Adams School of Dentistry: Choose Your Own Device Policy

Title

Adams School of Dentistry: Choose Your Own Device Policy

I. Introduction

A. Purpose

The UNC Adams School of Dentistry has a legal and ethical responsibility to safeguard patient information. This responsibility includes ensuring that devices storing Protected Health Information ("PHI") or other Sensitive Information are properly encrypted and are serviced by an appropriate vendor. The purpose of this Policy is to ensure that all Computing Devices used by students will meet institutional security requirements.

B. Scope of Applicability

This policy applies to all predoctoral dental students, dental hygiene students, and advanced dental education ("ADE") residents. Faculty and staff are subject to the School's University Owned Device Policy.

II. Definitions

  1. Adams School of Dentistry Business - any task or activity relating to an individual's enrollment, employment, or affiliation with the Adams School of Dentistry. This includes but it is not limited to: accessing University systems (e.g., the electronic health record system, Sakai, UNC OneDrive, or Outlook), preparing case presentations, or research.
  2. Computing Device - any electronic equipment controlled by a central processing unit (CPU), including desktop and laptop computers, tablets, and smartphones.
  3. Encryption - the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a "key."
  4. Portable Storage Device - small hard drive used to store electronic information that can be connected to or read by a Computing Device. Examples include USB flash drives, external hard drives, or solid state disks.
  5. Sensitive Information - information that must be protected against unwarranted disclosure under applicable laws and/or University policies. For more details on what is considered Sensitive Information, visit the UNC ITS Sensitive Data website.
  6. Student - any individual enrolled in an Adams School of Dentistry educational program, including the DDS, Dental Hygiene, ADE/Resident programs.

III. Policy

Students and Residents are permitted to use personally-owned Computing Devices for Adams School of Dentistry business only if PHI and other Sensitive Information can be adequately safeguarded. In order to ensure that Sensitive Information is adequately protected, the following requirements must be observed:

A. General Requirements

  1. In order to ensure that Computing Devices can be properly encrypted and supported, students will be able to choose from among a number of device models identified by ASOD Information Systems (formerly known as the Office of Computing and Information Systems) as compatible for Adams School of Dentistry business. For the current approved laptop models refer to the Carolina Computing Initiative ("CCI") website.
  2. Computing Devices are subject to security requirements established by the University and ASOD Information Systems, including encryption and other controls. Students are required to present their Computing Devices to ASOD Information Systems prior to use for Adams School of Dentistry business so that these controls may be properly deployed and documented. For more information about these controls, reference the University's Information Security Controls Standard.
  3. Students are not permitted to have their Computing Devices serviced by any party other than ASOD Information Systems or the University's Computer Repair Center (e.g., the Apple Store, Geek Squad, or a "tech-savvy" friend or family member). This will ensure that no unauthorized individuals are given access to PHI or other Sensitive Information.
  4. Loss or theft of a Computing Device must be reported immediately to the University's Information Security Office ("ISO") in accordance with the University's Incident Management Policy.
  5. Computing Devices must be sanitized by University IT prior graduation or separation from the School. Computing Devices must also be sanitized prior to any sale or transfer in ownership.

B. Laptop Purchasing Requirement

1. Predoctoral DDS Students

Students enrolled in the DDS program are required to purchase a laptop from CCI.

  1. Not only will this facilitate compliance with the General Requirements set forth above, but it will also ensure that students' have Computing Devices that are adequately protected under warranty for the duration of their time in the four-year program.
  2. Although this will result in greater up-front cost to the student, the likelihood that a student's Computing Device will need major repairs or replacement at some point during this program is high.
  3. This purchasing requirement is intended to eliminate the possibility that a student will end up without a computer (e.g., in the event loss or theft) or facing costly out-of-pocket expenses once the manufacturer warranty has expired.

2. Dental Hygiene Students & ADE Residents

For dental hygiene students and ADE residents, the corresponding the student's Program Director will determine whether the requirement to purchase a laptop through CCI shall apply, in consultation with the Assistant Dean for ASOD Information Systems.

  1. In making this determination, Program Directors should consider the following factors:
    1. What is the duration of the program?
    2. How heavily will your students use or rely on laptops?
    3. Will your students be expected to use laptops in a location other than the School or at home? Working in other locations may increase the likelihood of loss or theft.
  2. Program Directors must inform the Assistant Dean for ASOD Information Systems about their determination in writing prior to each academic year. Program Directors should allow enough lead time for their students to purchase laptops in accordance with the applicable rules underlying their respective determinations.
  3. In consultation with the Assistant Dean for ASOD Information Systems, Program Directors who "opt-out" of the CCI laptop purchasing requirement are responsible for explaining the downstream risks to their students of purchasing a laptop from a vendor other than CCI (e.g., financial risk to the student that a costly repair or replacement may be needed).
  4. Dental hygiene student and resident programs that allows them to "opt-out" of the CCI laptop purchasing requirement and choose to exercise that option by using a laptop acquired outside of CCI are still subject to all General Requirements in Section III-A.

