Adams School of Dentistry: University-Owned Device Policy

Unit Policy

Title

Adams School of Dentistry: University-Owned Device Policy

I. Introduction

A. Purpose

The UNC Adams School of Dentistry has a legal and ethical responsibility to safeguard patient information. This responsibility includes ensuring that devices storing Protected Health Information ("PHI") or other Sensitive Information are properly encrypted and are serviced by an appropriate vendor. The purpose of this Policy is to ensure that all Computing Devices used by employees will meet institutional security requirements.

B. Scope

This Policy applies to all Adams School of Dentistry employees. Students, including residents, are subject to the School's Choose Your Own Device Policy.

II. Definitions

1. Adams School of Dentistry Business - any task or activity relating to an individual's enrollment, employment, or affiliation with the Adams School of Dentistry. This includes but it is not limited to: accessing University systems (e.g., the electronic health record system, Sakai, UNC OneDrive, or Outlook), preparing case presentations, or research.
2. Computing Device - any electronic equipment controlled by a central processing unit (CPU), including desktop and laptop computers, tablets, and smartphones.
3. Encryption - the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a "key."
4. Portable Storage Device - small hard drive used to store electronic information that can be connected to or read by a Computing Device. Examples include USB flash drives, external hard drives, or solid state disks.
5. Sensitive Data website.

III. Policy

A. Policy Statement

In order to adequately safeguard Sensitive Information, all Computing Devices used by employees for Adams School of Dentistry business must be owned by the University. Employees are not permitted to use personally-owned Computing Devices for Adams School of Dentistry business.

1. All Computing Devices purchased using University funds shall be purchased through the Carolina Computer Initiative (CCI) contract where possible. If a specialized device purchase is required, contact ASOD IT to determine the appropriate steps (see Adams School of Dentistry Vendor Relations Policy, Section III-C: "Accepting Technology from Vendors").
2. All Computing Devices are subject to security requirements established by the University and by ASOD IT, including encryption and other controls. For more information about these controls, reference the University's Information Security Controls Standard.
3. Employees are not permitted to have their Computing Devices serviced by any party other than ASOD IT or the University's Computer Repair Center (e.g., the Apple Store, Geek Squad, or a "tech-savvy" friend or family member). This will ensure that no unauthorized individuals are given access to PHI or other Sensitive Information.
4. Loss or theft of a Computing Device must be reported immediately to the University's Information Security Office ("ISO") in accordance with the University's Information Security Incident Management Standard.
5. If an employee is expected to work remotely, then the employee must be issued a University-owned Computing Device or use VPN as provided below.
6. Former students and residents who subsequently become employees are subject to this Policy and are no longer permitted to use their personally-owned Computing Device under the School's Choose Your Own Device Policy.

B. Exceptions

1. Smartphones

Employees are permitted to use smartphones for Adams School of Dentistry business consistent with the School's Policy on Personally-Owned Smartphones.

2. Portable Storage Devices

The use of Portable Storage Devices for Adams School of Dentistry business is regulated by the University's Information Security Controls Standard. Please note that the use of Portable Storage Devices is strongly discouraged - instead, personnel are encouraged to use UNC OneDrive for storage needs.

3.Remote Desktop Connection

Employees are permitted to use personally-owned Computing Devices for Adams School of Dentistry business if they are remotely controlling a University-owned Computing Device via VPN. For more information, visit the UNC ITS Help Page for "VPN Installation - Windows."

4. Other Situations

The Assistant Dean for IT, in consultation with the University ISO, may grant other exceptions to this Policy on a case-by-case basis. All exceptions to this Policy must be properly documented.

IV. Related Requirements

A. External Regulations and Consequences

1. 45 CFR Parts 160, 162 & 164 - Administrative Data Standards and Related Requirements
2. N.C.G.S. §130A-12 - Confidentiality of Records
3. UNC-Chapel Hill Information Security Policy
4. UNC-Chapel Hill Information Classification Standard
5. UNC-Chapel Hill Information Security Controls Standard
6. UNC-Chapel Hill Information Security Incident Management Standard
7. UNC-Chapel Hill Transmission of Sensitive Information Standard
8. UNC-Chapel Hill Acceptable Use Policy
9. UNC-Chapel Hill Finance Policy 104 - Policy on Misuse of University Property or Funds
10. UNC-Chapel Hill Policy on Privacy of Electronic Information

B. Unit Policies, Standards, and Procedures

1. Adams School of Dentistry: Policy on Personally-Owned Smartphones
2. Adams School of Dentistry: Choose Your Own Device Policy
3. Adams School of Dentistry: Policy on Photography of Patients
4. Adams School of Dentistry: Policy on the Use of Social Media

V. Contact Information

Name: Doug Edmunds
Email: edmunds@unc.edu