The purpose of this Policy is to set forth the University’s process for the use and disclosure of PHI pursuant to a written authorization.

This policy describes the uses and disclosures of protected health information (PHI) that require written authorization prior to use or disclosure. This policy establishes guidelines for obtaining and properly documenting an individual’s authorization for any use and/or disclosure of PHI that requires prior authorization. This policy also identifies the elements of a valid authorization and verification for release of PHI upon receipt of an authorization.

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University.

Authorization to Disclose FORM - English

Authorization to Disclose FORM - Spanish

Authorization to Disclose Opt Out or Revoke Form - English

Authorization to Disclose Opt Out or Revoke Form - Spanish

PUNet ID Required to review
Policy Updated May 2023; Forms Updated December 2023

Pacific University utilizes a variety of IT equipment to support patient care and communicate with healthcare information systems including desktop computers, servers, laptops, and biomedical devices. Biomedical devices typically measure physiological characteristics of patients and in some cases may not use or look like a traditional computer, yet they may store electronic protected healthcare information (ePHI).

Policy addresses security of devices/equipment while in use by Pacific workforce. Details encryption and physical safety measures as well as removal of PHI from devices.

PUNID required to review policy.

The HIPAA rules generally require that covered entities enter into contracts with their business associates to ensure that each party will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.  A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law.

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University.

Business associate agreements must be in writing and must include terms authorized and approved by the Privacy Office and Legal Affairs, in order to maintain compliance with federal and state privacy regulations. When Pacific University enter into agreements with outside vendors involving the vendor’s access or exposure to information considered to be protected health information (PHI), pursuant to the Health Information Privacy and Portability Act (HIPAA), a BAA is required. 

PUNet ID Required to review.

Updated October 2024.

Supplemental Documents:

Business Associate Decision Tree
Business Associate FAQ
Business Associates Procedure Outline
Business Associate Agreement Template

The purpose of this policy is to describe the policy and procedure for requesting and approving access for authorizing short-term access to patient care areas or to view patient care.

Pacific University has established a comprehensive HIPAA privacy and security program to prevent unauthorized access to protected health information (PHI). This policy sets forth Pacific's approach for any person, invited or otherwise authorized to enter Pacific University patient-care areas or to view patient care in any Pacific University Healthcare clinical location, who is not formally associated with the Pacific University Healthcare clinical workforce.

Any person, invited or otherwise authorized to enter Pacific University Healthcare Clinic patient-care areas or to view patient care in any Pacific University Healthcare clinical location, who is not formally associated with the Pacific University Healthcare clinical workforce, must be accounted for, either by a formal registration process, or a more informal approval process for short-term access to patient care areas. Such visitors must be accompanied and/or supervised by a Pacific University representative from the patient care area or location at all times. The Pacific University Healthcare Clinic representative is responsible for the actions of the visitor, including any direct or indirect access to protected health information (PHI).

PUNet ID Required to review.

Updated February 2023.

Form - Request to Observe Patient Care

Form - Request to Volunteer

Form - Pacific University Healthcare Clinic HIPAA Information Guide

Pacific University has adopted this Data Integrity Policy and Procedure to ensure the confidentiality, integrity, and availability of all Protected Data we create, receive, maintain, or transmit as required by federal or state regulatory requirements, including but not limited to FERPA, GLBA, HIPAA, PCI, and other regional or local applicable laws and requirements.

The policy establishes a standard to instruct and guide workforce members in the appropriate access, use, storage, and transmission of protected data. Policy requires audits of user access rights to protected data. The university will leverage appropriate security safeguards to support the integrity of Protected Data.

PUNID required to review policy.

The purpose of this Policy is to set forth Pacific University’s process for determining what patient information can be used and disclosed if information that can identify a person has been removed.

Pacific University has a duty to protect the confidentiality and integrity of protected health information (PHI) as required by law, professional ethics, and accreditation requirements therefore this policy outlines the standards that workforce members at Pacific will follow when de-identifying PHI.

This policy applies to the workforce members of Pacific University’s Healthcare Clinics.  Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care components of Pacific University.

