Clinical Information Management System User Security Access Policy
Subject: III. Clinical – F. HIPAA
Effective Date: 09/01/2017
Reviewed and/or Revised: 09/01/2017, 02/28/2025, 07/31/2025
Click the following links to access the User Access Control Procedure (PDF) and the User Access Review Procedure (PDF).
I. Policy Statement
It shall be the policy of the University of Maryland, School of Dentistry that the axiUm application, which houses all of our patients’ and faculty’s sensitive information, be regarded as confidential and kept secure by all of its users. Patient care information is the property of the patient, with the University of Maryland, School of Dentistry being the gatekeeper of that information and the owner of the medium of storage, our axiUm application. University of Maryland, School of Dentistry shall maintain management processes to ensure that access to axiUm is restricted to authorized users with the minimal access rights necessary to perform their roles and responsibilities. Account provisioning and monitoring shall be reviewed annually.
II. Policy Purpose
The purpose of this policy is to protect patients from inappropriate dissemination of identifiable information. This policy applies to all clinical staff, employees, vendors, volunteers, students and others who are members of the University of Maryland, School of Dentistry sites and Health Centers, and refers to all information resources, whether verbal, printed, or electronic, and whether individually controlled, shared, stand-alone or networked. This policy also provides guidelines on employee access to patient data to ensure the confidentiality and integrity of patient information.
Confidentiality of Patient Information Policy
Subject: III. Clinical – F. HIPAA
Effective Date: 09/01/2017
Reviewed and/or Revised: 09/01/2017, 02/28/2024, 07/31/2025
I. Policy Statement
It shall be the policy of the University of Maryland, School of Dentistry that all information regarding care of the individual patient be maintained as confidential information. Patient care information is the property of the patient; University of Maryland, School of Dentistry is the steward or caretaker of that information and the owner of the medium of storage.
II. Policy Purpose
The purpose of this policy is to protect the patient, the clinical team, and the University of Maryland, School of Dentistry from inappropriate dissemination of information regarding the care of individual and collective patients. This policy applies to all clinical staff, employees, vendors, volunteers, students and others who are members of the University of Maryland, School of Dentistry sites and Health Centers, and refers to all information resources, whether verbal, printed, or electronic, and whether individually controlled, shared, stand-alone or networked. Proper handling of external requests for patient information is addressed in the Privacy Policy. This policy also provides guidelines and examples on employee access to patient-identifiable information to ensure the confidentiality and integrity of patient information.
Credit Card Security Policy
Subject: III. Clinical – F. HIPAA
Reviewed and/or Revised: 09/01/2017, 02/28/2024, 07/31/2025
Introduction and Scope
Introduction
This document explains School of Dentistry, University of Maryland’s credit card security requirements as required by the Payment Card Industry Data Security Standard (PCI DSS) Program. School of Dentistry, University of Maryland management is committed to these security policies to protect information utilized by School of Dentistry, University of Maryland in attaining its business goals. All employees are required to adhere to the policies described within this document.
Scope of Compliance
The PCI requirements apply to all systems that store, process, or transmit cardholder data. Currently, School of Dentistry, University of Maryland’s cardholder environment consists only of imprint machines or standalone dial-out terminals. The environment does not include storage of cardholder data on any computer system.
Due to the limited nature of the in-scope environment, this document is intended to meet the PCI requirements as defined in Self-Assessment Questionnaire (SAQ) B, ver. 2.0, October, 2010. Should School of Dentistry, University of Maryland implement additional acceptance channels, begin storing, processing, or transmitting cardholder data in electronic format, or otherwise become ineligible to validate compliance under SAQ B, it will be the responsibility of School of Dentistry, University of Maryland to determine the appropriate compliance criteria and implement additional policies and controls as needed.
