Information Systems Activity Review and Audit Policy and Procedures | UIS

POL-UIS4509

The goal of Information Systems Activity Review is to prevent, detect, contain, and correct security violations and threats to Protected Data such as unauthorized access to the information systems, suspicious data use, or tampering.

Designated workforce members in each college, school or department will review any unauthorized access to the information systems, suspicious data use or tampering. They will take appropriate action regarding potential system vulnerabilities, improve safeguards as needed, and work with the Pacific University Privacy Officer and/or the Information Security Officer on appropriate action items.

PUNID required to review policy.

Implementation Guidance Worksheet:
AA Legal Policies FRM-UIS4509-1 Healthcare System Activity Review and Audit Template 04-19

Jan. 29, 2019

Information Technology Standard - Encryption Policy

POL-COM4820

The purpose of this standard is to define approved methods for using encryption technology to ensure the integrity and confidentiality of electronic protected health information (ePHI) and other Pacific University confidential information while at rest and during transmission. This standard applies to all data that is considered Pacific University confidential information, including ePHI when it is at rest, being processed, or transmitted between information technology resources.

Data encryption technology and mechanisms exist to help ensure the confidentiality and integrity of data.  This standard is designed to help Pacific University’s UIS Department determine when it is necessary to utilize encryption, and what type and/or level of encryption to employ. Pacific University security standards for Encryption Technology are based upon industry standards, HIPAA, National Institute of Standards & Technologies (NIST) security guidelines, and existing Pacific University policies on Information Security.

PUNet ID required to review

Dec. 1, 2014

Information Technology Standard - HIPAA File Storage in Box - Policy

POL-COM4819

The purpose of this standard is to define approved methods for using box.com to ensure the integrity and confidentiality of protected health information (PHI) and other Pacific University confidential information while at rest and during transmission. This standard applies to all data that is considered Pacific University confidential information, including PHI, and is being stored in Box, regardless of its storage duration.

Business and instructional needs may require the storage of PHI in the box.com file storage and sharing service (Box). Box provides tools to ensure that PHI remains private and secure. This standard is designed to provide guidelines to Box users who are storing, sharing or accessing PHI in Box, to make best use of those tools to ensure the integrity, privacy and security of that information.

PUNet ID required to review

Feb. 9, 2016

Information Technology Standard – Workstation Configuration Policy

POL-COM4821

This standard establishes a consistent set of minimum security measures required for computer workstations used within Pacific University. This standard also addresses standards for vendor and personally owned workstations when they are connected to Pacific University’s systems and networks. The elements of this standard include requirements for installation and configuration, access control, physical security, document storage, logging and monitoring, and change management. Pacific University security standards are based upon industry standards, HIPAA, National Institute of Standards & Technologies (NIST) security guidelines, and existing Pacific University policies on Information Security.

This standard applies to all clinical workstations connected to the Pacific University network. All clinical workstations deployed run Windows and will be configured to policy requirements.

PUNet ID required to review

Nov. 14, 2018

Job Shadow Agreement for Minor - Form

FRM-COM4822

Required document for providing a Job Shadow opportunity as a learning experience to a minor student. Form must be signed.

PUNet ID required to review

Nov. 7, 2018

Minimum Necessary Policy

POL-COM4823

The purpose of this policy is to establish Pacific University's compliance with federal HIPAA regulations 45 CFR §§ 164.502(b) and 164.514(d), which require covered entities to make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary. Information systems, including electronic health records, contain more protected health information (PHI) than may be needed for a given purpose or disclosure. This policy governs the use and disclosure of PHI so that only the minimum amount of PHI is used when needed.

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University.

PUNet ID required to review

Nov. 7, 2018

Mobile Device Policy | UIS

POL-UIS4511

Workforce members of Pacific University are generally not issued smart phones or similar mobile devices, which have the ability to connect to the Pacific network and download data. To support mobile access for the workforce, Pacific has adopted a "bring your own device" (BYOD) approach, which permits workforce members to utilize personally owned devices to access Pacific email, calendar, contacts and other resources. This policy applies to both personally owned devices and Pacific-owned devices.

The use of personally owned mobile devices to access Pacific data remotely might inevitably lead to users storing Pacific data on their personally owned devices. While Pacific determines the financial and technical feasibility of implementing technical controls and mobile device security enhancements, the university has adopted the measures described in this policy to safeguard university Protected Data.

PUNID required to review policy.