PUNet ID Required to review
Updated April 2023

In support of the physical security safeguards described in NIST standards, Pacific University will implement policies and procedures to prevent unauthorized access to facilities and document the repairs and modifications to the physical components of a facility related to Protected Data security (for example, hardware, walls, doors and locks). This includes access to defined spaces as well as maintenance performed on equipment.

PUNID required to review policy.

The purpose of this policy is to provide practical steps that workforce members can take to achieve the general limitations on the use and disclosure of protected health information (PHI) as required by the Health Insurance Portability and Accountability Act, HIPAA. 

The following guidelines are in accordance with the final Security Rule and consistent with the HIPAA privacy requirement to safeguard protected health information (PHI).  See 45 CFR § 164.530(c).  Use of these guidelines will improve the security of protected health information, and will also increase workforce awareness of the importance of keeping protected health information private.

Pacific University will use reasonable administrative, physical, and technical safeguards to protect the privacy of protected health information and limit incidental uses or disclosures of protected health information. All members of the Pacific University workforce will follow these guidelines in handling protected health information (PHI) in order to protect the privacy of protected health information and limit incidental uses and disclosures.

PUNet ID Required to review
Updated May 2023

Confidentiality Statement for Fax with PHI Template (Updated April 2023)

To provide ethical guidance to healthcare clinic workforce members as it relates to relationships with individuals and entities that supply goods and services to our clinics. To set forth the required standards of conduct for all employees regarding the acceptance of gifts, educational or travel subsidies, entertainment, meals, and any other form of remuneration from suppliers and business partners that refer or are in a position to refer health care business or those that provide products or services used in the delivery of health care.

The scope of this policy is all workforce members of Pacific University’s health care component. Pacific University is a hybrid entity. The health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care component of Pacific University. In addition to this policy, Pacific University also requires that designated employees, researchers, and governing board members comply with various Conflict of Interest policies concerning disclosures of financial interests and relationships with vendors, research sponsors, and business partners.

PUNet ID required to view policy.
Updated August 2023.

Pacific University Healthcare Clinic workforce members are committed to quality, honesty and integrity in our handling of billing and coding activities within the healthcare clinics.  We are committed to operate within the laws, rules, regulations, and policies set by the federal and state governments, insurance programs and Medicare/Medicaid carriers, fiscal intermediaries, and others.

There will be both internal and external (i.e. by a contracted independent consultant, or other professional and/or government or regulatory agencies) auditing of proper coding, chart documentation, billing, and data integrity.

Policy last updated in April 2024.
PUNID required for viewing policy.

Pacific University Healthcare Clinic workforce members are committed to quality, honesty and integrity in our handling of billing and coding activities within the healthcare clinics.  We are committed to operate within the laws, rules, regulations, and policies  set  by  the  federal  and  state  governments,  insurance  programs  and Medicare/Medicaid carriers, fiscal intermediaries, and others.

Each clinic will be responsible to inform patients and workforce members of their rights with regard to the billing and coding grievance policy. A grievance must be received in written form. If a billing or coding grievance comes to the clinic and can’t be resolved at the clinic level, the clinic must notify the Compliance Officer within 3 business days, documenting the date the grievance was received, the written grievance, a brief statement of the facts alleged, and any documentation that applies to the disputed item(s). Pacific University Healthcare Clinics will commit to maintain a direct channel of communication and mediation between compliance officer, individual patients, patient’s representative, or advocate to resolve any concerns in a positive and timely manner.

Policy last updated in April 2024.
PUNID required for viewing policy.

Pacific University Healthcare Clinic workforce members are committed to quality, honesty and integrity in our handling of billing and coding activities within the healthcare clinics.  We are committed to operate within the laws, rules, regulations, and policies set by the federal and state governments, insurance programs and Medicare/Medicaid carriers, fiscal intermediaries, and others.

The University requires full compliance with all relevant health care billing and coding regulations. All billing and coding workforce members are required to have a strong knowledge of, and to stay current with, applicable laws and regulations as well as University policies and procedures relevant to their areas of responsibility.