Requirement 3: Protect Stored Cardholder Data
Prohibited Data
Processes must be in place to securely delete sensitive authentication data post-authorization so that the data is unrecoverable. (PCI Requirement 3.2)
Payment systems must adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
The full contents of any track data from the magnetic stripe (located on the back of a card, equivalent data contained on a chip, or elsewhere) are not stored under any circumstance. (PCI Requirement 3.2.1)
The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored under any circumstance. (PCI Requirement 3.2.2)
The personal identification number (PIN) or the encrypted PIN block are not stored under any circumstance. (PCI Requirement 3.2.3)
Displaying PAN
School of Dentistry, University of Maryland will mask the display of PANs (primary account numbers), and limit viewing of PANs to only those employees and other parties with a legitimate need. A properly masked number will show only the first six and the last four digits of the PAN. (PCI requirement 3.3)
Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
Transmission of Cardholder Data
Sending unencrypted PANs by end-user messaging technologies is prohibited. Examples of end-user technologies include email, instant messaging and chat. (PCI requirement 4.2)
Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
Limit Access to Cardholder Data
Access to School of Dentistry, University of Maryland’s cardholder system components and data is limited to only those individuals whose jobs require such access. (PCI Requirement 7.1)
Access limitations must include the following:
Access rights for privileged user IDs must be restricted to the least privileges necessary to perform job responsibilities. (PCI Requirement 7.1.1)
Privileges must be assigned to individuals based on job classification and function (also called “role-based access control”). (PCI Requirement 7.1.2)
Requirement 9: Restrict Physical Access to Cardholder Data
Physically Secure all Media Containing Cardholder Data
Hard copy materials containing confidential or sensitive information (e.g., paper receipts, paper reports, faxes, etc.) are subject to the following storage guidelines:
All media must be physically secured. (PCI requirement 9.6)
Strict control must be maintained over the internal or external distribution of any kind of media containing cardholder data. These controls shall include:
Media must be classified so the sensitivity of the data can be determined. (PCI Requirement 9.7.1)
Media must be sent by a secure carrier or other delivery method that can be accurately tracked. (PCI Requirement 9.7.2)
Logs must be maintained to track all media that is moved from a secured area, and management approval must be obtained prior to moving the media. (PCI Requirement 9.8)
Strict control must be maintained over the storage and accessibility of media containing cardholder data. (PCI Requirement 9.9)
Destruction of Data
All media containing cardholder data must be destroyed when no longer needed for business or legal reasons. (PCI requirement 9.10)
Hardcopy media must be destroyed by shredding, incineration or pulping so that cardholder data cannot be reconstructed. Containers storing information waiting to be destroyed must be secured to prevent access to the contents. (PCI requirement 9.10.1)
Requirement 12: Maintain a Policy that Addresses Information Security for Employees and Contractors
Security Policy
School of Dentistry, University of Maryland shall establish, publish, maintain, and disseminate a security policy that addresses how the company will protect cardholder data. (PCI Requirement 12.1)
This policy must be reviewed at least annually, and must be updated as needed to reflect changes to business objectives or the risk environment. (PCI requirement 12.1.3)
Critical Technologies
School of Dentistry, University of Maryland shall establish usage policies for critical technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), email, and internet usage). (PCI requirement 12.3)
These policies must include the following:
Explicit approval by authorized parties to use the technologies (PCI Requirement 12.3.1)
A list of all such devices and personnel with access (PCI Requirement 12.3.3)
Acceptable uses of the technologies (PCI Requirement 12.3.5)
Security Responsibilities
School of Dentistry, University of Maryland’s policies and procedures must clearly define information security responsibilities for all personnel. (PCI Requirement 12.4)
Incident Response Policy
The IT Security Officer shall establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. (PCI requirement 12.5.3)
Incident Identification
Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of security incidents that an employee might recognize in their day-to-day activities include, but are not limited to:
- Theft, damage, or unauthorized access (e.g., papers missing from their desk, broken locks, missing log files, alert from a security guard, video evidence of a break-in or unscheduled/unauthorized physical entry)
- Fraud – Inaccurate information within databases, logs, files or paper records
Reporting an Incident
The IT Security Officer should be notified immediately of any suspected or real security incidents involving cardholder data:
Contact the IT Security Officer to report any suspected or actual incidents. The Internal Audit’s phone number should be well known to all employees and should page someone during non-business hours.
No one should communicate with anyone outside of their supervisor(s) or the IT Security Officer about any details or generalities surrounding any suspected or actual incident. All communications with law enforcement or the public will be coordinated by the IT Security Officer.
