LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 556.01 Acceptable Use and Confidentiality of County Information Assets
 
  PROCEDURES
  1. Agreement for Acceptable Use
     
    1. Los Angeles County Department of Mental Health (DMH) workforce members performing in a management or supervisory capacity must ensure that all DMH and non-DMH workforce members (including employees, volunteers, interns, contractors, sub-contractors, consultants, vendors and business associates) who electronically access, process, store and/or transmit County Personal Identifiable Information (PII) and/or Protected Health Information (PHI), and whose conduct in the performance of work for DMH is under their authority, acknowledge and sign the Agreement for Acceptable Use and Confidentiality of County Information Assets before accessing any resource or information.
       
    2. DMH managers and supervisors must ensure that the County of Los Angeles Agreement for Acceptable Use and Confidentiality of County Information Assets is renewed and re-signed annually for compliance with Board of Supervisors Policy 6.101, Use of County Information Technology Resources, and that the signed acknowledgments are filed in the user's official personnel folder (or vendor file).
       
    3. DMH System Managers/Owners must ensure every user who requires access to County information technology (IT) resources and data has signed the Agreement for Acceptable Use and Confidentiality of County Information Assets prior to providing access.
       
  2. Responsibility
     
    1. Access to County IT resources and accounts is a privilege granted to individual DMH and non-DMH workforce members and is based on their job duties and may be modified or revoked at any time. They each are responsible for the protection of DMH and the County's IT resources and data with which they are entrusted; accessing, using, exposing, disclosing, and modifying only as authorized; and accessing and using them for their intended purposes.
       
    2. DMH and non-DMH workforce members must also protect all information contained in the IT resources as required by local, State, and federal laws and regulations. Each must sign and abide by the Agreement as described in Section A. Violation of this Acceptable Use for County IT Resources Policy may result in disciplinary action, up to and including discharge, and possible civil and/or criminal liability.
       
    3. County IT Resources are the property of the County. The County has the right to administer all aspects of County Information Asset access, including, without limitation, the right to monitor and restrict such access.
       
  3. DMH and Non-DMH Workforce Member Privacy
     
    1. Workforce Members have no expectation of privacy with respect to their use of the County information system assets because at any time DMH may log, review, or monitor any data created, stored, sent, or received. DMH has and will exercise the right to monitor any information stored on a workstation, server, or other storage device; monitor any data or information transmitted through the DMH network; and/or monitor sites visited on the DMH intranet, Internet, chat groups, newsgroups, material downloaded or uploaded, and e-mail sent and received through or from the County network. DMH may use manual or automated means to monitor use of its County IT resources.
       
    2. Use of passwords to gain access to County IT resources or to encode particular files or messages does not imply any expectation of privacy in the material created or received. The requirement for use of passwords is based on DMH's obligation to properly administer IT resources to ensure the confidentiality, integrity, and availability of information. All DMH and non-DMH workforce members are required to authenticate with a unique ID so that all access may be auditable.
       
  4. Minimal Personal Use
     
    1. DMH and Non-DMH workforce members may use County Information Assets for minimal personal use, provided that the use is not prohibited, does not impact performance or business operations and has the appearance of professionalism, even if it is not used in a public setting.
       
  5. Prohibited Activities
     
    1. Prohibited Uses - DMH and Non-DMH workforce members are prohibited from using County IT Resources for any of the following activities:
       
      1. Engaging in unlawful or malicious activities;
      2. Sending, receiving, or accessing pornographic materials;
      3. Engaging in abusive, threatening, profane, racist, sexist, or otherwise objectionable language;
      4. Engaging in personal or commercial activities for profit;
      5. Playing games or accessing non-business-related applications;
      6. Streaming non-business-related high bandwidth materials such as music, videos or movies;
      7. Misrepresenting oneself or the County;
      8. Misrepresenting a personal opinion as an official County position;
      9. Defeating or attempting to defeat security restrictions on County systems or applications;
      10. Broadcasting unsolicited, non-work-related messages (spamming);
      11. Intentionally disseminating any destructive program (e.g., viruses);
      12. Creating unnecessary or unauthorized network traffic that interferes with the efficient use of County IT Resources (e.g., spending excessive amounts of time on the Internet, engaging in online chat groups, listening to online radio stations);
      13. Attempting to view and/or use another person's account(s), computer file(s), program, or data without authorization;
      14. Using County IT Resources to gain unauthorized access to DMH or other systems;
      15. Using unauthorized wired or wireless connections to DMH networks;
      16. Copying, downloading, storing, sharing, installing, or distributing movies, music, and other materials protected by copyright, except as clearly permitted by licensing agreements or fair use laws;
      17. Using County IT Resources to commit acts that violate State, federal, and/or international laws, including but not limited to laws governing intellectual property;
      18. Participating in activities that may reasonably be construed as a violation of National/Homeland security; and
      19. Posting or transmitting private, proprietary, or confidential information, including patient information, to unauthorized persons, or without authorization.
         