Policy last updated in April 2024.
PUNID Required to view policy.

Pacific University Healthcare Clinic workforce members are committed to quality, honesty and integrity in our handling of billing and coding activities within the healthcare clinics.  We are committed to operate within the laws, rules, regulations, and policies set by the federal and state governments, insurance programs and Medicare/Medicaid carriers, fiscal intermediaries, and others.

All clinical billing and coding will be done in compliance with all applicable state and federal laws and regulations.  Pacific University follows the standards set forth by the Office of Inspector General (OIG) to identify areas of billing and coding at risk for non-compliance.  Pacific University workforce members will ensure their billing and coding is compliant with these standards.

Policy last updated in April 2024.
PUNID required to view policy.

The Code of Conduct provides guidance for professional conduct. The success and reputation of the university in fulfilling its mission depends on the ethical behavior, honesty, integrity and good judgment of each member of the community.

The Code of Conduct outlines principles, policies and some of the laws that govern the activities of the University and to which our employees who represent the University must adhere. Those acting on behalf of Pacific University Healthcare Clinic Operations have a general duty to conduct themselves in a manner that will maintain and strengthen the public’s trust and confidence in the integrity of the University and take no actions incompatible with their obligations to the University.

Those acting on behalf of the University in a capacity related to Health Care Clinics must practice and annually attest to and sign the Code of Conduct, Confidentiality of Records Agreement and Acknowledgement of Pacific University Healthcare Clinic Policies and Procedures.

PUNet ID Required to review
The form & policy were updated June 2024.

Healthcare Code of Conduct Form for Signature (6/2024)

The purpose of this policy is to establish a standard for training for all new and existing members of the Pacific University Healthcare Clinic workforce. This policy will cover initial, as well as periodic re-training standards. All workforce members of Pacific University receive training on current Federal, State and other applicable healthcare regulations. 

The scope of this policy is all workforce members of Pacific University’s Healthcare Clinics. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University Healthcare Clinics” shall be construed to refer only to the health care component of Pacific University.

PUNet ID Required to review
Updated August 2023

The purpose of this policy is to set forth Pacific University’s process for addressing potential breaches of unsecured protected health information from incident discovery to investigation / risk assessment and potential notification. Pacific University has established a comprehensive HIPAA privacy and security program to prevent unauthorized access to protected health information (PHI). This policy sets forth Pacific's approach to investigating and responding to incidents that may involve unauthorized use or disclosure of PHI. 

It is the policy of Pacific University to be prepared for, to prevent and to respond to information security incidents. Once a security incident is suspected and reported to the privacy officer, he/she will analyze the available information in order to determine if the security incident constitutes a data breach as defined by the HIPAA Omnibus Rule. If it is determined that a breach has occurred, procedures to mitigate the harmful effects of the incidents including containing and eradicating the incident, will be put into place. Security incidents and their outcomes will be documented and stored electronically in a secure location.

PUNet ID Required to review
Updated March 2023

The purpose of this Policy is to set forth Pacific University’s process for applying sanctions for violations of Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security policies. Pacific University has established a comprehensive HIPAA privacy and security program to prevent unauthorized access to protected health information (PHI). This policy sets forth Pacific's approach to applying consistent sanctions upon completion of investigations. 

This policy applies to the workforce members of Pacific University’s Healthcare Clinics. Pacific University is a hybrid entity. Only the health care component (i.e., the covered functions) of Pacific University must comply with this policy. All references in this policy to “Pacific University” shall be construed to refer only to the health care components of Pacific University.

PUNet ID required to review.
Updated March 2023

Pacific University Sanctions MATRIX

Information security related incidents impact Pacific University's (Pacific) security goals and may also harm its ability to conduct business. These incidents may be malicious in nature or accidental. Pacific has selected and implemented a set of safeguards, which are based on the result of risk assessments and information security standards. In the event of a security related incident, this policy addresses the methods for identifying, responding to and, when possible, preventing security incidents. The Incident Response Team includes the Information Security Officer, the Privacy Officer, the Director of Legal Affairs and may include other department directors as needed.

PUNID required to review this policy.