Document any information you know while waiting for the IT Security Officer to respond to the incident. If known, this must include date, time, and the nature of the incident. Any information you can provide will aid in responding in an appropriate manner.
Incident Response
Responses can include or proceed through the following stages: identification, severity classification, containment, eradication, recovery and root cause analysis resulting in improvement of security controls.
Contain, Eradicate, Recover and perform Root Cause Analysis
- Notify applicable card associations.
Visa
Provide the compromised Visa accounts to Visa Fraud Control Group within ten (10) business days. For assistance, contact 1-(650)-432-2978. Account numbers must be securely sent to Visa as instructed by the Visa Fraud Control Group. It is critical that all potentially compromised accounts are provided. Visa will distribute the compromised Visa account numbers to issuers and ensure the confidentiality of entity and non-public information. See Visa’s “What to do if compromised” documentation for additional activities that must be performed. That documentation can be found at
MasterCard
Contact your merchant bank for specific details on what to do following a compromise. Details on the merchant bank (aka. the acquirer) can be found in the Merchant Manual. Your merchant bank will assist when you call MasterCard at 1-(636)-722-4100.
Discover Card
Contact your relationship manager or call the support line at 1-(800)-347-3083 for further guidance.
- Alert all necessary parties. Be sure to notify:
- Merchant bank
- Local FBI Office
- U.S. Secret Service (if Visa payment data is compromised)
- Local authorities (if appropriate)
- Perform an analysis of legal requirements for reporting compromises in every state where clients were affected. The following source of information must be used:
- Collect and protect information associated with the intrusion. In the event that forensic investigation is required the IT Security Officer will work with legal and management to identify appropriate forensic specialists.
- Eliminate the intruder's means of access and any related vulnerabilities.
- Research potential risks related to or damage caused by intrusion method used.
Root Cause Analysis and Lessons Learned
Not more than one week following the incident, the IT Security Officer and all affected parties will meet to review the results of any investigation to determine the root cause of the compromise and evaluate the effectiveness of the Incident Response Plan. Other security controls will be reviewed to determine their appropriateness for the current risks. Any identified areas in which the plan, policy or security control can be made more effective or efficient must be updated accordingly.
Security Awareness
School of Dentistry, University of Maryland shall establish and maintain a formal security awareness program to make all personnel aware of the importance of cardholder data security. (PCI Requirement 12.6)
Service Providers
School of Dentistry, University of Maryland shall implement and maintain policies and procedures to manage service providers. (PCI requirement 12.8)
This process must include the following:
- Maintain a list of service providers (PCI requirement 12.8.1)
- Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of the cardholder data the service providers possess (PCI requirement 12.8.2)
- Implement a process to perform proper due diligence prior to engaging a service provider (PCI requirement 12.8.3)
- Monitor service providers’ PCI DSS compliance status (PCI requirement 12.8.4)
Health Record Amendment Correction Policy
Subject: III. Clinical – F. HIPAA
Effective Date: March 2016
Reviewed and/or Revised: 09/01/2017, 02/28/2024, 07/31/2025
I. Policy Statement
It shall be the policy of the University of Maryland, School of Dentistry to capture, share, secure, maintain, and enhance health information assets in all mediums through appropriate information management policies. Our system shall meet applicable Federal, State, and regulatory requirements in support of the University of Maryland, School of Dentistry’s mission, vision, and values. Furthermore, it shall be the policy of University of Maryland, School of Dentistry to support and adhere to the rights and responsibilities of patients as specified in the State of Maryland Public Health and Mental Health Codes. It is the responsibility of the University of Maryland, School of Dentistry to ensure that these principles and policies are upheld. Patients have the right to request that information contained in their patient record be updated. If information in the custody of University of Maryland, School of Dentistry is requested to be updated it will be done through a formal process which provides documentation to support the inclusion or denial of these requests.
II. Policy Purpose
The purpose of this policy is to inform University of Maryland, School of Dentistry personnel of the procedures that must be followed when a patient requests that their Health Record be amended or corrected.
III. Standards
- Patients have the right to request an amendment of their health information.
- Patients must complete the "Amendment Correction of Health Record Request" form.