Jan. 29, 2019

Non-Retaliation/Non-Retribution Policy

POL-COM4838

Pacific University promotes the highest standard of ethical and legal conduct. Code of conduct, policy and procedures for all workforce members guide this effort. Pacific University promotes open dialogue between members of the Pacific University community, and encourages workforce members to report problems, concerns, and opinions without fear of retaliation or retribution. The University will use best efforts to protect workforce members against retaliation or retribution from reporting actual or potential wrongdoing, including actual or potential violation of law, regulation, policy or procedure.

All workforce members are responsible for promptly reporting actual or potential wrongdoing, including an actual or potential violation of law, regulation, policy or procedure. Pacific University has assigned the Director of Human Resources/Legal Affairs, the Privacy Officer and the Security Officer to lead compliance efforts as the compliance team. Pacific University compliance team officers maintain an “open door policy” to allow individuals to report problems and concerns. Reports can be submitted in person, by mail, by phone or by email to any person in leadership within Pacific University, including:

Compliance email: compliance@pacificu.edu

Privacy Officer: 503.352.2160; privacyofficer@pacificu.edu; 2043 College Way #118, Forest Grove, OR 97116

Security Officer: ciso@pacificu.edu

Reports are acted upon promptly and in the appropriate manner. Workforce members who report concerns in good faith will not be subjected to retaliation, retribution or harassment. No workforce member is permitted to engage in retaliation, retribution or any form of harassment against another person for reporting compliance-related concerns. Any retribution, retaliation or harassment will be met with disciplinary action. Employees cannot exempt themselves from the consequences of wrongdoing by self-reporting, although self-reporting may be taken into account in determining the appropriate course of action.

PUNID Required to view policy.

Oct. 15, 2019

Notice of Privacy Practices

POL-COM4801

Pacific University is committed to preserving the privacy of your health information. We are required by law to keep your health information private and provide you with this Notice of Privacy Practices. We are also required to provide you with this Notice describing our legal duties and our practices concerning your health information. We reserve the right to change this Notice and to make the revised or changed Notice effective for health information we already have about you, as well as any information we receive in the future. We will have a copy of the current Notice with an effective date in clinical locations and any changes made to the Notice will be posted in the Patient Registration area, posted on our website and given to you at your next appointment. Pacific University is required to notify you if your protected health information is breached.

Notice of Privacy Practices - Spanish

Notice of Privacy Practices Acknowledgement - English

Notice of Privacy Practices Acknowledgement - Spanish

Notice of Privacy Practices Handout - English

Notice of Privacy Practices Handout - Spanish

Request to Inspect or Copy Protected Health Information Form

Jul. 10, 2018

Pacific University Password Policy | UIS

POL-UIS4501

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

Passwords are an important aspect of computer security. A poorly chosen password may result in the compromise of Pacific University's entire university network.

Jan. 29, 2019

Patient Complaints About Privacy Practices - Policy and Procedure

POL-COM4825

In accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pacific University patients may complain about how Pacific University uses and discloses their Protected Health Information (PHI). All patient complaints will be submitted to the HIPAA Privacy Officer for investigation and resolution. (See the policy document for procedures on submitting a complaint.)

Pacific University has established a comprehensive HIPAA privacy and security program to prevent unauthorized access to protected health information (PHI). This policy sets forth Pacific's approach to investigating and responding to patient complaints about privacy practices. This policy applies to the workforce members of Pacific University’s Healthcare Clinics. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care components of Pacific University.

Nov. 1, 2017

Policy Governing Identity Theft Prevention Program and Red Flag Guidelines

POL-FA4001

The purpose of this policy is to establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account and to provide for continued administration of the Program. Further, the efforts and resources committed must be appropriate to the size and complexity of the organization and the nature and scope of its activities. The Program shall include reasonable policies and procedures to:

  1. Identify relevant red flags to ensure the detection of possible risk of identity theft to customers and incorporate those red flags into the Program;
  2. Detect red flags that have been incorporated into the Program;
  3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  4. Ensure the Program is updated periodically to reflect changes in risks to customers and to the safety and soundness of the creditor from identity theft.

Administration of the Program is with the Vice President of Finance and Administration in development, implementation and oversight. This includes ongoing staff training and oversight of service provider arrangements to ensure compliance.