    2. Misuse of software: At no time may any DMH and Non-DMH workforce member be engaged in software copyright infringements. DMH prohibits all workforce members from conducting the following activities without proper licensing and prior written authorization:
       
      1. Copying County-owned software onto their non-County computers;
      2. Providing copies of County-owned software to independent contractors, clients, or any other third-party person;
      3. Installing non-County software on any DMH workstation (e.g., desktops, personal computers, mobile devices, laptops) or server without the written approval of the Departmental Information Security Officer (DISO) or designee;
      4. Downloading software from the Internet or other online server to DMH workstations or servers;
      5. Modifying, revising, transforming, recasting, or adapting County-owned software; and
      6. Reverse engineering, disassembling, or decompiling County-owned software.
         
  6. Passwords
     
    1. DMH and Non-DMH workforce members are responsible for safeguarding their passwords for access to the County IT resources. Individual passwords should not be printed, stored online, or given to others. All workforce members are responsible for all transactions made using their passwords. No individual may access any County IT resource with another person’s password or account unless such access is explicitly allowed by the accessing person’s job description.
       
    2. Under no circumstances should DMH and Non-DMH workforce members share their passwords with anyone, even their subordinates, management or IT support. Sharing computer identification codes and other authentication mechanisms (e.g., logon identification (ID), computer access codes, account codes, passwords, SecurID cards or tokens, biometric logons, and smartcards) is strictly prohibited.
       
  7. Security
     
    1. County IT Resources
       
      1. Security measures must be employed by all DMH and non-DMH workforce members to safeguard all County stored, received or transmitted PII and/or PHI.
      2. DMH and non-DMH workforce members are responsible for ensuring that the use of outside computers and networks, such as the Internet, does not compromise the security of County IT resources. This responsibility includes taking reasonable precautions to prevent intruders from accessing County IT resources.
      3. DMH and non-DMH workforce members are prohibited from connecting any Non-DMH computing devices or their personally owned equipment to the DMH or County Network without the prior approval of the DMH Departmental Information Security Officer or designee.
      4. Storing confidential or sensitive information including PHI onto any Non-DMH computing devices or personally owned equipment is strictly prohibited unless the device meets DMH security and encryption expectations and with the prior approval from the DISO.
         
    2. Malicious Software
       
      1. Malicious Software can cause substantial damage or inconvenience to County IT resources. DMH and non-DMH workforce members are responsible for taking reasonable precautions to ensure they do not introduce malicious software into County resources. They must not bypass or disable DMH malicious software protections and must only use or distribute storage media or email (including attachments) known to be free from malicious software.
      2. Any DMH and non-DMH workforce member who telecommutes or is granted remote access, must utilize equipment that contains current County-approved antivirus software and must adhere to County hardware/software protection standards and procedures that are defined by the County and DMH.
      3. DMH restricts access to the Internet or any other network via modem, Digital Subscriber Line, cellular wireless, or other telecommunication services. No DMH and non-DMH workforce member may employ any external inbound or outbound connections to DMH network resources unless explicitly authorized by the Departmental Information Security Officer or designee.
      4. Each DMH and non-DMH workforce member is responsible for notifying the Department's Help Desk as soon as a device is suspected of being compromised by malware.
         
  8. E-Mail
     
    1. Access to DMH e-mail services is a privilege that may be wholly or partially restricted without prior notice and without consent of the DMH and non-DMH workforce members. E-mail messages are the property of the County and subject to review by authorized County personnel.
       
