507

Information security related incidents impact Pacific University's (Pacific) security goals and may also harm its ability to conduct business. These incidents may be malicious in nature or accidental. Pacific has selected and implemented a set of safeguards, which are based on the result of risk assessments and information security standards. In the event of a security related incident, this policy addresses the methods for identifying, responding to and, when possible, preventing security incidents. The Incident Response Team includes the Information Security Officer, the Privacy Officer, the Director of Legal Affairs and may include other department directors as needed.

PUNID required to review this policy.

 

Jan. 29, 2019

Information Security Sanctions Policy | UIS

POL - UIS4508

This policy sets forth Pacific's approach to applying sanctions upon completion of investigations regarding misuse of Protected Data. Attempting to obtain or use, actually obtaining or using, or assisting others to obtain or use Protected Data, when unauthorized or improper, will result in counseling and/or disciplinary action up to and including termination.

Pacific University has adopted this Information Security Sanctions Policy to ensure the confidentiality, integrity, and availability of all Protected Data we create, receive, maintain, or transmit as required by federal or state regulatory requirements, and other regional or local applicable laws and requirements.

Supplemental Document: FRM-UIS4508-1 Pacific University Sanctions Matrix

PUNID required to review this policy.

Jan. 29, 2019

Pages