LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 500.09 - Use and Disclosure of Protected Health Information on Social Media Platforms
 
Policy Category:  Administrative
Distribution Level:  Directly-Operated
Responsible Party:  Quality Assurance
 
Approval completed on Apr 22, 2026
 
 
 
I.  PURPOSE
 
The purpose of this policy is to govern content creation and sharing, including posts, comments, photos, videos, and any  digital communications that reference programs, clients, or the organization.

The policy establishes clear expectations for workforce members, contractors, and affiliates of the Los Angeles County Department of Mental Health (DMH) regarding the use of social media platforms in both professional and personal contexts to prevent unauthorized use and disclosure of Protected Health Information (PHI), Personal Identifiable Information (PII), or Confidential Organizational Information.

This policy is intended to ensure that DMH practices are consistent with the provisions of the Health Insurance Portability and Accountability Act (HIPAA) and California Medical Information Act (CMIA). The policy applies to all DMH workforce members and contractors and all social media platforms, including official organizational accounts and personal accounts when referencing the organization in work-related content. 
 
II.  DEFINITIONS
 
Disclosure: With respect to PHI, the release, transfer, provision of access to or divulging in any other manner of PHI outside of DMH.

Protected Health Information: Individually identifiable information maintained or transmitted by DMH in any form or medium, relating to the past, present, or future physical or mental health condition of an individual, the provision of health care to an individual; or past present, or future payment for the provision of health care to an individual. 

Personal Identifiable Information: Information that can be used alone or in combination to identify, distinguish or trace an individual's identity, either alone or when combined with other information, including demographic, financial, or health related data. 

Social Media Platform: Any online service, digital service, website, application or platform that enables users to communicate, network, create, share, or exchange content, publicity or privately. Social media platforms identified but not limited to Facebook, Instagram, Twitter, LinkedIn, YouTube, Tik Tok and Threads. 

Confidential Organizational Information: Non-public information related to DMH operations, systems, investigations, complaints, incidents, contracts, or internal communications that is protected from disclosure by law, County policy, or DMH policy.

Content: Any text, image video, audio, graphic, emoji, reaction, hyperlink, story, reel, live stream, comment, reply, direct message, or other digital material created, shared, or transmitted on a social media platform in connection with DMH clients, programs, workforce members, or operations. 
 
III.  POLICY
 
All DMH workforce members are responsible for ensuring that any use of social media complies with this policy, HIPAA and CMIA, and related organizational confidentiality standard, and aligns with the Department's Code of Organizational Conduct, Ethics, and Compliance.

Social media use must never compromise the privacy, dignity, or confidentiality of any client or employee. 

A. Workforce members shall not:
  • use personal or professional social media platforms to post, share, discuss, or reference any information that directly or indirectly reveals the identity of any client, including PHI, PII and confidential organizational information.
  • discuss, photograph, or record client encounters, treatment settings, program activities, or confidential operations.
  • post images, screenshots, or written content obtained from the workforce, electronic health record systems, or internal communications.
  • engage in discussions that could disclose internal program operations, privacy and/or security incidents or investigations. 
  • respond publicly to client or participant comments, questions, or complaints that reference client PHI/PII or case-specific details. 
  • use organizational resources, logos or official imagery on personal social media accounts without supervisor approval or written authorization from clients. 
  • post discriminatory, harassing, or defamatory content about clients, colleagues, or partner agencies. 
B. Prohibited Use and Disclosure of PHI on Social Media. 

Workforce members are strictly prohibited from posting/sharing comments, tags, photos, client information, mental/physical health, work-related information or discussions of any client information, including PHI/PII in the following manner:
  • Client Outreach - workforce members communicating with clients and/or client representatives through social media platforms is strictly prohibited. 
  • Direct Identification of clients - names, addresses, DOB, SSN, emails phone numbers, photos, or videos.
  • Indirect Identification - post that describe circumstances, conditions, or events that could reasonably allow someone to infer identify the client. 
  • Direct Identification - combining demographic details, dates, or location information that could lead to client identification.
  • Health or Treatment Discussions - diagnosis, treatment plans, medications, conditions, or medical history.
  • Discussions of Health or Treatment Information - diagnosis, treatment plans, medications, conditions, mental/medical history or health status and care received. 
  • Posting of workplace encounters - screenshots of clinical areas, program offices where clients are present or emails containing client PHI/PII and Confidential Organizational Information. 
  • Incidents or Client Complaints - discussions related to client complaints, grievances, reported incidents or investigations details on personal/professional platforms. 
  • Social Media Client Requests - responding to requests for individual information on social media or sharing client PHI/PII and participation in social media collaborative platforms without a signed authorization. 
C.  Permissible Use and Disclosure on Social Media

Workforce members may post with prior approval from the Public Information Office (PIO):
  • pre-approved organizational content that de-identifies client PHI/PII and/or Confidential Organizational Information to promote outreach efforts.
  • when the client has been informed and given the opportunity to object or agree and a signed Authorization for Use and disclosure of Protected Health Information (MH602) has been obtained from the client. 
  • to promote outreach and education programs with authorization.
  • to participate in professional discussions without disclosing PHI/PII and confidential organizational information.
Workforce members have a duty to report suspected or confirmed unauthorized disclosure of PHI/PII on social media platforms immediately to the Program Manager and Privacy Officer. 

Violations of this section may constitute an Impermissible Disclosure of PHI under 45 CFR 164.502(a) and can result in corrective or disciplinary action, up to and including termination of employment.
 
IV.  PROCEDURES
 
V.  AUTHORITIES
 
Code of Federal Regulations HIPAA Titles 45 Parts 160 and 164.
CMIA - California Civil Code Sections 56-56.37
CCPA - California Civil code Sections 1798. 100-1798.199
 
VI.  ATTACHMENTS