    2. E-mail messages are legal documents. Statements must not be made on e-mail that would not be appropriate in a formal memo. DMH and non-DMH workforce members must endeavor to make each electronic communication truthful and accurate. They are to delete e-mail messages routinely in accordance with both the DMH and County E-mail policies.
       
    3. PHI and other confidential and/or sensitive information can be sent or received only if it is encrypted or safeguarded in accordance with DMH Policy 508.01, Safeguards for Protected Health Information.
       
    4. Regardless of who the recipients may be, all emails that contain sensitive or confidential information must be encrypted and sent through DMH Secure Messaging System. This includes DMH Workforce Member recipients as well.
       
    5. All DMH and non-DMH workforce members must delete email containing PHI from applicable folders in the Outlook application (“Inbox,” “Sent,” “Deleted,” etc.) once the business need has been satisfied and the documentation has been completed. PHI shall not remain in anyone’s mailbox for an extended period.
       
    6. Internet-based e-mail services accessed with County IT resources must only be used for County purposes.
       
    7. All DMH and non-DMH workforce members, authorized or not, are prohibited from texting PHI and/or Confidential Data, including but not limited to scripts, images, audio or video, through Short Message System (SMS), Enhanced Message System (EMS), iMessage or unsecure chats. Only authorized personnel who have a justified business need may exchange sensitive content via DMH Secure Texting Solution and applications. If a text message that includes confidential data such as PHI is sent to a DMH and non-DMH workforce member via standard SMS or iMessage, he/she must respond to the sender via other means of communication (e.g., telephone or mail) with instructions to delete the text message immediately.
       
  9. Use of the Internet
     
    1. Use of the Internet must be in accordance with DMH and County Internet and privacy policies.
       
    2. DMH is not responsible for material viewed or downloaded by DMH and non-DMH workforce members from the Internet. The Internet is a worldwide public network that is uncensored and contains sites that may be considered offensive. Anyone accessing the Internet does so at their own risk and DMH shall not be liable for inadvertent exposure to any offensive materials.
       
    3. Internet access is provided to DMH and non-DMH workforce members at the discretion of their DMH Manager or Supervisor.
       
  10. Incident Reporting

    If a County Resource, Data or Computing equipment is lost, stolen, or damaged:
     
    1. The DMH and non-DMH workforce members must immediately notify the Chief Information Office Bureau (CIOB) Helpdesk and provide a detailed statement about the accident or incident (When, Where, What, Who, How). CIOB Helpdesk will initiate necessary data security measures to mitigate any risks and will notify the responsible authorities accordingly. This may include service deactivation if applicable.
       
    2. The DMH and non-DMH workforce members must immediately notify the designated DMH workforce member who is responsible for them in a management or supervisory capacity. That DMH workforce member then must complete an Accident/Incident Investigative Report (AIIR) via the Service Catalog.
       
    3. Upon completion, the AIIR automatically will be forwarded to the responsible parties such as DMH Information Security, DMH Privacy, and Procurement Units, who upon receipt will take appropriate action to mitigate any possible introduced risk.
       
    4. Law Enforcement Report:
       
      1. For loss or theft, the DMH and non-DMH workforce member must file a police report within thirty (30) days of the incident. The report shall be emailed to DMH Helpdesk and also attached to the AIIR.
      2. For damages, it will be up to the discretion of CIOB to determine if the DMH and non-DMH workforce member must provide a police report within thirty (30) days of the incident. If required, the police report shall be emailed to DMH Helpdesk and also attached to the AIIR.
         
    5. Whether lost, stolen, or damaged, if carelessness or negligence is determined to be the cause, the DMH and non-DMH workforce member may be financially responsible for the full or partial cost of replacing the device.
       
    6. If the required police report is not provided within thirty (30) days of the incident, the DMH and non-DMH workforce member will automatically be considered responsible for reimbursing the Department for the full or partial cost of replacing the device.
       
  11. Contractor Protection of Electronic County Information
     
    1. To comply with Board of Supervisors Policy 5.200, Contractor Protection of Electronic County Information, DMH contractors, sub-contractors, consultants, vendors and business associates must follow guidelines described in Attachment - Contractor Protection of Electronic County Information.