- Requests should be sent to the:
Associate Dean of Clinical Affairs,
Room 5209,
650 West Baltimore Street,
Baltimore, MD 21201
- A response is required within 60 days from the date the request was received. A one-time extension of 30 days may be granted under extenuating circumstances. The patient should be notified via the "30-Day Extension to Respond to Amendment/Correction Request" form.
- If the responsible faculty determines that the amendment is appropriate and the current information is incomplete or inaccurate without the patient’s requested amendment, the amendment should be made in the patient’s record.
- The "Acceptance of Amendment/Correction Request" form should be sent to the patient.
- Standard medical record procedures should be followed when making an amendment to a patient’s record.
- Any future disclosures of the amended PHI must include the amended information or a link to the amended information.
- The responsible faculty may deny a patient’s request to amend his/her health information.
- Clinic Administration staff should send the "Denial of Amendment/Correction Request" form to the patient, indicating the grounds for the denial.
- The patient may submit a statement of disagreement, limited to two pages.
- The responsible faculty, in conjunction with Clinic Administration staff, may prepare a rebuttal statement if necessary to clarify the School of Dentistry’s position. A copy of the rebuttal must be provided to the patient.
- The following documents must be included in any future disclosures of the patient’s information:
- Patient’s written amendment request;
- School of Dentistry’s Notice of Denial;
- Patient’s statement of disagreement (if any) and rebuttal statement (if any)
Information Management Policy
Subject: III. Clinical – F. HIPAA
Effective Date: March 2016
Reviewed and/or Revised: 09/01/2017
I. Policy Statement
It shall be the policy of the University of Maryland, School of Dentistry to capture, share, secure, maintain, and enhance the value of University of Maryland, School of Dentistry health information assets in all mediums through appropriate information management policies and actions that meet applicable Federal, State, regulatory, or contractual requirements and support the University of Maryland, School of Dentistry mission, vision, and values. Furthermore, it shall be the policy of University of Maryland, School of Dentistry to support and adhere to the rights and responsibilities of patients as specified in the State of Maryland Public Health and Mental Health Codes.
II. Policy Purpose
The purpose of this policy is to identify and disseminate the University of Maryland, School of Dentistry’s framework and principles for information management that guide our institutional actions and operations in protecting, generating, and sharing individually identifiable health information in support of the University of Maryland, School of Dentistry’s mission, vision, and values.
Click the following link to access the full Information Management Policy (PDF).
Information Management Policy – Sharing Data with External Entities
Subject: III. Clinical – F. HIPAA
Effective Date: March 2016
Reviewed and/or Revised: 09/01/2017, 02/28/2024, 07/31/2025
I. Policy Statement
It shall be the policy of the University of Maryland, School of Dentistry to capture, share, secure, maintain, and enhance the value of University of Maryland, School of Dentistry health information assets in all mediums through appropriate information management policies and actions that meet applicable Federal, State, regulatory, or contractual requirements and support the University of Maryland, School of Dentistry mission, vision, and values. Furthermore, it shall be the policy of University of Maryland, School of Dentistry to support and adhere to the rights and responsibilities of patients as specified in the State of Maryland Public Health and Mental Health Codes. It is the responsibility of the University of Maryland, School of Dentistry to ensure that these principles and policies are upheld even when individually identifiable health information in the custody of University of Maryland, School of Dentistry needs to be shared with other entities. Sharing of data shall be done by requiring potential data sharing partners to execute a Business Associate agreement which obliges them to handle the data in a manner consistent with Federal and State laws.
II. Policy Purpose
The purpose of this policy is to inform University of Maryland, School of Dentistry personnel of the procedures that must be followed if individually identifiable health information is to be shared with an external entity.
III. Standards
- External data users must not be permitted to access University of Maryland, School of Dentistry data assets unless the external users have completed a Business Associate Agreement with University of Maryland, School of Dentistry.
- There may be cases in which a state, federal, or regulatory agency requires that access be granted to it under law or regulation. In such cases, to the extent possible, a Business Associate Agreement meeting the criteria above shall be negotiated between University of Maryland, School of Dentistry and the agency before access is granted to the University of Maryland, School of Dentistry data assets.