Contact
School of Dentistry
Hours: 8 a.m. - 5 p.m.
Phone: 410-706-2084
Email: dshelp@umaryland.edu
Dental Technical Services
Hours: 6 a.m. - 4 p.m.
Phone: 410-706-7137
Email: dstechservices@umaryland.edu
Campus
Hours: 8 a.m. - 5 p.m.
Phone: 410-706-4357
Link: CITS
Policies, Forms and Documents
To contact the School of Dentistry OIT Help Desk:
- By email: sodhelp@umaryland.edu
- By phone: 410-706-2084
- In person (for students): Room 5251 (inside the Student Learning Center computer lab)
- In person (for faculty and staff): Room G426 (around the corner past the School Store)
University of Maryland School of Dentistry Social Media Policy
POLICY STATEMENT
It shall be the policy of University of Maryland School of Dentistry that all information regarding individually identifiable health information is maintained as confidential information. Patient care information is the property of the patient; University of Maryland School of Dentistry is the steward or caretaker of that information and owner of the medium of storage. It shall be the policy of University of Maryland School of Dentistry to support and adhere to the rights and responsibilities of patients as specified in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191.
POLICY PURPOSE
The purpose of this policy is to protect University of Maryland School of Dentistry patient privacy from inappropriate disclosure of protected health information regarding care of individual and collective patients. The University of Maryland School of Dentistry defines social media as online communication channels allowing and encouraging collaboration, interaction, and content sharing. These guidelines describe how University of Maryland School of Dentistry makes use of social media. This policy covers all existing and future social networking platforms. Because of the evolving nature of social media platforms, these guidelines do not attempt to name every current and emerging platform. This policy applies to all University of Maryland School of Dentistry personnel.
POLICY STANDARDS
- Every University of Maryland School of Dentistry member shall be responsible for respecting the privacy rights of our patients.
- It shall be the policy to prohibit posting of any content regarding individually identifiable health information, including patient images, on any social platform.
- It shall be the policy to ensure patient privacy is of utmost importance. As a guest posting content to University of Maryland School of Dentistry online sites (e.g., Facebook), you agree that you will not:
  - Violate any local, state, or federal laws and regulations regarding any content that you send or receive (e.g., patient photos)
  - Transmit any patient data by uploading, posting, or emailing that is unlawful, threatening, abusive, profane, defamatory, harassing, or is an invasion of another's privacy
  - Store patient confidential information
- University of Maryland School of Dentistry reserves the right to monitor, prohibit, delete, block or restrict access to any University of Maryland online platform.
- It shall be identified on the platform that you are speaking for yourself and not on behalf of University of Maryland School of Dentistry.
- It shall be the responsibility of all faculty, staff, and students to report any violations of this policy to Kent Buckingham, HIPAA Officer, at kbuckingham@umaryland.edu and/or Christine Livesay, Compliance Manager, at clivesay@umaryland.edu
DEFINITIONS
HIPAA Privacy Rule: The rule establishes national standards to protect personal health information. This rule applies to health care providers, health plans, and health care clearinghouses that conduct certain health care transactions electronically. The rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosure that may be made of such information without patient authorization. This also gives patients’ rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
Inappropriate Dissemination: Seeking access to and/or disclosing confidential information, regardless of intent, in verbal, written or electronic form:
- To individuals not involved in the care, treatment or clinical operations of the patient; or
- To individuals who have not been authorized by the patient to access the information.
Patient Information: All information, data and/or knowledge relating to the care of the University of Maryland School of Dentistry sites and Health Centers' patients, including but not limited to:
- The medical record, including data recorded on paper, on microfilm, or in a computer data base; or
- Pictorial, graphic, or multimedia representations (e.g. photographs, x-ray films, ECG tracings, videotape); or
- Tissue specimens obtained for histological examination; or
- Administrative data, such as the data included in the University of Maryland School of Dentistry clinic management system; or
- Business or Financial Records
- SOD Faculty/Staff Purchase Requests (Log in with your Dental Network username and password)
- SOD Faculty/Staff Poster Printing Requests (Log in with your Dental Network username and password)
- SOD Printer Service Requests (Log in with your Dental Network username and password)
Laptop Information
The School of Dentistry requires all incoming Doctor of Dental Surgery (DDS) students to have a laptop and high-speed internet to access educational materials. Examples of the software you will be required to run on your personal device include Blackboard, Mediasite, QuestionMark, Proctorio, WebEx, Zoom, Axium and MiPacs. You are responsible for keeping your computer up to date with current software updates and for ensuring that all functionality is working properly. Use of your laptop or any computing device on the campus network is governed by the University of Maryland, Baltimore (UMB) Information Technology Acceptable Use Policy. As a UMB student, it is your responsibility to read, understand and comply with this policy.
Contact the School of Dentistry Help Desk at 410-706-2084 or sodhelp@umaryland.edu for additional questions.
YOUR LAPTOP MUST MEET THE FOLLOWING SYSTEM MINIMUM SPECIFICATIONS:
| PC Laptop Specifications | Macintosh Laptop Specifications |
|---|---|
| Windows 10 | OSX 10.15 or higher |
| 2 GHz Processor | 1.3 GHz Processor |
| 8GB RAM | 4GB RAM |
| 128 GB Hard Drive | 128GB Hard Drive |
| Wireless Network Adapter that supports 802.11n | Wireless Network Adapter that supports 802.11n |
| Webcam, microphone and speakers | Webcam, microphone and speakers |
REQUIRED SOFTWARE:
- Microsoft Office 2016 or higher (Students are licensed for O365)
- Google Chrome Browser
- Antivirus software
- Both available at the HS/HSL Library at a discount to students
- Keep your system up-to-date (service packs, patches, updates, etc.)
- Mac users may need Boot Camp or Parallels and a copy of Microsoft Windows
The HS/HSL Library offers software discounts to students for Microsoft Windows, Microsoft Office.
Warranty: It is highly recommended that you also have a next-day, onsite repair warranty coverage for the duration of your studies. Standard warranties generally cover mail-to depot repairs, which may take some time before the unit is returned to the user. If accidental damage warranty is available, it is also very highly recommended.
Maintenance of your laptop: You are responsible for your laptop. The Office of Information Technology will work to assist you although we may not be able to fix any issues you may have. Technical support only covers applications that are required as part of your dental educational program such as:
- Configuration and connection to the campus Eduroam wireless
- Installation of the VPN for remote access
- Consultation (advice on best practices, discussion of computer problems, and possible remedies)
Setting up your Campus Office 365 Exchange Online Account on your Apple Device
These instructions apply to faculty and staff in the following schools/ departments who use the campus Office 365 Exchange Online email system:
- Dentistry
- Academic Affairs
- DHUO (President's Office)
- Law
- (AF) Admin & Finance
- HS/HSL
- Pharmacy
- CITS
- OEA
- Social Work
- Dental Museum
- ORD
Emails on the Microsoft Office 365 Exchange Online server can be read on mobile Apple devices such as an iPhone, iPad and iPod.
Configuring your Exchange Online Account
Note: Your device must have iOS 4 or later.
- Tap the Settings icon on the device
- Next, tap Mail, Contacts, Calendars.
- Tap Add Account then Microsoft Exchange.
- The Exchange setup screen will open; you'll then enter the following information:
- Email - Enter your entire email address (e.g., user@umaryland.edu), using all lowercase
- Username - Enter your username (e.g., user), using all lowercase
- Password - Enter in the password for your email
- Description - Enter a descriptive name for your account (e.g., My Work Account). This description will only be visible to you.
- Tap the Next button. The device will attempt to verify the account. If you receive an "Unable to Verify Certificate" message, tap the Accept button.
- The device will continue verifying the account. Once complete, tap the Server field, and enter outlook.office365.com
- Tap the Next button. The device will try to create a secure (SSL) connection to your Exchange server. When connected, you'll see check marks along your settings to confirm that your account has been verified.
- Tap the ON/OFF buttons to select which information to synchronize with the Exchange server. Tap the Save button when finished.
Note: Your Apple device may take a moment to sync all your information depending on how much you have on the Exchange server. To learn more about the mail settings on your device tap Settings from the home screen, then Mail, Contacts, & Calendars and then select your account. You'll be able to customize how much data you would like to sync from the server.
QUESTIONS?
If you require further assistance setting up your Campus Office 365 Exchange Online Account on your Apple Device, please contact the IT Help Desk at 410-706-HELP (8:00 a.m. - 5:00 p.m.) or send e-mail to help@umaryland.edu.
Zoom: Quick Start Guide to Meetings
What is Zoom?
Zoom is a cloud-based collaboration tool that allows for video/audio conferencing from anywhere using any device.
How do I access Zoom?
You can access Zoom via the web or using the Zoom Workplace app (if installed on your computer).
Access Zoom Online:
Navigate to the UMB web portal at https://umaryland.zoom.us/
Click Sign in and use your UMID and password (you may be required to authenticate with DUO) to log into Zoom.
Access Zoom via the Zoom Workplace App:
Open the Zoom Workplace app on your computer.
Sign in with your UMID and password (you may be required to authenticate with DUO monthly).
How do I set Zoom as my default meeting app in Outlook?
- In Outlook, go to the File menu at the top, then click Info.
- Click on Options towards the bottom of the left blue pane.
- Click on Calendar, then click on Meeting Providers.
- Click on Zoom, then click OK to save.
How do I schedule a Zoom meeting from Outlook?
Go to your Outlook calendar and click on New Meeting.
The first time you use this feature, you will be prompted to sign into Zoom using your email address and password. You will then be redirected to log in with your UMID and password, then authenticate via DUO.
You will then see the appointment automatically populated with a Zoom link, ID and passcode. You can edit the date and times of the meeting as desired.
Click on the Invite Attendees button to add attendees to the meeting (you can choose to make them either required or optional).
When you have finished adding attendees, click on Send and your attendees will receive the Zoom meeting invitation via email.
How do I schedule a Zoom meeting from the online portal?
- Sign into Zoom and click on Schedule in the upper right corner.
- Configure the settings for your meeting, including date, time, and duration.
- When you're done adding the details, click Save.
- Once your meeting is saved, you will see the details of your meeting and be able to invite attendees.
- Click on the Outlook Calendar (.ics) link to download the calendar file.
- Access the .ics file from your downloads via your Recent download history in the browser (or in your Downloads folder).
- Double click the .ics file. A security notice will pop up in Outlook; click on Yes to proceed to open the calendar event.
- The meeting will open in Outlook. Click on Invite Attendees and enter their email addresses in the B section, then click Send. Outlook will then automatically send them an email invite to the Zoom meeting.
How do I schedule a meeting using the Zoom Workplace app?
- Open the Zoom Workplace app and click Sign In.
- Click on the SSO icon and you will be redirected to sign in with your UMID and password. Log in as usual.
- Click on the Home tab at the top.
- First-time users will have to connect their Outlook calendar to Zoom. Click on Add a Calendar.
- A browser window will pop up. Click on Office 365, then Next. In the next window, click on Authorize.
- A permissions window will pop up; click on Accept.
- You will be directed back to the web portal version of Zoom. Go back to the Zoom Workplace app on your computer and you can see any upcoming meetings on the home page.
Where can I find more information or request further assistance?
CITS has information and videos that you can access here: https://www.umaryland.edu/cits/services/zoom/
If you need further assistance, please contact the SOD Help Desk: dshelp@umaryland.edu
Microsoft Teams: Quick Start Guide to Meetings
What is Microsoft Teams?
Microsoft Teams is a chat-based collaboration tool that provides global, remote, and dispersed teams with the ability to work together and share information via a common space. You can utilize exciting features like document collaboration, one-on-one chat, team chat, and more. It is naturally integrated with other Office applications and uses the Microsoft Office 365 global, secure cloud platform.
How do I access Teams?
Teams can be accessed via the Teams app installed on your computer, via the mobile app installed on your phone, or through the Office 365 Portal at https://portal.office.com.
How do I schedule a meeting from the Teams app?
Meetings can be easily scheduled from Teams or through Outlook. To schedule a meeting from Teams:
- Open Teams and click on the Calendar icon (left side navigation).
- Select New meeting.
- Fill in the details for your meeting:
  - Add attendees, including your external clients
  - Set a date and time
  - Add location if needed, or choose Online meeting
  - Add any other details you would like to include
  - When you're done, select Save.
- Your attendee(s) will receive an email invite that they will use to join the meeting. They must click on "Join the meeting now" to join the meeting. Attendees do not have to have an Office 365 account to join a meeting. If they are not signed into Office 365, they will be prompted to enter their name, and will then appear in the lobby for you to approve.
- When an attendee outside of UMB joins the meeting, they will be in a lobby, and must be approved before they can join. In your Teams meeting, click the green checkmark to admit them to your meeting.
How do I schedule a Teams meeting from Outlook?
Using Outlook, there are several ways to schedule a meeting. To schedule from your email tab:
- Click on New Items
- Click on Teams Meeting (Create a new Teams Meeting)
- Fill in the details for your meeting, including:
  - Title
  - Add attendees, including your external clients
  - Set a date and time
  - Add location if needed
  - Add any other details you would like to include
- When you're done, click Send and your attendee(s) will be sent an invite they can use to access the meeting.
How do I schedule a Teams meeting from the Outlook Calendar?
To schedule a meeting from your Outlook calendar:
- Click on Teams Meeting, then click Schedule Meeting
- Fill in the details for your meeting, including:
  - Title
  - Add attendees, including your external clients
  - Set a date and time
  - Add location if needed
  - Add any other details you would like to include
- When you're done, click Send and your attendee(s) will be sent an invite they can use to access the meeting.
Where can I find more information or request further assistance?
CITS has information and videos that you can access here: https://www.umaryland.edu/office365/teams/
If you need further assistance, please contact the SOD Help Desk: dshelp@umaryland.edu
General Troubleshooting/Help
- UMB Campus IT Help Desk (Help with Google Apps, SURFS, SIMS, UMID, Eduroam)
- Requesting access to currently blocked countries (Currently China and Russia)
HIPAA & Compliance Policies and Forms
Clinical Information Management System Security Access Policy
University of Maryland, School of Dentistry Clinical Information Management System User Security Access Policy
- POLICY STATEMENT
It shall be the policy of the University of Maryland, School of Dentistry that all information in the axiUm application, which houses all of our patients' and faculty's sensitive information, is regarded as confidential and is kept secure. Patient care information is the property of the patient, with the University of Maryland, School of Dentistry being the gatekeeper of that information and the owner of the medium of storage, our axiUm application. University of Maryland, School of Dentistry shall maintain management processes to ensure that access to axiUm is restricted to authorized users with the minimal access rights necessary to perform their roles and responsibilities. Account provisioning and monitoring shall be reviewed annually.
- POLICY PURPOSE
The purpose of this policy is to protect patients from inappropriate dissemination of identifiable information. This policy applies to all clinical staff, employees, vendors, volunteers, students and others who are members of the University of Maryland, School of Dentistry sites and Health Centers, and refers to all information resources, whether verbal, printed, or electronic, and whether individually controlled, shared, stand alone or networked. This policy also provides guidelines on employee access to patient data to ensure confidentiality and integrity of patient information.
- DEFINITIONS
Access: The ability of a data user or application process to read, write, modify, or communicate information or otherwise make use of an information asset.
Access Profile: A list of the applications and/or databases a user (or application process) is permitted to access and the access levels granted in each of those applications and/or databases.
Audit: A formal review and identification of access to an information asset by an individual, organization, or application process.
Authorization: Documented approval to access University of Maryland, School of Dentistry health information assets based on the user's need to know.
Authorization and Access Control (AAC) Process: The process in which Departmental Directors request access for members of their department based on those members' roles and their role-based need to know, and Data Managers ensure that the needed access to applications is made available.
Need to Know: The principle that states that a user should access only the specific information necessary to complete his or her assigned job functions. This principle is applied in two main contexts:
- Departmental Directors (or their Delegated Access Coordinators) apply this principle in determining the appropriate level of access to databases and/or applications needed by people in different roles in their department (see University of Maryland, School of Dentistry Policy, "Information Access: Responsibilities of Department Directors or Delegated Access Coordinators").
- Authorized Data Users apply the principle every time they decide whether to access a specific individual's record or not, even if they have been granted full access to the application in which the record resides.
Once access to a database and/or application has been authorized, the authorized data user is still obligated to assess the appropriateness of each specific access on a need to know basis.
- POLICY STANDARDS
- In order to ensure confidentiality, patient information collected and/or generated within the University of Maryland, School of Dentistry shall be maintained in such a manner that access to it is restricted to those with a need to know, and release of it is restricted to those with a legal right to know, as mandated by State and Federal laws. All patient information must be stored in the electronic patient record maintained by the University of Maryland School of Dentistry, e.g. axiUm clinical management, MiPACS and Dolphin Imaging.
- It shall be the responsibility of the department management to determine its members' user access profiles needed to complete their job functions. Viewing or obtaining information not needed for job completion constitutes unauthorized use of that information. It shall be the responsibility of the department management in conjunction with the HIPAA Officer and/or Security Officer to monitor and discipline members in all matters of information security. The Authorization and Access Control Process includes:
- Creating identifier profile accounts for each student, staff, faculty and Dean’s faculty, at the earliest possible point of contact between individual and SOD and upon completion of account application;
- Defining security access rights commensurate with user job responsibilities;
- Onboarding and offboarding forms to be completed by department management, to keep strict access to Patient Information, to assure that our patients' information is in proper hands during treatment, and to inhibit access after dismissal;
- Student user access profiles have an expiry date of June 30th of graduation year;
- Users must have limited access to axiUm records containing sensitive data based on scope of responsibility, a student or employee may not access private information if it is not relevant to individual’s function;
- Student status updates and changes to be updated with the Registrar, to revoke any access due to any withdrawal, leave of absence, or grade retention;
- User access to accounts in axiUm shall be set to automatically disable November 30th each year for non-compliant users;
- User shall be granted access after required compliance training and assessments completed and confidentiality pledge signed;
- The user access list shall be reviewed with department management at least annually to reflect the current access of each user role or any change in employment. This review shall be documented and retained by IT Administrators for audit verification purposes.
- In order to safeguard patient confidentiality and integrity, annual reviews of user access to information resources are restricted to only authorized users. Validations shall be done annually that every user of axiUm is indeed up to date on their Annual Compliance training, has passed the assessments and has signed our Confidentiality Pledge. Validation safeguards include:
- Annual audits shall be reported to ascertain incomplete required yearly compliance training;
- Annual Compliance assessments are completed by November 30th of each year;
- Reminder email notifications to all axiUm users to advise of ANNUAL Compliance training and assessment completion by Nov. 30 of each year;
- Enforcing compliance, notices shall be sent prior to November 1st to departmental management to encourage their axiUm user compliancy timing;
- User access revoked to non-compliant individuals December 1st of each year;
- The HIPAA Officer and/or Compliance Manager shall monitor access to confidential data and to user identifier accounts; upon completion of annual compliance training, users are granted access to axiUm until the following November 30th;
- Revoking user access to account, lock-outs, shall be implemented to non-compliant users;
- It shall be the responsibility of management staff in each department in conjunction with the HIPAA Officer and/or Security Officer to inform their employees of this policy, and to develop and maintain, if appropriate, data confidentiality policies specific to their department which are consistent with this policy. To assure knowledge of these policies, it shall be the responsibility of the department supervisors to assure that current policies are addressed at departmental staff meetings periodically. In addition, these policies shall be referred to and addressed in each orientation program and shall be included in any orientation "information packet" provided for new employees, trainees, volunteers, vendors, and clinical staff.
- To maintain access for clinical users, the following entries must be entered for each patient appointment prior to 11 p.m. that day:
- Progress note
- In process or completed treatment
- Medical history update
- Every clinical staff member, employee, trainee, student, vendor, and volunteer at the University of Maryland, School of Dentistry shall be responsible for maintaining confidentiality of all information entrusted to them. All personnel of the School of Dentistry are expected to exercise due care in any discussion or use of patient information. Limiting access in axiUm to ONLY persons providing patient services protects and guards against impermissible access and dissemination of confidential information.
Confidentiality of Patient Information Policy
Confidentiality of Patient Information Policy
I. POLICY STATEMENT
It shall be the policy of the University of Maryland, School of Dentistry that all information regarding care of the individual patient be maintained as confidential information. Patient care information is the property of the patient; University of Maryland, School of Dentistry is the steward or caretaker of that information and the owner of the medium of storage.
II. POLICY PURPOSE
The purpose of this policy is to protect the patient, the clinical team, and the University of Maryland, School of Dentistry from inappropriate dissemination of information regarding care of individual and collective patients. This policy applies to all clinical staff, employees, vendors, volunteers, students and others who are members of the University of Maryland, School of Dentistry sites and Health Centers, and refers to all information resources, whether verbal, printed, or electronic, and whether individually controlled, shared, stand alone or networked. Proper handling of external requests for patient information is addressed in the Privacy Policy. This policy also provides guidelines and examples on employee access to patient identifiable information to ensure confidentiality and integrity of patient information.
III. DEFINITIONS
Aggregate Data: A collection of patient care or clinical information which does not reveal the identity of individual patients.
Central Repository of Patient Information: A physical archive or storage area where one or more of the several components of patient information are permanently maintained.
E.g. Axium, Dolphin Imaging and Romexis.
Clinical Staff: Attending, courtesy, honorary, and visiting physicians, house officers and fellows, special purpose trainee staff members and nurses having practice privileges for the diagnosis and treatment of patients at the University of Maryland, School of Dentistry clinics.
Confidential Information: Any individually identifiable health information received, used or accessed by personnel of the School of Dentistry or its affiliated entities must be treated as protected and confidential.
Data Steward: Individual or department having access to patient information and having capability of providing for storage or transfer of patient information subject to this policy.
Due Care: That degree of care which other prudent, competent, persons providing patient services would exercise in similar circumstances.
Inappropriate Dissemination: Seeking access to and/or disclosing confidential information, regardless of intent, in verbal, written or electronic form:
- To individuals not involved in the care, treatment or clinical operations of that University of Maryland Dental School patient; or
- To individuals who are involved with or know the patient but have no need to know the information; or
- In a setting where that information could be overheard by individuals who have no need to know (e.g., in elevators, lobbies, waiting rooms, hallways, dining rooms, etc.); or
- In a setting where information can be read or transferred from an unattended computer monitor; or
- Through sharing another person's electronic
Need to Know: Necessary to fulfill the mission or charge of the University of Maryland, School of Dentistry and its clinical staff, employees, trainees, students, volunteers, or vendors to provide quality patient care, education and research.
Patient Information: All information, data and/or knowledge relating to the care of the University of Maryland, School of Dentistry sites and Health Centers' patients, including but not limited to:
- The medical record, including data recorded on paper, on microfilm, or in a computer data base; or
- Pictorial, graphic, or multimedia representations (e.g. photographs, x-ray films, ECG tracings, videotape); or
- Tissue specimens obtained for histological examination; or
- Administrative data, such as the data included in the University of Maryland School of Dentistry clinic management system; or
- Business or Financial Records
Personnel: Any faculty, staff, students, and visitors of the School of Dentistry.
Trainee: Any individual involved, directly or indirectly, in the provision of patient care, one aspect of which is to further that individual’s knowledge; includes house officers, dentistry students, nursing students, and other health care professions students. A trainee may or may not receive financial compensation from the University of Maryland, School of Dentistry.
Vendor: Any individual or organization that sells or otherwise provides a good or service to the University of Maryland, School of Dentistry.
Volunteer: Any individual providing a service to the University of Maryland, School of Dentistry, coordinated through the Director of Volunteers in each corporate area, who receives no financial compensation from the University of Maryland, School of Dentistry for that service.
IV. POLICY STANDARDS
- In order to ensure confidentiality, patient information collected and/or generated within the University of Maryland, School of Dentistry shall be maintained in such a manner that access to it is restricted to those with a need to know, and release of it is restricted to those with a legal right to know, as mandated by State and Federal laws. All patient information must be stored in the electronic patient record maintained by the University of Maryland School of Dentistry, e.g. Axium, Dolphin Imaging and MiPACS.
- It shall be the responsibility of management in each department to determine what information its members need access to in order to complete their job functions. Viewing or obtaining information not needed for job completion, regardless of the medium of storage, constitutes unauthorized use of that information. It shall be the responsibility of department management in conjunction with the HIPAA Officer and/or Security Officer to monitor and discipline members in all matters of information security.
- It shall be the responsibility of management staff in each department in conjunction with the HIPAA Officer and/or Security Officer to inform their employees of this policy, and to develop and maintain, if appropriate, data confidentiality policies specific to their department which are consistent with this policy. To assure knowledge of these policies, it shall be the responsibility of the department supervisors to assure that current policies are addressed at departmental staff meetings periodically. In addition, these policies shall be referred to and addressed in each orientation program and shall be included in any orientation "information packet" provided for new employees, trainees, volunteers, vendors, and clinical staff.
- It shall be the responsibility of respective data stewards in conjunction with the HIPAA Officer and/or Security Officer to maintain secure access to their electronic data and to provide such information in response to questions regarding potential breach of confidentiality. When feasible, audit trails shall be maintained of access to both aggregate and patient-identifiable electronic data.
- In order to help ensure that only those employees with a need to know patient identifiable information are granted access to such information, data stewards will, on an annual basis, review who has access to patient identifiable information in central repositories of patient information under their purview.
- Hard copy printouts and patient-identifiable electronic data will be stored in a secure area and maintained in a confidential manner as is currently required of paper medical
- Every clinical staff member, employee, trainee, student, vendor, and volunteer at the University of Maryland, School of Dentistry shall be responsible for maintaining confidentiality of all information entrusted to them. All personnel of the School of Dentistry are expected to exercise due care in any discussion or use of patient
- Every clinical staff member, faculty, trainee, student, vendor, and volunteer at the University of Maryland, School of Dentistry shall be responsible for taking annual HIPAA training and passing the HIPAA quiz in order to have access to clinical systems.
- The University of Maryland, School of Dentistry characterizes as unethical and unacceptable any activity through which an individual:
  - Voluntarily allows or participates in inappropriate dissemination of confidential patient information; or
  - Interferes with the intended use of the information resources; or
  - Without authorization, destroys, alters, dismantles, disfigures, prevents rightful access to or otherwise interferes with the integrity of patient information and/or information resources; or
  - Without authorization invades the privacy of individuals or entities that are creators, authors, users, or subjects of the information resources.
- Infractions of this confidentiality policy shall be subject to the disciplinary action of the University of Maryland, School of Dentistry, up to and including dismissal and/or loss of privileges. Invasion of another person's right to privacy can have legal consequences in addition to disciplinary action from the University of Maryland, School of Dentistry.
- Requests for access to patient identifiable data needed for research purposes must be accompanied by IRB approval.
- Communication regarding confidentiality policies and monitoring of these policies for clinical staff shall be channeled through the Clinical Affairs Office or the Office of Information Technology.
Credit Card Security Policies
PCI DSS 2.0
Version 1.0 - February 18, 2014
CONFIDENTIAL INFORMATION
This document is the property of ABC Corporation; it contains information that is proprietary, confidential, or otherwise restricted from disclosure. If you are not an authorized recipient, please return this document to the above-named owner. Dissemination, distribution, copying or use of this document in whole or in part by anyone other than the intended recipient is strictly prohibited without prior written permission of School of Dentistry, University of Maryland.
HIPAA & IT Security Officer, School of Dentistry - Kent Buckingham
Chief Information Security Officer - Frederick W. Smith
Introduction and Scope
Introduction
This document explains School of Dentistry, University of Maryland’s credit card security requirements as required by the Payment Card Industry Data Security Standard (PCI DSS) Program. School of Dentistry, University of Maryland management is committed to these security policies to protect information utilized by School of Dentistry, University of Maryland in attaining its business goals. All employees are required to adhere to the policies described within this document.
Scope of Compliance
The PCI requirements apply to all systems that store, process, or transmit cardholder data. Currently, School of Dentistry, University of Maryland’s cardholder environment consists only of imprint machines or standalone dial-out terminals. The environment does not include storage of cardholder data on any computer system.
Due to the limited nature of the in-scope environment, this document is intended to meet the PCI requirements as defined in Self-Assessment Questionnaire (SAQ) B, ver. 2.0, October 2010. Should School of Dentistry, University of Maryland implement additional acceptance channels; begin storing, processing, or transmitting cardholder data in electronic format; or otherwise become ineligible to validate compliance under SAQ B, it will be the responsibility of School of Dentistry, University of Maryland to determine the appropriate compliance criteria and implement additional policies and controls as needed.
Requirement 3: Protect Stored Cardholder Data
Prohibited Data
Processes must be in place to securely delete sensitive authentication data post-authorization so that the data is unrecoverable. (PCI Requirement 3.2)
Payment systems must adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
The full contents of any track data from the magnetic stripe (located on the back of a card, equivalent data contained on a chip, or elsewhere) are not stored under any circumstance. (PCI Requirement 3.2.1)
The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored under any circumstance. (PCI Requirement 3.2.2)
The personal identification number (PIN) or the encrypted PIN block are not stored under any circumstance. (PCI Requirement 3.2.3)
Displaying PAN
School of Dentistry, University of Maryland will mask the display of PANs (primary account numbers), and limit viewing of PANs to only those employees and other parties with a legitimate need. A properly masked number will show only the first six and the last four digits of the PAN. (PCI requirement 3.3)
Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
Transmission of Cardholder Data
Sending unencrypted PANs by end-user messaging technologies is prohibited. Examples of end-user technologies include email, instant messaging and chat. (PCI requirement 4.2)
Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
Limit Access to Cardholder Data
Access to School of Dentistry, University of Maryland’s cardholder system components and data is limited to only those individuals whose jobs require such access. (PCI Requirement 7.1)
Access limitations must include the following:
Access rights for privileged user IDs must be restricted to the least privileges necessary to perform job responsibilities. (PCI Requirement 7.1.1)
Privileges must be assigned to individuals based on job classification and function (also called “role-based access control”). (PCI Requirement 7.1.2)
Requirement 9: Restrict Physical Access to Cardholder Data
Physically Secure all Media Containing Cardholder Data
Hard copy materials containing confidential or sensitive information (e.g., paper receipts, paper reports, faxes, etc.) are subject to the following storage guidelines:
All media must be physically secured. (PCI requirement 9.6)
Strict control must be maintained over the internal or external distribution of any kind of media containing cardholder data. These controls shall include:
Media must be classified so the sensitivity of the data can be determined. (PCI Requirement 9.7.1)
Media must be sent by a secure carrier or other delivery method that can be accurately tracked. (PCI Requirement 9.7.2)
Logs must be maintained to track all media that is moved from a secured area, and management approval must be obtained prior to moving the media. (PCI Requirement 9.8)
Strict control must be maintained over the storage and accessibility of media containing cardholder data. (PCI Requirement 9.9)
Destruction of Data
All media containing cardholder data must be destroyed when no longer needed for business or legal reasons. (PCI requirement 9.10)
Hardcopy media must be destroyed by shredding, incineration or pulping so that cardholder data cannot be reconstructed. Containers storing information waiting to be destroyed must be secured to prevent access to the contents. (PCI requirement 9.10.1)
Requirement 12: Maintain a Policy that Addresses Information Security for Employees and Contractors
Security Policy
School of Dentistry, University of Maryland shall establish, publish, maintain, and disseminate a security policy that addresses how the company will protect cardholder data. (PCI Requirement 12.1)
This policy must be reviewed at least annually, and must be updated as needed to reflect changes to business objectives or the risk environment. (PCI requirement 12.1.3)
Critical Technologies
School of Dentistry, University of Maryland shall establish usage policies for critical technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), email, and internet usage). (PCI requirement 12.3)
These policies must include the following:
- Explicit approval by authorized parties to use the technologies (PCI Requirement 12.3.1)
- A list of all such devices and personnel with access (PCI Requirement 12.3.3)
- Acceptable uses of the technologies (PCI Requirement 12.3.5)
Security Responsibilities
School of Dentistry, University of Maryland’s policies and procedures must clearly define information security responsibilities for all personnel. (PCI Requirement 12.4)
Incident Response Policy
The IT Security Officer shall establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. (PCI requirement 12.5.3)
Incident Identification
Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of security incidents that an employee might recognize in their day-to-day activities include, but are not limited to:
- Theft, damage, or unauthorized access (e.g., papers missing from their desk, broken locks, missing log files, alert from a security guard, video evidence of a break-in or unscheduled/unauthorized physical entry)
- Fraud – Inaccurate information within databases, logs, files or paper records
Reporting an Incident
The IT Security Officer should be notified immediately of any suspected or real security incidents involving cardholder data:
Contact the IT Security Officer to report any suspected or actual incidents. The Internal Audit’s phone number should be well known to all employees and should page someone during non-business hours.
No one should communicate with anyone outside of their supervisor(s) or the IT Security Officer about any details or generalities surrounding any suspected or actual incident. All communications with law enforcement or the public will be coordinated by the IT Security Officer.
Document any information you know while waiting for the IT Security Officer to respond to the incident. If known, this must include date, time, and the nature of the incident. Any information you can provide will aid in responding in an appropriate manner.
Incident Response
Responses can include or proceed through the following stages: identification, severity classification, containment, eradication, recovery and root cause analysis resulting in improvement of security controls.
Contain, Eradicate, Recover and perform Root Cause Analysis
- Notify applicable card
Visa
Provide the compromised Visa accounts to the Visa Fraud Control Group within ten (10) business days. For assistance, contact 1-(650)-432-2978. Account numbers must be securely sent to Visa as instructed by the Visa Fraud Control Group. It is critical that all potentially compromised accounts are provided. Visa will distribute the compromised Visa account numbers to issuers and ensure the confidentiality of entity and non-public information. See Visa’s “What to do if compromised” documentation for additional activities that must be performed. That documentation can be found at http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_what_to_do_if_compromised.pdf
MasterCard
Contact your merchant bank for specific details on what to do following a compromise. Details on the merchant bank (a.k.a. the acquirer) can be found in the Merchant Manual at http://www.mastercard.com/us/wce/PDF/12999_MERC-Entire_Manual.pdf. Your merchant bank will assist when you call MasterCard at 1-(636)-722-4100.
Discover Card
Contact your relationship manager or call the support line at 1-(800)-347-3083 for further guidance.
- Alert all necessary Be sure to notify:
- Merchant bank
- Local FBI Office
- U.S. Secret Service (if Visa payment data is compromised)
- Local authorities (if appropriate)
- Perform an analysis of legal requirements for reporting compromises in every state where clients were affected. The following source of information must be used: http://www.ncsl.org/programs/lis/cip/priv/breach.htm
- Collect and protect information associated with the intrusion. In the event that forensic investigation is required the IT Security Officer will work with legal and management to identify appropriate forensic
- Eliminate the intruder's means of access and any related
- Research potential risks related to or damage caused by intrusion method
Root Cause Analysis and Lessons Learned
Not more than one week following the incident, members of the IT Security Officer and all affected parties will meet to review the results of any investigation to determine the root cause of the compromise and evaluate the effectiveness of the Incident Response Plan. Review other security controls to determine their appropriateness for the current risks. Any identified areas in which the plan, policy or security control can be made more effective or efficient must be updated accordingly.
Security Awareness
School of Dentistry, University of Maryland shall establish and maintain a formal security awareness program to make all personnel aware of the importance of cardholder data security. (PCI Requirement 12.6)
Service Providers
School of Dentistry, University of Maryland shall implement and maintain policies and procedures to manage service providers. (PCI requirement 12.8)
This process must include the following:
- Maintain a list of service providers (PCI requirement 12.8.1)
- Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of the cardholder data the service providers possess (PCI requirement 12.8.2)
- Implement a process to perform proper due diligence prior to engaging a service provider (PCI requirement 12.8.3)
- Monitor service providers’ PCI DSS compliance status (PCI requirement 12.8.4)
Health Record Amendment-Correction Policy
I. POLICY STATEMENT
It shall be the policy of the University of Maryland, School of Dentistry to capture, share, secure, maintain, and enhance the value of University of Maryland, School of Dentistry health information assets in all mediums through appropriate information management policies and actions that meet applicable Federal, State, regulatory, or contractual requirements and support the University of Maryland, School of Dentistry mission, vision, and values. Furthermore, it shall be the policy of University of Maryland, School of Dentistry to support and adhere to the rights and responsibilities of patients as specified in the State of Maryland Public Health and Mental Health Codes. It is the responsibility of the University of Maryland, School of Dentistry to ensure that these principles and policies are upheld. Patients have the right to request that information contained in their patient record be updated. If information in the custody of University of Maryland, School of Dentistry needs to be updated it will be done through a formal process which provides documentation to support the inclusion or denial of these requests.
II. POLICY PURPOSE
The purpose of this policy is to inform University of Maryland, School of Dentistry personnel of the procedures that must be followed when a patient requests that their Health Record be amended or corrected.
III. STANDARDS
- Patients have the right to request an amendment of their health
- Patients must complete the “Amendment-Correction of Health Record Request”
- Requests should be sent to the:
Assistant Dean of Clinical Affairs, Room 5209,
650 West Baltimore Street, Baltimore, MD 21201.
- A response is required within 60 days from the date the request was A one-time extension of 30 days may be granted under extenuating circumstances. The patient should be notified via the “Extension Notification” form.
- If the responsible faculty determines that the amendment is appropriate and the current information is incomplete or inaccurate without the patient’s requested amendment, the amendment should be made in the patient’s record.
- The “Notice of Approval of Amendment” form should be sent to the
- Standard medical record procedures should be followed when making an amendment to a patient’s record.
- Any future disclosures of the amended PHI must include the amended information or a link to the amended information.
- The responsible faculty may deny a patient’s request to amend his/her health
- Clinic Administration staff should send the “Notice of Denial Letter” to the patient, indicating the grounds for the denial.
- The patient may submit a statement of disagreement, limited to two
- The responsible faculty, in conjunction with Clinic Administration staff, may prepare a rebuttal statement, if necessary to clarify School of Dentistry’s A copy of the rebuttal must be provided to the patient.
- The following documents must be included in any future disclosures of the patient’s information:
  - Patient’s written amendment request;
  - School of Dentistry’s Notice of Denial;
  - Patient’s statement of disagreement (if any) and rebuttal statement (if any).
Information Management Policy
I. POLICY STATEMENT
It shall be the policy of the University of Maryland, School of Dentistry to capture, share, secure, maintain, and enhance the value of University of Maryland, School of Dentistry health information assets in all mediums through appropriate information management policies and actions that meet applicable Federal, State, regulatory, or contractual requirements and support the University of Maryland, School of Dentistry mission, vision, and values. Furthermore, it shall be the policy of University of Maryland, School of Dentistry to support and adhere to the rights and responsibilities of patients as specified in the State of Maryland Public Health and Mental Health Codes.
II. POLICY PURPOSE
The purpose of this policy is to identify and disseminate the University of Maryland, School of Dentistry’s framework and principles for information management that guide our institutional actions and operations in protecting, generating, and sharing individually identifiable health information in support of the University of Maryland, School of Dentistry’s mission, vision, and values.
III. DEFINITIONS
Access: The ability of a data user or application process to read, write, modify, or communicate information or otherwise make use of an information asset.
Access Profile: A list of the applications and/or databases a user (or application process) is permitted to access and the access levels granted in each of those applications and/or databases.
Account Administration: The process by which authorized data users are assigned accounts (sign-ons) to University of Maryland, School of Dentistry health information assets using the access controls (profiles) prepared by Data Managers.
Account Administrator: The individual acting at the direction of the Data Manager who implements controls on access to information assets by applying formal guidelines and practices to functions such as assigning user access codes, revoking user access privileges, and setting file protection parameters. (The roles of account and system administrator may be combined for smaller databases.)
Audit: A formal review and identification of access to an information asset by an individual, organization, or application process.
Authentication: The process by which a user (or application process) proves his or her identity to an information system or resource. The user is required to provide at least one (often a combination) of the following unique elements:
- Something that the user knows (such as a password or a personal identification number);
- Something that the user has in her possession (such as a token or access card);
- Something that is a characteristic or an expression of the user’s physical being (such as finger or voice prints).
Authorization: Documented approval to access University of Maryland, School of Dentistry health information assets based on the user's need to know.
Authorization and Access Control (AAC) Process: The process in which Departmental Directors request access for members of their department based on those members' roles and their role-based need to know, and Data Managers ensure that the needed access to applications is made available.
Authorized Access Database (AAD): The centralized repository of information about all University of Maryland, School of Dentistry Authorized Data Users, under the responsibility of one administrator. The Authorized Access Database must include at a minimum:
- User name and a unique identifier
- User login ID
- Date access last changed, and start and stop date for authorized use of an account and/or application
- User's Departmental Director or Delegated Access Coordinator
- Application ID for each application
- User's authorized access profile for each application
Authorized Data User (ADU): Individuals who have been granted authorization through the Authorization and Access Process to access specific University of Maryland, School of Dentistry health information assets in the performance of their assigned duties or in fulfillment of their role in the University of Maryland, School of Dentistry community.
Authorized Data Users include, but are not limited to, faculty and staff members, employees, trainees, students, vendors, volunteers, contractors, and other affiliates of the University of Maryland, School of Dentistry as well as external users who have been granted accounts on University of Maryland, School of Dentistry health information assets under the terms of an information sharing agreement.
Business Owner: The senior University of Maryland, School of Dentistry official (and his/her staff) having policy-level responsibility for managing a segment of the University of Maryland, School of Dentistry information assets as delegated by the Data Steward, e.g., Departmental Chairs, Directors of Units.
Certification: Evaluation of the computer system(s), storage media, network(s), information transmissions, operating systems, and applications design supporting the University of Maryland, School of Dentistry health information assets which confirms that the appropriate security measures have been implemented in accordance with University of Maryland, School of Dentistry policies.
Consent: The voluntary agreement of an informed and competent individual or their legal guardian for a given action relative to the individual (including the release of information). See individual entity policies.
Contingency Plan: A routinely updated plan for responding to an emergency. At a minimum, it must include a data backup and disaster recovery plan.
Data Manager: University of Maryland Dental School Official and their staff who have been given operational level responsibility for the capture, maintenance, and dissemination of specific data by the appropriate Data Steward or Business Owner (Delegated Data Steward).
Data Steward: The University of Maryland, School of Dentistry Executive Officer having policy-level responsibility for managing a segment of the University of Maryland, School of Dentistry’s information resource as designated by the Regental by-laws. For the University of Maryland, School of Dentistry Health System, the official data steward is the Assistant Dean for Clinical Affairs.
Delegated Access Coordinator: An individual within a department or external entity designated by the Department Director (or Information Sharing Agreement, in the case of external entities) to:
- Define, in consultation with the appropriate Data Managers, departmental access profiles for members of their department/unit by listing roles within the department and the appropriate level of access for individuals in those roles based on their need to know.
- Notify the AAD Administrator when personnel status changes require access changes (e.g. hiring, termination, suspension, transfer). For detailed information, see University of Maryland, School of Dentistry Policy, "Information Access: Responsibilities of Department Directors or Delegated Access Coordinators".
Directed Communication/Solicitations: The use of individually identifiable health information to promote fund raising, educational opportunities, special research or clinical activities, new forms of treatment, or notification of University of Maryland, School of Dentistry events. Contact with a patient to discuss or provide information related to the above activities is not considered directed communication/solicitations if the inquiry is initiated by the patient. See University of Maryland, School of Dentistry Policy “Directed Communication/Solicitations”.
Disclosure: The release of information to third parties about an individual which requires the individual's consent or release due to a legal or regulatory requirement.
Encryption: The reversible conversion of readable information into an unreadable protected form so that only a recipient who has the appropriate "key" can convert the information back into its original readable form.
Health Information Asset: Any individually identifiable health information, in any form, on any medium.
Health Insurance Portability and Accountability Act (HIPAA): Federal statute requiring, among other things, the adoption of standards for the security and privacy of individually identifiable health information.
Individually Identifiable Health Information: Any information, including demographic and/or scheduling information collected about an individual, that:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse or any employee of the above; and
- Relates to the past, present or future physical and/or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (i) Identifies the individual, or (ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
All of the following are considered by University of Maryland, School of Dentistry to fall into this category:
- Patient information collected by the University of Maryland, School of Dentistry or member information collected (e.g. transferred medical records, correspondence, telephone calls, e-mail, etc.); or
- Patient information generated by the University of Maryland, School of Dentistry or member information generated; or
- Information entrusted by the individual to a clinical staff member, employee, vendor, volunteer, student or other affiliate of University of Maryland Dental School; or
- Any knowledge a clinical staff member, employee, vendor, volunteer, student or other affiliate of University of Maryland, School of Dentistry gains in the course of fulfillment of his or her appointed role in the University of Maryland, School of Dentistry regarding the individual; or
- Research information collected, generated, maintained or disseminated by the University of Maryland, School of Dentistry that identifies individuals, or when combined with other data can reasonably lead to the identification of
Information Asset: Any data in any form on any media.
Information Security Officer (ISO): That University of Maryland, School of Dentistry entity documented as formally assigned the responsibility for defining procedures to assure the security, integrity, and confidentiality of University of Maryland, School of Dentistry health information assets. This responsibility includes but is not limited to the oversight of:
- The use of security measures to protect
- The conduct of personnel in relation to the protection of
- The coordination of the AAC process and procedures with other operational entities necessary to provide for the security, integrity, and confidentiality of University of Maryland, School of Dentistry health information assets.
Information Sharing Agreement (Also known as, “Chain of Trust Agreement.”): A contract entered into by two parties in which they agree to exchange data while maintaining its security and confidentiality. (Part of administrative procedures to guard data integrity, confidentiality and availability.) For a description of the factors that must be present in an information sharing agreement between University of Maryland, School of Dentistry and any external entity seeking access to University of Maryland, School of Dentistry health information assets, see University of Maryland, School of Dentistry Policy, "Sharing University of Maryland, School of Dentistry Data with External Entities".
Legally Restricted Information: Individually identifiable health information for which disclosure is specifically subject to additional legal requirements imposed by statute or administrative rule.
Need to Know: The principle that states that a user should access only the specific information necessary to complete his or her assigned job functions. This principle is applied in two main contexts:
- Departmental Directors (or their Delegated Access Coordinators) apply this principle in determining the appropriate level of access to databases and/or applications needed by people in different roles in their department (see University of Maryland, School of Dentistry Policy, "Information Access: Responsibilities of Department Directors or Delegated Access Coordinators").
- Authorized Data Users apply the principle every time they decide whether to access a specific individual's record or not, even if they have been granted full access to the application in which the record resides.
Once access to a database and/or application has been authorized, the authorized data user is still obligated to assess the appropriateness of each specific access on a need to know basis. See Exhibit 1 - "Need to Know" for further discussion and examples of this definition.
System Administrator: The individual responsible for the functions of installing, maintaining, and operating hardware and software platforms (system environments). (The roles of system and account administrator may be combined for smaller databases.)
IV. POLICY STANDARDS
General Standards:
- All persons with access to University of Maryland, School of Dentistry health information assets may only have such access on a need to know basis and must be approved and verified as Authorized Data Users at regular intervals (but no less than annually) by the appropriate Departmental Director (or Delegated Access Coordinator).
- It is the responsibility of every Authorized Data User to maintain confidentiality of University of Maryland, School of Dentistry health information assets even if technical security mechanisms fail or are absent. A lack of security measures to protect the confidentiality of information does not imply that such information is public.
- Each clinical staff member, employee, trainee, student, vendor, volunteer, or contractor, or other affiliate of the University of Maryland, School of Dentistry with access to University of Maryland, School of Dentistry health information is subject to and has the responsibilities outlined in this policy as well as those outlined in their organization's policy on confidentiality of information. For external entities, this is covered by a Business Associate Agreement, see University of Maryland, School of Dentistry Policy "Sharing University of Maryland, School of Dentistry Data with External Entities”.
- Individually identifiable health information is the property of the individual to whom the information pertains and the University of Maryland, School of Dentistry is the steward of that information and the owner of the storage medium.
- If an Authorized Data User elects to place individually identifiable health information onto a mobile device, then the device must be registered with the Office of Information Technology. The device must be encrypted and he or she is responsible for ensuring that the device is password protected.
- A person must be identified by the Data Steward (or Business Owner) as the Data Manager for each University of Maryland, School of Dentistry health information asset.
- The University of Maryland, School of Dentistry Information Security Officer shall provide assistance to the University of Maryland, School of Dentistry community on interpretation of existing policy, cataloging of University of Maryland, School of Dentistry health information assets and individually identifiable health information, monitoring and tracking violations and appeals, identifying areas of risk, defining security controls, and maintaining the AAD in collaboration with other departments that hold information about individuals' job status and access privileges.
- All University of Maryland, School of Dentistry health information assets containing individually identifiable health information in any medium must be registered by the appropriate Data Manager in the Authorized Access Database.
- If any University of Maryland, School of Dentistry staff member chooses to maintain a database containing individually identifiable health information generated in the course of performing professional responsibilities, he/she will be responsible as Data Manager for that database and must follow all applicable rules.
- Individuals have the right to correct inaccurate individually identifiable health information. The appropriate process for validating and processing such corrections is determined individually by each organization, and specified in that organization's policies (see, University of Maryland, School of Dentistry Privacy Policy “Amendment of Incomplete or Incorrect Protected Health Information”). Each Data Manager is responsible for ensuring that validated correction requests relevant to University of Maryland, School of Dentistry data assets under his/her control are implemented.
- In order to protect the individually identifiable health information entrusted to University of Maryland, School of Dentistry, all directed communication/solicitations shall adhere to University of Maryland, School of Dentistry Policy “Directed Communication/Solicitations”.
- University of Maryland, School of Dentistry (through the ISO) shall create, administer and oversee policies to ensure the prevention, detection, containment and correction of breaches of security, integrity, and confidentiality.
- University of Maryland, School of Dentistry (through the ISO) shall evaluate and certify that appropriate security systems and measures are in place. For external entities, this is part of the Information Sharing Agreement.
- The security management process shall be the responsibility of the Business Owner, according to the guidelines set by the ISO, and must include, at a minimum, the implementation of:
  - Risk analysis, based on information asset contents and user population, to determine the likely occurrence and severity of loss of potential incidents.
  - Risk management including formal, documented procedures for monitoring, detection, auditing, reporting, and responding to breaches of security, integrity, and confidentiality.
  - A disciplinary process including procedures for the potential discipline, up to and including dismissal, for misuse, misappropriation of data, or acts of omission or commission which result in breaches of security, integrity, or confidentiality.
- The prevention of access to University of Maryland, School of Dentistry health information assets by unauthorized or untrained personnel shall be addressed by personnel security policies, including provisions that:
  - Ensure that all personnel with access or potential access to University of Maryland, School of Dentistry health information assets have gone through personnel clearance procedures: they have been screened, are specifically authorized for that access, are trained in relevant University of Maryland, School of Dentistry confidentiality policies, and have attested knowledge of and compliance with those policies.
  - Ensure that operating and maintenance personnel are given the access necessary for them to perform their system maintenance responsibilities without compromising individually identifiable health information.
  - Ensure that personnel performing maintenance activities related to University of Maryland, School of Dentistry health information assets are supervised by authorized, knowledgeable persons.
  - Require maintenance of records of those granted physical access to University of Maryland, School of Dentistry health information assets.
  - Employ personnel security policy and
  - Ensure that system users, including technical maintenance personnel, are trained in system security.
- The security management process shall be the responsibility of the Business Owner, according to the guidelines set by the ISO, and must include, at a minimum, formal, documented policies and procedures to limit physical access while ensuring that properly authorized access is allowed, including contingency planning for how security is to be maintained in the event of an emergency. These controls shall include, but not be limited to:
  - Applications and data criticality analysis
  - A data backup plan
  - Disaster recovery plan
  - Emergency mode operation plan
  - Equipment control (into and out of site), including workstations and laptops
  - A facility security plan coordinated with Campus Public Safety
  - Procedures for verifying access authorizations prior to physical access
  - Maintenance records
  - Sign-in for visitors and escort, if appropriate
- To ensure that appropriate access control of University of Maryland, School of Dentistry health information assets are in place and to fulfill the obligation to keep information timely, accurate, complete, and confidential, all information systems and application programs must adhere to the following principles:
- Data Stewards, Business Owners, Data Managers, Account and System Administrators are accountable for ensuring that the information security policies are fully executed.
- Information systems and application programs must provide a mechanism to control authentication, authorization, and audit.
- All members of the University of Maryland, School of Dentistry "community" shall be assigned a unique University of Maryland, School of Dentistry name identifier; users assigned a specified account shall be the sole user of that account and its associated identification methods, which shall not be shared. Identification methods include, but are not limited to, login names or IDs, passwords and pass phrases, digital certificates and signatures, PINs, tokens, smart cards, biometrics (voice and fingerprinting), and other forms of personal identification.
- Authentication shall include establishment of criteria for account eligibility, creation, maintenance, and expiration.
- When passwords are used as an authentication mechanism, a password shall be present, be of a minimal length, be changeable by the end user, be encrypted, be non-reusable (uniqueness) and have a timed forced renewal.
- Intruder detection and lockout (a maximum of 3-5 failed attempts, followed by a 15-30 minute timeout upon violation) shall be enabled for the account.
- Electronic communication and exchange of health information that occurs over open networks such as the Internet must include strong authentication, adequate encryption, and effective administration of keys and passwords for
- Applications shall provide an automatic logoff/lockout after a specified period of inactivity of interaction with that application; a user shall re-authenticate to gain access to the application. The period of inactivity shall be long enough to provide for continuous user interaction with the application, yet short enough not to permit access to a possibly unattended session.
- One authoritative source shall hold the identifications for University of Maryland, School of Dentistry users, information systems, applications, and their processes. This authoritative source shall include the identification information of application processes which access University of Maryland, School of Dentistry health information assets for purposes of capturing, providing, and/or receiving
- External data users shall have access to University of Maryland, School of Dentistry health information assets only upon the completion of a Business Associate Agreement with University of Maryland, School of Dentistry, as described in University of Maryland, School of Dentistry Policy, "Sharing Information with External Entities".
- There may be cases in which a state, federal, or regulatory agency requires that it be granted access to University of Maryland, School of Dentistry health information assets under law or regulation.
- All data users shall receive education on the expectations, knowledge, and skills related to information security prior to being given access to University of Maryland, School of Dentistry health information assets. University of Maryland, School of Dentistry Information Technology Department shall verify that potential Authorized Data Users have received security education before access to University of Maryland, School of Dentistry information is granted.
- To the extent technologically practical, system administrators shall maintain ongoing internal audit processes which record system activity such as log-ins, file accesses, and security incidents.
- To the extent that an audit trail shows access to an individual's individually identifiable health information, it shall be made accessible to that individual at the individual's request in the event that questions arise about improper access to his or her information.
- All Authorized Data Users, both internal and external, shall be made aware that from time to time or as indicated by events and circumstances, audits may be conducted.
- Breaches of confidentiality under this policy are subject to appropriate disciplinary action up to and including discharge or termination of contract/relationship.
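The lockout and automatic-logoff standards above (3-5 failed attempts, a 15-30 minute timeout, re-authentication after a period of inactivity, and an audit trail of log-ins and security incidents) are easiest to reason about when written down as code. The following is an added example, not code from the School of Dentistry or any system it operates: it implements the two controls against an in-memory account store, using the upper end of the policy's stated ranges (5 attempts, 30 minutes). The 10-minute inactivity limit is an assumption, since the policy gives no number, and the injected clock exists only so the behaviour can be exercised deterministically.

```python
"""Account lockout, idle-session timeout and audit trail (added example).

Thresholds MAX_FAILED_ATTEMPTS and LOCKOUT_SECONDS come from the policy's
stated ranges; IDLE_TIMEOUT_SECONDS is an assumption (policy gives no value).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5          # policy: maximum of 3-5 attempts
LOCKOUT_SECONDS = 30 * 60        # policy: 15-30 minute timeout
IDLE_TIMEOUT_SECONDS = 10 * 60   # assumption: policy sets no number


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored secret is never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: Optional[float] = None   # epoch seconds, None = not locked


def make_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


@dataclass
class Session:
    username: str
    last_activity: float


class AuthService:
    """Enforces lockout on failed logins and expiry of idle sessions."""

    def __init__(self, accounts: List[Account], clock: Callable[[], float]):
        self.accounts = {a.username: a for a in accounts}
        self.clock = clock                      # returns current time in seconds
        self.sessions: Dict[str, Session] = {}
        self.audit: List[Tuple[float, str, str]] = []   # (time, user, event)

    def login(self, username: str, password: str) -> Optional[str]:
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            self.audit.append((now, username, "login_failed_unknown_user"))
            return None
        if acct.locked_until is not None:
            if now < acct.locked_until:
                self.audit.append((now, username, "login_rejected_locked"))
                return None
            acct.locked_until = None            # lockout window has elapsed
            acct.failed_attempts = 0
        if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failed_attempts += 1
            self.audit.append((now, username, "login_failed_bad_password"))
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                self.audit.append((now, username, "account_locked"))
            return None
        acct.failed_attempts = 0
        token = f"{username}:{int(now)}"        # constructed; real tokens must be random
        self.sessions[token] = Session(username, now)
        self.audit.append((now, username, "login_ok"))
        return token

    def access(self, token: str) -> bool:
        """True if the session is live; an idle session is dropped, forcing re-auth."""
        now = self.clock()
        s = self.sessions.get(token)
        if s is None:
            return False
        if now - s.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            self.audit.append((now, s.username, "session_expired_idle"))
            return False
        s.last_activity = now
        return True


class FakeClock:
    """Controllable clock so the scenario below runs without waiting."""
    def __init__(self, start: float = 0.0):
        self.t = start
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def run_scenario() -> dict:
    """Walk one constructed account through lockout, recovery and idle expiry."""
    clock = FakeClock()
    svc = AuthService([make_account("jdoe", "correct horse")], clock)
    out = {}
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("jdoe", "wrong password")
    out["locked_after_threshold"] = svc.login("jdoe", "correct horse") is None
    clock.advance(LOCKOUT_SECONDS + 1)
    token = svc.login("jdoe", "correct horse")
    out["login_after_lockout"] = token is not None
    clock.advance(IDLE_TIMEOUT_SECONDS - 1)
    out["active_before_idle_limit"] = svc.access(token)
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    out["expired_after_idle"] = not svc.access(token)
    out["events"] = [event for _, _, event in svc.audit]
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

Two design points worth noting: the lockout is checked before the password is compared, so a locked account cannot be probed further, and the audit list records the lockout and the idle expiry as distinct events, which is what makes the policy's later audit and breach-detection standards possible.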
Link to UMB IT Policy https://www.umaryland.edu/umbcomputingpolicies/it-security-policy/
Information Management Policy: Sharing Data with External Entities
I. POLICY STATEMENT
It shall be the policy of the University of Maryland, School of Dentistry to capture, share, secure, maintain, and enhance the value of University of Maryland, School of Dentistry health information assets in all mediums through appropriate information management policies and actions that meet applicable Federal, State, regulatory, or contractual requirements and support the University of Maryland, School of Dentistry mission, vision, and values. Furthermore, it shall be the policy of University of Maryland, School of Dentistry to support and adhere to the rights and responsibilities of patients as specified in the State of Maryland Public Health and Mental Health Codes. It is the responsibility of the University of Maryland, School of Dentistry to ensure that these principles and policies are upheld even when individually identifiable health information in the custody of University of Maryland, School of Dentistry needs to be shared with other entities. Sharing of data shall be done by requiring potential data sharing partners to execute a Business Associate agreement which obliges them to handle the data in a manner consistent with Federal and State laws.
II. POLICY PURPOSE
The purpose of this policy is to inform University of Maryland, School of Dentistry personnel of the procedures that must be followed if individually identifiable health information is to be shared with an external entity.
III. STANDARDS
External data users must not be permitted to access University of Maryland, School of Dentistry data assets unless the external users have completed a Business Associate Agreement with University of Maryland, School of Dentistry.
- There may be cases in which a state, federal, or regulatory agency requires that access be granted to it under law or regulation. In such cases, to the extent possible, a Business Associate Agreement meeting the criteria above shall be negotiated between University of Maryland, School of Dentistry and the agency before access is granted to the University of Maryland, School of Dentistry data assets.
AUTHOR: University of Maryland Dental School Information Security Officer
University of Maryland School of Dentistry
Notice of Privacy Practices
Effective October 31, 2016
Your Information. Your Rights. Our Responsibilities.
This notice describes how medical and dental information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
Your Rights
You have the right to:
- Get a copy of your health and claims records
- Correct your health and claims records
- Request confidential communication
- Ask us to limit the information we share
- Get a list of those with whom we’ve shared your information
- Get a copy of this privacy notice
- Choose someone to act for you
- File a complaint if you believe your privacy rights have been violated
Your Choices
You have some choices in the way that we use and share information as we:
- Answer coverage questions from your family and friends
- Provide disaster relief
- Market our services and sell your information
Our Uses and Disclosures
We may use and share your information as we:
- Help manage the health care treatment you receive
- Run our organization
- Pay for your health services
- Administer your health plan
- Help with public health and safety issues
- Do research
- Comply with the law
- Respond to organ and tissue donation requests and work with a medical examiner or funeral director
- Address workers’ compensation, law enforcement, and other government requests
- Respond to lawsuits and legal actions
- Provide data to Chesapeake Regional Information System for our Patients (CRISP)
Your Rights
When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to help you.
Get a copy of health and claims records
- You can ask to see or get a copy of your health and claims records and other health information we have about you. Ask us how to do this.
- We will provide a copy or a summary of your health and claims records, usually within 30 days of your request. We may charge a reasonable, cost-based fee.
Ask us to correct health and claims records
- You can ask us to correct your health and claims records if you think they are incorrect or incomplete. Ask us how to do this.
- We may say "no" to your request, but we'll tell you why in writing within 60 days.
Request confidential communications
- You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
- We will consider all reasonable requests, and must say "yes" if you tell us you would be in danger if we do not.
Ask us to limit what we use or share
- You can ask us not to use or share certain health information for treatment, payment, or our operations.
- We are not required to agree to your request, and we may say "no" if it would affect your care.
Get a list of those with whom we’ve shared information
- You can ask for a list (accounting) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why.
- We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.
Get a copy of this privacy notice
You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically. We will provide you with a paper copy promptly.
Choose someone to act for you
- If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.
- We will make sure the person has this authority and can act for you before we take any action.
File a complaint if you feel your rights are violated
- You can complain if you feel we have violated your rights by contacting us using the information on page
- You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/.
- We will not retaliate against you for filing a complaint.
Your Choices
For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, talk to us. Tell us what you want us to do, and we will follow your instructions.
In these cases, you have both the right and choice to tell us to:
- Share information with your family, close friends, or others involved in payment for your care
- Share information in a disaster relief situation
If you are not able to tell us your preference, for example if you are unconscious, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.
In these cases we never share your information unless you give us written permission:
- Marketing purposes
- Sale of your information
Our Uses and Disclosures
How do we typically use or share your health information?
We typically use or share your health information in the following ways.
Help manage the health care treatment you receive
We can use your health information and share it with professionals who are treating you.
Example: A doctor sends us information about your diagnosis and treatment plan so we can arrange additional services.
Run our organization
- We can use and disclose your information to run our organization and contact you when necessary.
- We are not allowed to use genetic information to decide whether we will give you coverage and the price of that coverage. This does not apply to long term care plans.
Example: We use health information about you to develop better services for you.
Pay for your health services
We can use and disclose your health information as we pay for your health services.
Example: We share information about you with your dental plan to coordinate payment for your dental work.
Administer your plan
We may disclose your health information to your health plan sponsor for plan administration.
Example: Your company contracts with us to provide a health plan, and we provide your company with certain statistics to explain the premiums we charge.
How else can we use or share your health information?
We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes. For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html.
Help with public health and safety issues
We can share health information about you for certain situations such as:
- Preventing disease
- Helping with product recalls
- Reporting adverse reactions to medications
- Reporting suspected abuse, neglect, or domestic violence
- Preventing or reducing a serious threat to anyone’s health or safety
Do research
We can use or share your information for health research.
Comply with the law
We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.
Respond to organ and tissue donation requests and work with a medical examiner or funeral director
- We can share health information about you with organ procurement organizations.
- We can share health information with a coroner, medical examiner, or funeral director when an individual dies.
Address workers’ compensation, law enforcement, and other government requests
We can use or share health information about you:
- For workers’ compensation claims
- For law enforcement purposes or with a law enforcement official
- With health oversight agencies for activities authorized by law
- For special government functions such as military, national security, and presidential protective services
Respond to lawsuits and legal actions
We can share health information about you in response to a court or administrative order, or in response to a subpoena.
Provide data to Chesapeake Regional Information System for our Patients (CRISP)
We have chosen to participate in the Chesapeake Regional Information System for our Patients, Inc. (CRISP), a statewide health information exchange. As a participant in CRISP, we may share and exchange information that we obtain or create about you for treatment and public health purposes, as permitted by applicable law. This exchange of health information can provide faster access to critical information about your medical condition, improve the coordination of your health care, and assist health care providers and public health officials in making more informed treatment decisions.
You have the right to "opt-out" of CRISP, which will prevent health care providers from accessing some of the information available through the exchange. However, even if you opt-out, a certain amount of your health information will remain in the exchange. Specifically, health care providers who participate in CRISP may continue to access certain diagnostic information related to tests, procedures, etc. that have been ordered for you (e.g., imaging reports and lab results), and they may send this information to other health providers to whom you have been referred for evaluation or treatment through CRISP's secure messaging services. You may opt-out of CRISP by calling 1-877-952-7477, or by submitting a completed Opt-Out Form to CRISP by mail, fax, or through their website at www.crisphealth.org.
Our Responsibilities
- We are required by law to maintain the privacy and security of your protected health information.
- We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
- We must follow the duties and privacy practices described in this notice and give you a copy of it.
- We will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind.
For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html.
Changes to the Terms of this Notice
We can change the terms of this notice, and the changes will apply to all information we have about you. The new notice is available from our web site, and upon request we will mail a copy to you.
The University of Maryland, School of Dentistry is required by law to maintain the privacy of your health information and to provide you with notice of its legal duties and privacy practices with respect to your health information. If you have questions about any part of this notice or if you want more information about the privacy practices at the University of Maryland, School of Dentistry, please contact:
Privacy Officer:
Kent Buckingham
Executive Director of IT and Facilities Management, HIPAA & IT Security Officer, University of Maryland School of Dentistry,
650 West Baltimore St., Room G424, Baltimore, MD 21201 kbuckingham@umaryland.edu
(410) 706-0343
(410) 706-3389 Fax
Privacy Compliance Responsibility Assignments
Assignments
- Privacy Officer: Kent Buckingham
- Data Steward: Lou Depaola
- Security Officer: Kent Buckingham
- Information Security Officer: Kent Buckingham
- System Administrators: Stephen Gray, Galina Arbitman
User Access Control Procedure
Departmental Administrators determine the appropriate level of access to databases and/or applications based on the roles department members need in order to perform their job responsibilities.
- Formal request with defined user access profile submitted to help desk system;
- Identifier profile account created for each authorized data user;
- All user access profiles have an expiry date according to contractual agreement upon appointment or admittance;
- Users may not request additional access to database to their own profile;
All data users receive education on the expectations, knowledge, and skills related to information security before they are authorized to access University of Maryland, School of Dentistry health information assets.
Verification that Authorized Data Users have received security education is documented before access to University of Maryland, School of Dentistry information is granted.
Access Review
Periodic access reviews are documented and retained by IT Administrators.
- To maintain access, users are required to complete yearly compliance training by November 30th of each year; access is revoked and accounts are locked out for non-compliant users;
- Periodic analysis of the user access list, checking expiry dates and completed annual compliance assessments;
- Tickets are assigned to the appropriate department management to review and update the user list;
- User list is verified by the compliance manager;
- Compliance manager will close the ticket.
User Access Review Procedure
Access to University systems and data will be granted to users based on their need for information and for performing their job responsibilities.
All data users receive education on the expectations, knowledge, and skills related to information security before they are authorized to access University of Maryland, School of Dentistry health information assets. Verification that Authorized Data Users have received training is documented before access to University of Maryland, School of Dentistry information is granted.
User access list shall be reviewed with department management at least annually to reflect current user access of user role or any change in employment status. This review shall be documented and retained by IT administrators for verification purposes.
- Annual authorized user report is generated by IT administrators;
- Analysis of user access list; checking expiry dates and completed annual compliance assessments;
- User access list logged in help desk system;
- Help desk ticket generated and assigned to appropriate department management for confirmation;
- Revise expiry dates and revoke or lock out non-compliant users;
- Ticket escalated to Compliance Manager for review and verification;
- Compliance Manager will close the ticket.
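The two procedures above (User Access Control and User Access Review) reduce to a small set of checks per user: has the appointment expired, has the annual compliance training been completed by the November 30th deadline, and which department management must confirm the remaining entries. The following is an added example, not a script used by the School of Dentistry: it runs those checks over a constructed user list and groups the results into per-department ticket contents. The record layout, the interpretation of "current training" as training completed in the calendar year of the most recent deadline, and the decision to treat an expiry date equal to the review date as still valid are all assumptions; the policy text fixes only the deadline and the revoke/lock-out outcome.

```python
"""Annual user access review over a constructed access list (added example).

Assumptions (not stated by the policy): each user record carries an expiry
date and the date of the last completed compliance training; training is
"current" if it was completed on or after 1 January of the year of the most
recent November 30th deadline; an expiry equal to the review date is valid.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

TRAINING_DEADLINE_MONTH_DAY = (11, 30)   # policy: training due by November 30th each year


@dataclass(frozen=True)
class UserAccess:
    username: str
    department: str
    role: str
    expiry: date                         # from contract/appointment
    training_completed: Optional[date]   # None = never completed


# Constructed sample access list; names and dates are invented for the example.
USERS: List[UserAccess] = [
    UserAccess("asmith", "Clinic A", "clinician", date(2025, 6, 30), date(2024, 10, 2)),
    UserAccess("bjones", "Clinic A", "front desk", date(2024, 12, 31), date(2024, 9, 15)),
    UserAccess("cwong", "Research", "analyst", date(2025, 12, 31), date(2023, 11, 1)),
    UserAccess("dlee", "Research", "student", date(2025, 12, 31), None),
    UserAccess("evans", "Clinic B", "resident", date(2025, 1, 15), date(2024, 11, 29)),
]


def last_training_deadline(review_date: date) -> date:
    """Most recent November 30th on or before the review date."""
    month, day = TRAINING_DEADLINE_MONTH_DAY
    this_year = date(review_date.year, month, day)
    return this_year if this_year <= review_date else date(review_date.year - 1, month, day)


def is_training_current(user: UserAccess, review_date: date) -> bool:
    if user.training_completed is None:
        return False
    cycle_start = date(last_training_deadline(review_date).year, 1, 1)
    return user.training_completed >= cycle_start


def review_user(user: UserAccess, review_date: date) -> Tuple[str, str]:
    """Return (action, reason). Expiry is checked first: a lapsed appointment
    is revoked regardless of training status."""
    if user.expiry < review_date:
        return "revoke", f"appointment expired {user.expiry.isoformat()}"
    if not is_training_current(user, review_date):
        due = last_training_deadline(review_date).isoformat()
        done = user.training_completed.isoformat() if user.training_completed else "never"
        return "lock", f"compliance training due {due}, last completed {done}"
    return "confirm", "active; department management to confirm role and access"


def run_review(users: List[UserAccess], review_date: date) -> Dict[str, Tuple[str, str]]:
    """The annual authorized-user report: one decision per username."""
    return {u.username: review_user(u, review_date) for u in users}


def tickets_by_department(users: List[UserAccess], review_date: date) -> Dict[str, List[str]]:
    """Lines for the help desk ticket assigned to each department's management."""
    tickets: Dict[str, List[str]] = {}
    for u in users:
        action, reason = review_user(u, review_date)
        line = f"{u.username} ({u.role}): {action.upper()} - {reason}"
        tickets.setdefault(u.department, []).append(line)
    return tickets


if __name__ == "__main__":
    today = date(2025, 1, 15)    # constructed review date
    for dept, lines in tickets_by_department(USERS, today).items():
        print(f"== {dept} ==")
        for line in lines:
            print("  " + line)
```

Run on the sample list with a review date of 15 January 2025, the most recent deadline is 30 November 2024, so the two Research users are locked (one with 2023 training, one with none), the Clinic A user whose appointment ended on 31 December is revoked, and the remaining two are routed to their department for confirmation. Locked and revoked entries still appear in the department ticket so management sees the full list it is confirming, which is what the review step requires.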
