Adams School of Dentistry: Choose Your Own Device Policy

Unit Policy

Title

Adams School of Dentistry: Choose Your Own Device Policy

I. Introduction

A. Purpose

The University of North Carolina at Chapel Hill ("UNC-Chapel Hill" or "University") Adams School of Dentistry (ASOD) has a legal and ethical responsibility to safeguard patient information. This responsibility includes ensuring that devices storing Protected Health Information ("PHI") or other Sensitive Information are properly encrypted and are serviced by an appropriate vendor. The purpose of this Policy is to ensure that all Computing Devices used by students will meet institutional security requirements.

B. Scope

This policy applies to all predoctoral dental students, dental hygiene students, and advanced dental education ("ADE") residents. Faculty and staff are subject to the ASOD's University Owned Device Policy.

II. Definitions

  1. Adams School of Dentistry Business - any task or activity relating to an individual's enrollment, employment, or affiliation with the ASOD. This includes but it is not limited to: accessing University systems (e.g., the electronic health record system, Sakai, UNC-Chapel HIll OneDrive, or Outlook), preparing case presentations, or research.
  2. Computing Device - any electronic equipment controlled by a central processing unit (CPU), including desktop and laptop computers, tablets, and smartphones.
  3. Encryption - the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a "key."
  4. Portable Storage Device - small hard drive used to store electronic information that can be connected to or read by a Computing Device. Examples include USB flash drives, external hard drives, or solid state disks.
  5. Sensitive Information - information that must be protected against unwarranted disclosure under applicable laws and/or University policies. For more details on what is considered Sensitive Information, visit the UNC-Chapel Hill ITS Sensitive Data website.
  6. Student - any individual enrolled in an ASOD educational program, including the DDS, Dental Hygiene, and ADE/Resident programs.

III. Policy

Students and Residents are permitted to use personally-owned Computing Devices for ASOD business only if PHI and other Sensitive Information can be adequately safeguarded. In order to ensure that Sensitive Information is adequately protected, the following requirements must be observed:

A. General Requirements

  1. In order to ensure that Computing Devices can be properly encrypted and supported, students will be able to choose from among a number of device models identified by ASOD IT (formerly known as the Office of Computing and Information Systems) as compatible for Adams School of Dentistry Business. For the current approved laptop models refer to the Carolina Computing Initiative ("CCI") website.
  2. Computing Devices are subject to security requirements established by the University and ASOD IT, including encryption and other controls. Students are required to present their Computing Devices to ASOD IT prior to use for Adams School of Dentistry Business so that these controls may be properly deployed and documented. For more information about these controls, reference the University's Information Security Controls Standard.
  3. Students are not permitted to have their Computing Devices serviced by any party other than ASOD IT or the University's Computer Repair Center (e.g., the Apple Store, Geek Squad, or a "tech-savvy" friend or family member). This will ensure that no unauthorized individuals are given access to PHI or other Sensitive Information.
  4. Loss or theft of a Computing Device must be reported immediately to the University's Information Security Office ("ISO") in accordance with the University's Information Security Incident Management Standard.
  5. Computing Devices must be sanitized by University IT prior graduation or separation from the ASOD. Computing Devices must also be sanitized prior to any sale or transfer in ownership.

B. Laptop Purchasing Requirement

1. Predoctoral DDS Students and Dental Hygiene Students

Students enrolled in the DDS and DH program are required to purchase a laptop from CCI.

  1. Not only will this facilitate compliance with the General Requirements set forth above, but it will also ensure that students' have Computing Devices that are adequately protected under warranty for the duration of their time in the four-year program.
  2. Although this will result in greater up-front cost to the student, the likelihood that a student's Computing Device will need major repairs or replacement at some point during this program is high.
  3. This purchasing requirement is intended to eliminate the possibility that a student will end up without a computer (e.g., in the event loss or theft) or facing costly out-of-pocket expenses once the manufacturer warranty has expired.

2.  ADE Residents

For ADE (i.e., graduate) residents, the student's corresponding Program Director will determine whether the requirement to purchase a laptop through CCI will apply, in consultation with the Assistant Dean for IT.

  1. In making this determination, Program Directors should consider the following factors:
    1. What is the duration of the program?
    2. How heavily will your students use or rely on laptops?
    3. Will your students be expected to use laptops in a location other than the ASOD or at home? Working in other locations may increase the likelihood of loss or theft.
  2. Program Directors must inform the Assistant Dean for IT about their determination in writing prior to each academic year. Program Directors should allow enough lead time for their students to purchase laptops in accordance with the applicable rules underlying their respective determinations.
  3. In consultation with the Assistant Dean for IT, Program Directors who "opt-out" of the CCI laptop purchasing requirement are responsible for explaining the downstream risks to their students of purchasing a laptop from a vendor other than CCI (e.g., financial risk to the student that a costly repair or replacement may be needed).
  4. Students enrolled in resident programs that allow them to "opt-out" of the CCI laptop purchasing requirement and choose to exercise that option by using a laptop acquired outside of CCI are still subject to all General Requirements in Section III-A.

IV. Exceptions

A. Smartphones

The use of smartphones for Adams School of Dentistry Business is regulated by the ASOD's Policy on Personally-Owned Smartphones.

B. Portable Storage Devices

The use of Portable Storage Devices for Adams School of Dentistry Business is regulated by the University's Information Security Controls Standard. Please note that the use of Portable Storage Devices is strongly discouraged - instead, personnel are encouraged to use the UNC-Chapel Hill OneDrive for storage needs.

