Appropriate management of access to Protected Data is an important aspect of Pacific University's information security strategy. The policy outlines requirements and process for granting members of the workforce appropriate levels of access to electronic Protected Date based on study or work-related duties and responsibilities. Policy also outlines the documented process for granting authorization and access to Protected Data.

PUNID required to review policy.

Most information systems, including electronic health records that contain ePHI have the ability to create log files, which describe the activity occurring to, or within the system. A timely review of system activity can give insight into potential issues that may negatively impact the security of protected health information.

The purpose of this policy is to establish Pacific University's compliance with federal HIPAA regulations including standard practices for reviewing system activity within information systems. These types of reviews may include the activity and access logs of Pacific University medical record systems which store ePHI.

PUNID required to review policy.

Information Systems Activity Review and Audit Policy

The goal of Information Systems Activity Review is to prevent, detect, contain, and correct security violations and threats to Protected Data such as unauthorized access to the information systems, suspicious data use, or tampering.

Designated workforce members in each college, school or department will review any unauthorized access to the information systems, suspicious data use or tampering. They will take appropriate action regarding potential system vulnerabilities, improve safeguards as needed, and work with the Pacific University Privacy Officer and/or the Information Security Officer on appropriate action items.

PUNID required to review policy.

Implementation Guidance Worksheet:
AA Legal Policies FRM-UIS4509-1 Healthcare System Activity Review and Audit Template 04-19

The purpose of this standard is to define approved methods for using encryption technology to ensure the integrity and confidentiality of electronic protected health information (ePHI) and other Pacific University confidential information while at rest and during transmission. This standard applies to all data that is considered Pacific University confidential information, including ePHI when it is at rest, being processed, or transmitted between information technology resources.

Data encryption technology and mechanisms exist to help ensure the confidentiality and integrity of data.  This standard is designed to help Pacific University’s UIS Department determine when it is necessary to utilize encryption, and what type and/or level of encryption to employ. Pacific University security standards for Encryption Technology are based upon industry standards, HIPAA, National Institute of Standards & Technologies (NIST) security guidelines, and existing Pacific University policies on Information Security.

PUNet ID required to review

Revised 2/8/2022

The purpose of this standard is to define approved methods for using box.com to ensure the integrity and confidentiality of protected health information (PHI) and other Pacific University confidential information while at rest and during transmission. This standard applies to all data that is considered Pacific University confidential information, including PHI, and is being stored in Box, regardless of its storage duration.

Business and instructional needs may require the storage of PHI in the box.com file storage and sharing service (Box). Box provides tools to ensure that PHI remains private and secure. This standard is designed to provide guidelines to Box users who are storing, sharing or accessing PHI in Box, to make best use of those tools to ensure the integrity, privacy and security of that information.

PUNet ID required to review
Updated September 2023

This standard establishes a consistent set of minimum security measures required for computer workstations used within Pacific University. This standard also addresses standards for vendor and personally owned workstations when they are connected to Pacific University’s systems and networks.The elements of this standard include requirements for installation and configuration, access control, physical security, document storage, logging and monitoring, and change management. Pacific University security standards are based upon industry standards, HIPAA, National Institute of Standards & Technologies (NIST) security guidelines, and existing Pacific University policies on Information Security.

This standard applies to all Clinical workstation connected to the Pacific University network. All clinical workstations deployed run Windows and will be configured to policy requirements.

Updated 3-08-2022

PUNet ID required to review

Required document for providing a Job Shadow opportunity as a learning experience to a minor student. Form must be signed.

Updated 3-8-2022

PUNet ID required to review

The purpose of this policy is to establish language proficiency requirements for Providers in accordance with OHA 333.002.0250.

Pacific University will allow Providers to interpret from English to the target language, when arranging for or providing services to a person with Limited English Proficiency (LEP), when the Provider meets the proficiency standard, prior to acting as interpreter. Patient requests for a certified or qualified interpreter from the Health Care Interpreters Registry will be honored by Pacific University.

This policy applies to Providers within Pacific University’s Healthcare Clinics. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care components of Pacific University.

Updated October 2024.

The purpose of this policy is to establish Pacific University's compliance with federal HIPAA regulations 45 CFR §§ 164.502(b) and 164.514(d), which require covered entities to make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary. Information systems, including electronic health records contain more protected health information (PHI) than may be needed for a given purpose or disclosure. This policy governs the use and disclosure of PHI so that only the minimum amount of PHI is used when needed.

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University.