IV. Exceptions

A. Smartphones

The use of smartphones for Adams School of Dentistry business is regulated by the School's Policy on Personally-Owned Smartphones.

B. Portable Storage Devices

The use of Portable Storage Devices for Adams School of Dentistry business is regulated by the University's Information Security Controls Standard. Please note that the use of Portable Storage Devices is strongly discouraged - instead, personnel are encouraged to use UNC OneDrive for storage needs.

C. All Other Computing Devices

Program Directors may request an exemption from this Policy on behalf of their students in the following scenarios:

1. No PHI Accessed in Connection with the Program

Program Directors may request an exemption from this Policy on behalf of any student enrolled in their Program who will not access PHI in connection with their assignments. The Assistant Dean for ASOD Information Systems may grant an exemption from this Policy if the following conditions are met:

  1. The Assistant Dean for ASOD Information Systems determines that there is no reasonable basis to believe that the student(s) of the requesting program will access PHI;
  2. The Program Director for the requesting program signs an attestation that no PHI is accessed by the student(s) in connection with the program; and
  3. The student must signs an attestation acknowledging that no PHI is to be stored on the Computing Device.

2. VPN Only

Program Directors may request an exemption from this Policy on behalf of any student enrolled in their Program who will use a personally-owned Computing Device only to remotely access another, approved Computing Device (e.g., University-owned desktop) through VPN. The Assistant Dean for ASOD Information Systems may grant an exemption from this Policy if the following conditions are met:

  1. There are no curricular or Program requirements that may necessitate storing PHI on a student's personally-owned Computing Device (e.g., case presentations, patient photos, or research materials); and
  2. The student signs an attestation acknowledging that no PHI is to be stored on the Computing Device.

Notwithstanding a Program Director's exemption request, any student may voluntarily "opt-in" to this Policy at any time by presenting a Computing Device that is among the approved device list to OCIS to install the appropriate security controls. If a student chooses to "opt-in", then he or she will be subject to all General Requirements in Section III-A.

V. Compliance

Students who fail to comply with this Policy are subject to disciplinary action, up to and including dismissal from the Program.

VI. Related Requirements

A. External Regulations and Consequences

  1. 45 CFR Parts 160, 162 & 164
  2. N.C.G.S. §130A-12 - Confidentiality of Records
  3. UNC-CH Information Security Policy
  4. UNC-CH Information Classification Standard
  5. UNC-CH Information Security Controls Standard
  6. UNC-CH Incident Management Policy
  7. UNC-CH Policy on the Transmission of Protected Health Information and Sensitive Information over External Networks or an Unsecure Medium
  8. UNC-CH Acceptable Use Policy
  9. UNC-CH Policy on Privacy of Electronic Information

B. Unit Policies, Standards, and Procedures

  1. Adams School of Dentistry: Policy on Personally-Owned Smartphones
  2. Adams School of Dentistry: University-Owned Device Policy
  3. Adams School of Dentistry: Policy on Photography of Patients
  4. Adams School of Dentistry: Policy on the Use of Social Media

VII. Contact Information

Contact Information
Topic Title Contact
Questions about this Policy Assistant Dean for ASOD Information Systems david_rankin@unc.edu

Details

Article ID: 131266
Created
Thu 4/8/21 9:05 PM
Modified
Fri 5/6/22 12:17 PM
Effective Date
If the date on which this document became/becomes enforceable differs from the Origination or Last Revision, this attribute reflects the date on which it is/was enforcable.
03/02/2022 9:04 AM
Issuing Officer
Name of the document Issuing Officer. This is the individual whose organizational authority covers the policy scope and who is primarily responsible for the policy.
Issuing Officer Title
Title of the person who is primarily responsible for issuing this policy.
Assistant Dean, ASOD Information Systems
Last Review
Date on which the most recent document review was completed.
03/02/2022 9:04 AM
Last Revised
Date on which the most recent changes to this document were approved.
03/02/2022 9:04 AM
Next Review
Date on which the next document review is due.
03/01/2023 9:05 AM
Origination
Date on which the original version of this document was first made official.
02/25/2016 12:00 AM
Responsible Unit
School, Department, or other organizational unit issuing this document.
Clinical Compliance