C. All Other Computing Devices

Program Directors may request an exemption from this Policy on behalf of their students in the following scenarios:

1. No PHI Accessed in Connection with the Program

Program Directors may request an exemption from this Policy on behalf of any student enrolled in their Program who will not access PHI in connection with their assignments. The Assistant Dean for IT may grant an exemption from this Policy if the following conditions are met:

  1. The Assistant Dean for IT determines that there is no reasonable basis to believe that the student(s) of the requesting program will access PHI;
  2. The Program Director for the requesting program signs an attestation that no PHI is accessed by the student(s) in connection with the program; and
  3. The student must signs an attestation acknowledging that no PHI is to be stored on the Computing Device.

2. VPN Only

Program Directors may request an exemption from this Policy on behalf of any student enrolled in their Program who will use a personally-owned Computing Device only to remotely access another, approved Computing Device (e.g., University-owned desktop) through VPN. The Assistant Dean for IT may grant an exemption from this Policy if the following conditions are met:

  1. There are no curricular or Program requirements that may necessitate storing PHI on a student's personally-owned Computing Device (e.g., case presentations, patient photos, or research materials); and
  2. The student signs an attestation acknowledging that no PHI is to be stored on the Computing Device.

Notwithstanding a Program Director's exemption request, any student may voluntarily "opt-in" to this Policy at any time by presenting a Computing Device that is among the approved device list to OCIS to install the appropriate security controls. If a student chooses to "opt-in", then the student will be subject to all General Requirements in Section III-A.

V. Compliance

Students who fail to comply with this Policy are subject to disciplinary action, up to and including dismissal from the Program.

VI. Related Requirements

A. External Regulations and Consequences

  1. 45 CFR Parts 160, 162 & 164 - Administrative Data Standards and Related Requirements
  2. North Carolina General Statutes §130A-12 - Confidentiality of Records
  3. UNC-Chapel Hill Information Security Policy
  4. UNC-Chapel Hill Information Classification Standard
  5. UNC-Chapel Hill Information Security Controls Standard
  6. UNC-Chapel Hill Information Security Incident Management Standard
  7. UNC-Chapel Hill Transmission of Sensitive Information Standard
  8. UNC-Chapel Hill Acceptable Use Policy
  9. UNC-Chapel Hill Policy on Privacy of Electronic Information

B. Unit Policies, Standards, and Procedures

  1. Adams School of Dentistry: Policy on Personally-Owned Smartphones
  2. Adams School of Dentistry: University-Owned Device Policy
  3. Adams School of Dentistry: Policy on Photography of Patients
  4. Adams School of Dentistry: Policy on the Use of Social Media

VII. Contact Information

Name: Doug Edmunds
Email: edmunds@unc.edu

Print Article

Related Articles (11)

The purpose of this Policy is to clarify who is allowed to access or release information stored in Individual User Accounts, why the University needs access to Individual User Accounts, and what safeguards are in place to prevent abuse.
The UNC Adams School of Dentistry has a legal and ethical responsibility to safeguard patient information. This responsibility includes ensuring that devices storing Protected Health Information ("PHI") or other Sensitive Information ("SI") are properly encrypted and are serviced by an appropriate vendor. The purpose of this Policy is to ensure that all Smartphones used by personnel will meet institutional security requirements.
The purpose of this Policy is to establish reasonable measures to regulate the creation, use, and disclosure of patient images at the UNC Adams School of Dentistry. This Policy applies to all UNC Adams School of Dentistry personnel who create or otherwise have access to patient images.
The University of North Carolina at Chapel Hill (UNC) Adams School of Dentistry supports the use of social media platforms as a method of communication with family, friends, colleagues, school alumni and friends.
The UNC Adams School of Dentistry has a legal and ethical responsibility to safeguard patient information. This responsibility includes ensuring that devices storing Protected Health Information ("PHI") or other Sensitive Information are properly encrypted and are serviced by an appropriate vendor. The purpose of this Policy is to ensure that all Computing Devices used by employees will meet institutional security requirements.
The Information Classification Standard gives a structure for the University's information. This structure helps us recognize the types of University Information we handle. It makes it easier to keep the information safe. This Standard considers the University's academic culture, which values sharing information. Classifying information the right way gives everyone at the University, at every level, a structure that supports their University activities.
This Standard defines the minimum security standards “MSS” for Information Technology systems in use at UNC-Chapel Hill including personal and University-owned devices and third-party systems. Units within the University may apply stricter controls to protect information and technology in their areas of responsibility. The standard applies to each person in the University community and their devices. Please see the “Exceptions” section for phased implementation options through 2027.
To describe minimum requirements for members of the University of North Carolina at Chapel Hill ("University" or "UNC-Chapel Hill") experiencing a concern that might indicate a Possible Information Security Incident. To specify Information Security Incident authority and role requirements for Information Security Incident Handlers and Information Security Liaisons.
This policy defines a framework for the Information Security Program. It gives direction for policies, standards, and procedures that relate to security. These documents tell us how to include information security in all the ways we work at the University of North Carolina at Chapel Hill.
All members of the University community who engage with any University information technology (including wireless or other networks) must adhere to this Acceptable Use Policy.
Protected Health Information (PHI) and Sensitive Information (SI) that is transmitted or received on behalf of the University of North Carolina at Chapel Hill by any Constituent must be encrypted in accordance with this Standard, which details required minimum encryption standards for University Tier 2 and Tier 3 information. Particular transmissions may require a heightened encryption requirement or consideration of additional legal or policy requirements.