Adams School of Dentistry: University-Owned Device Policy

Summary

The UNC Adams School of Dentistry has a legal and ethical responsibility to safeguard patient information. This responsibility includes ensuring that devices storing Protected Health Information ("PHI") or other Sensitive Information are properly encrypted and are serviced by an appropriate vendor. The purpose of this Policy is to ensure that all Computing Devices used by employees will meet institutional security requirements.

Body

Unit Policy

Title

Adams School of Dentistry: University-Owned Device Policy

I. Introduction

A. Purpose

The UNC Adams School of Dentistry has a legal and ethical responsibility to safeguard patient information. This responsibility includes ensuring that devices storing Protected Health Information ("PHI") or other Sensitive Information are properly encrypted and are serviced by an appropriate vendor. The purpose of this Policy is to ensure that all Computing Devices used by employees will meet institutional security requirements.

B. Scope

This Policy applies to all Adams School of Dentistry employees. Students, including residents, are subject to the School's Choose Your Own Device Policy.

II. Definitions

  1. Adams School of Dentistry Business - any task or activity relating to an individual's enrollment, employment, or affiliation with the Adams School of Dentistry. This includes but it is not limited to: accessing University systems (e.g., the electronic health record system, Sakai, UNC OneDrive, or Outlook), preparing case presentations, or research.
  2. Computing Device - any electronic equipment controlled by a central processing unit (CPU), including desktop and laptop computers, tablets, and smartphones.
  3. Encryption - the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a "key."
  4. Portable Storage Device - small hard drive used to store electronic information that can be connected to or read by a Computing Device. Examples include USB flash drives, external hard drives, or solid state disks.
  5. Sensitive Data website.

III. Policy

A. Policy Statement

In order to adequately safeguard Sensitive Information, all Computing Devices used by employees for Adams School of Dentistry business must be owned by the University. Employees are not permitted to use personally-owned Computing Devices for Adams School of Dentistry business.

  1. All Computing Devices purchased using University funds shall be purchased through the Carolina Computer Initiative (CCI) contract where possible. If a specialized device purchase is required, contact ASOD IT to determine the appropriate steps (see Adams School of Dentistry Vendor Relations Policy, Section III-C: "Accepting Technology from Vendors").
  2. All Computing Devices are subject to security requirements established by the University and by ASOD IT, including encryption and other controls. For more information about these controls, reference the University's Information Security Controls Standard.
  3. Employees are not permitted to have their Computing Devices serviced by any party other than ASOD IT or the University's Computer Repair Center (e.g., the Apple Store, Geek Squad, or a "tech-savvy" friend or family member). This will ensure that no unauthorized individuals are given access to PHI or other Sensitive Information.
  4. Loss or theft of a Computing Device must be reported immediately to the University's Information Security Office ("ISO") in accordance with the University's Information Security Incident Management Standard.
  5. If an employee is expected to work remotely, then the employee must be issued a University-owned Computing Device or use VPN as provided below.
  6. Former students and residents who subsequently become employees are subject to this Policy and are no longer permitted to use their personally-owned Computing Device under the School's Choose Your Own Device Policy.

B. Exceptions

1. Smartphones

Employees are permitted to use smartphones for Adams School of Dentistry business consistent with the School's Policy on Personally-Owned Smartphones.

2. Portable Storage Devices

The use of Portable Storage Devices for Adams School of Dentistry business is regulated by the University's Information Security Controls Standard. Please note that the use of Portable Storage Devices is strongly discouraged - instead, personnel are encouraged to use UNC OneDrive for storage needs.

3.Remote Desktop Connection

Employees are permitted to use personally-owned Computing Devices for Adams School of Dentistry business if they are remotely controlling a University-owned Computing Device via VPN. For more information, visit the UNC ITS Help Page for "VPN Installation - Windows."

4. Other Situations

The Assistant Dean for IT, in consultation with the University ISO, may grant other exceptions to this Policy on a case-by-case basis. All exceptions to this Policy must be properly documented.

IV. Related Requirements

A. External Regulations and Consequences

  1. 45 CFR Parts 160, 162 & 164 - Administrative Data Standards and Related Requirements
  2. N.C.G.S. §130A-12 - Confidentiality of Records
  3. UNC-Chapel Hill Information Security Policy
  4. UNC-Chapel Hill Information Classification Standard
  5. UNC-Chapel Hill Information Security Controls Standard
  6. UNC-Chapel Hill Information Security Incident Management Standard
  7. UNC-Chapel Hill Transmission of Sensitive Information Standard
  8. UNC-Chapel Hill Acceptable Use Policy
  9. UNC-Chapel Hill Finance Policy 104 - Policy on Misuse of University Property or Funds
  10. UNC-Chapel Hill Policy on Privacy of Electronic Information

B. Unit Policies, Standards, and Procedures

  1. Adams School of Dentistry: Policy on Personally-Owned Smartphones
  2. Adams School of Dentistry: Choose Your Own Device Policy
  3. Adams School of Dentistry: Policy on Photography of Patients
  4. Adams School of Dentistry: Policy on the Use of Social Media

V. Contact Information

Name: Doug Edmunds
Email: edmunds@unc.edu

Details

Details

Article ID: 131318
Created
Thu 4/8/21 9:06 PM
Modified
Thu 4/4/24 8:47 AM
Responsible Unit
School, Department, or other organizational unit issuing this document.
Adams School of Dentistry
Issuing Officer
Name of the document Issuing Officer. This is the individual whose organizational authority covers the policy scope and who is primarily responsible for the policy.
Issuing Officer Title
Title of the person who is primarily responsible for issuing this policy.
Assistant Dean for IT
Policy Contact
Person who handles document management. Best person to contact for information about this policy. In many cases this is not the Issuing Officer. It may be the Policy Liaison, or another staff member.
Next Review
Date on which the next document review is due.
04/03/2025 12:00 AM
Last Review
Date on which the most recent document review was completed.
04/03/2024 12:00 AM
Last Revised
Date on which the most recent changes to this document were approved.
07/22/2020 12:39 PM
Effective Date
If the date on which this document became/becomes enforceable differs from the Origination or Last Revision, this attribute reflects the date on which it is/was enforcable.
07/22/2020 12:39 PM
Origination
Date on which the original version of this document was first made official.
07/23/2015 11:00 PM

Related Articles

Related Articles (1)

The UNC-Chapel Hill Adams School of Dentistry has a legal and ethical responsibility to safeguard patient information. This responsibility includes ensuring that devices storing Protected Health Information ("PHI") or other Sensitive Information are properly encrypted and are serviced by an appropriate vendor. The purpose of this Policy is to ensure that all Computing Devices used by students will meet institutional security requirements.