PUNet ID required to review
Updated April 2023

Workforce members of Pacific University are generally not issued smart phones or similar mobile devices, which have the ability to connect to the Pacific network and download data. To support mobile access for the workforce, Pacific has adopted a "bring your own device" (BYOD) approach, which permits workforce members to utilize personally owned devices to access Pacific email, calendar, contacts and other resources. This policy applies to both personally owned devices and Pacific-owned devices.

The use of personally owned mobile devices to access Pacific data remotely might inevitably lead to users storing Pacific data on their personally owned devices. While Pacific determines the financial and technical feasibility of implementing technical controls and mobile device security enhancements, the university has adopted the measures described in this policy to safeguard university Protected Data.

PUNID required to review policy.

Revised 2/8/2022

Pacific University promotes the highest standard of ethical and legal conduct. The Code of Conduct, policy and procedures for all workforce members guide this effort. Pacific University promotes open dialogue between members of the Pacific University community, and encourages workforce members to report problems, concerns, opinions without fear of retaliation or retribution.

The University will use best efforts to protect workforce members against retaliation or retribution from reporting actual or potential wrongdoing, including actual or potential violation of law, regulation, policy or procedure.

All workforce members are responsible for promptly reporting actual or potential wrongdoing, including an actual or potential violation of law, regulation, policy or procedure. Workforce members who report concerns in good faith will not be subjected to retaliation, retribution or harassment.

Pacific University maintains an “open door policy” to allow individuals to report problems and concerns. Reports can be submitted in person, by mail, by phone or email to any person in leadership within Pacific University, including:

General Counsel, Associate VP of HR, Legal and Compliance, or
Vice President for Finance and Administration, or
Provost and Vice President for Academic Affairs
2043 College Way
Forest Grove, OR 97116

Pacific University is committed to preserving the privacy of your health information. We are required by law to keep your health information private and provide you with this Notice of Privacy Practices. We are also required to provide you with this Notice describing our legal duties and our practices concerning your health information. We reserve the right to change this Notice and to make the revised or changed Notice effective for health information we already have about you, as well as any information we receive in the future. We will have a copy of the current Notice with an effective date in clinical locations and any changes made to the Notice will be posted in the Patient Registration area, posted on our website and given to you at your next appointment. Pacific University is required to notify you if your protected health information is breached.

Notice of Privacy Practices — English

Notificación de Prácticas de Privacidad — Spanish

Request to Inspect or Copy Protected Health Information Form

For Clinic Use: 

Notice of Privacy Practices Acknowledgement - English

Notice of Privacy Practices Acknowledgement - Spanish

Notice of Privacy Practices Handout - English

Notice of Privacy Practices Handout - Spanish

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

Passwords are an important aspect of computer security. A poorly chosen password may result in the compromise of Pacific University's entire university network.

In accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pacific University patients may complain about how Pacific University uses and discloses their Protected Health Information (PHI). All patient complaints will be submitted to the HIPAA Privacy Officer for investigation and resolution. (See the policy document for procedures on submitting a complaint.)

Pacific University has established a comprehensive HIPAA privacy and security program to prevent unauthorized access to protected health information (PHI). This policy sets forth Pacific's approach to investigating and responding to patient complaints about privacy practices. This policy applies to the workforce members of Pacific University’s Healthcare Clinics.  Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care components of Pacific University.

Updated August 2023

The purpose of this policy is to ensure credit balances are appropriately returned to the payer, patient, or properly accounted for by each clinic.

This policy establishes the required guidelines for the use of HIPAA/FERPA protected healthcare conferencing and video services (e.g. Healthcare Zoom) by workforce members to discuss Protected Data.  Permitted uses are: case conferences, preceptor consultations, HIPAA/FERPA protected conferencing and video services, student performance measures, care coordination, student advising sessions, and administrative meetings.

PUNID required to review policy.

Updated October 2024.

This policy describes and defines the retention and destruction of Protected Health Information (PHI) of patients of the healthcare component of Pacific University. The entire record must be maintained for the required period.

This policy is in accordance with all regulations related to the retention and storage of PHI, including but not limited to the follow healthcare regulations: HIPAA, HITECH, Oregon Administrative Rules, Oregon Revised Statutes and Oregon Medical Board.  In cases where regulation and laws offer conflicting retention schedules, Pacific University will comply with the most restrictive requirement.

Additional Key Documents
HCOCC Record Retention Schedule
FRM-4840-1 Certificate of Destruction - On Site
FRM-4840-2 Certificate of Destruction - Vendor

This policy applies universally to all remote access, regardless of ownership of the equipment used to perform the remote access. Pacific University determines the financial and technical feasibility of implementing technical controls and remote workstation security enhancements.

PUNID required to review policy.

Revised 2/8/2022