Pacific University developed this Identity Theft Prevention Program (“Program”) pursuant to the Federal Trade Commission’s Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act (FACT ACT) of 2003. This program was received and reviewed by the Executive Committee of the Board of Trustees on April 13th, 2009. The program was then sent to the Finance Committee to review on May 22, 2009. The Finance Committee forwarded the policy to the Audit Committee for approval. After consideration of the size of the University’s operations and accounting systems, and the nature and scope of the University’s activities, the Audit Committee determined that this Program was appropriate for Pacific University, and therefore approved this Program on June 10, 2009.

Policy requires PUNet ID to review.

Jun. 10, 2009

Protected Data Communication via Conferencing and Video Services

POL-COM4833

This policy establishes the required guidelines for the use of HIPAA/FERPA protected healthcare conferencing and video services (e.g. Healthcare Zoom) by workforce members to discuss Protected Data.  Permitted uses are: case conferences, preceptor consultations, HIPAA/FERPA protected conferencing and video services, student performance measures, care coordination, student advising sessions, and administrative meetings.

PUNID required to review policy.

Mar. 12, 2019

Remote Access Policy | UIS

POL-UIS4513

This policy applies universally to all remote access, regardless of ownership of the equipment used to perform the remote access. Pacific University determines the financial and technical feasibility of implementing technical controls and remote workstation security enhancements. This policy sets the standards for assigning remote access and user responsibilities to protect data. Pacific University’s Information Security Officer or designee shall confirm all Protected Data in motion over a public network is encrypted according to current technology standards.  

PUNID required to review policy.

Jan. 29, 2019

Request for Confidential Communications

POL-COM4805

The purpose of this policy is to ensure patients the right to request Confidential Communications as required by HIPAA.

HIPAA permits a patient to request that the covered entity communicate by alternative means or to alternative locations.

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University.

Request for Confidential Communications Form

Confidential Communications Revocation Form

Nov. 1, 2017

Request for Restrictions of Use and Disclosure of Protected Health Information Policy

POL-COM4827

The purpose of this policy is to describe the patient right to request a restriction of use and disclosure of protected health information (PHI). HIPAA permits a patient to request that the covered entity restrict uses or disclosures of protected health information (PHI) about the patient to carry out treatment, payment, or health care operations.

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University.

PUNet ID required to review

Form - Request for Restriction Not to Bill Health Plan or Insurance

Form - Request for Restrictions of Use and Disclosure of Protected Health Information

Nov. 1, 2017

Request to Amend Protected Health Information (PHI) Policy

POL-COM4828

The purpose of this policy is to describe a patient’s right to request an amendment of protected health information contained in the designated record set (DRS), and the process and timeline for replying to the request. HIPAA provides patients and their representatives certain rights. This policy describes a patient’s right to request an amendment of protected health information (PHI).

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University.

PUNet ID required to review

Form - Request to Amend PHI

Nov. 1, 2017

Risk Analysis and Management Policy and Procedures | UIS

POL-UIS4514

Pacific University has adopted this Risk Analysis and Management Policy in order to recognize the requirement to comply with Information Security Requirements. Under the guidance of Senior Leadership, Pacific University will conduct periodic assessments of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Data with which we have been entrusted.

Senior Leadership will be responsible for receiving, reviewing and acting upon the risk analysis, including assessing assignment of risk, prioritizing risk mitigation, and advocating for resources needed to implement a risk mitigation plan.

PUNID required to review policy.

Feb. 12, 2019

Security Evaluation Policy and Procedures | UIS

POL-UIS4515

Pacific University takes reasonable and appropriate steps to conduct periodic technical and non-technical evaluations of its security safeguards in order to demonstrate and document the extent of the university’s compliance with its security policies and applicable laws and regulations. These safeguards include policies, controls, and processes, which are updated in response to environmental or operational changes affecting the security of Protected Data. The evaluations will be completed by a team or individual designated by Pacific University's Information Security Officer.

PUNID required to review this policy.

Jan. 29, 2019

Workforce Security Policy and Procedures | UIS

POL-UIS4516

Pacific University has adopted this Workforce Security Policy to ensure the confidentiality, integrity, and availability of all Protected Data we create, receive, maintain, or transmit as required by federal or state regulatory requirements, including but not limited to FERPA, GLBA, HIPAA, PCI, and other regional or local applicable laws and regulations. During the course of normal operations, it will be necessary to provide Pacific University workforce members with access to electronic Protected Data. Access to sensitive materials such as this should be restricted to those individuals who have been vetted and authorized for such access and possess a need to know to perform the course of their duties. Workforce clearance procedures screen access to Protected Data and ensure that only those individuals who should possess access have access.

PUNID required to review policy.

Jan. 29, 2019
