LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 506.01 Mitigation of Harm 
 
  PROCEDURES
  1. Reports of Suspected Violations
     
    1. All reports of suspected Violations of DMH Privacy-Related policies or of the HIPAA Privacy Standards by a Workforce Member or a Business Associate shall be forwarded immediately to the designated Privacy Officer.
       
    2. The Privacy Officer, or his/her designee, shall promptly conduct an investigation of the alleged violation and, as part of that investigation, shall document any known violation(s).
       
    3. The designated Privacy Officer, in consultation with outside legal counsel as deemed appropriate, shall take steps, as reasonably practicable, to mitigate the harmful effects of such violation to the individual whose PHI is at issue. Such steps may include, but are not limited to, imposing sanctions against Workforce Members in accordance with the Workforce Sanctions Policy, in a form that could inure to the benefit of the harmed individual, such as requiring specific types of restitution. To the extent that the individual harmed is aware of the harm, such as when the individual initiated a complaint, the designated Privacy Officer shall discuss any proposed mitigation with the individual in accordance with the Complaint Policy. If the individual is not aware of the harm, the general practice should be to inform the individual of the harm and to discuss options for mitigation.¹ However, in usual circumstances where it seems that informing the individual of the harm could be more harmful than helpful to the individual, County’s Chief Information Privacy Officer should be consulted for a recommendation.
       
    4. The designated Privacy Officer shall document all actions taken under this policy.
       
    5. When the violation was caused by a business associate, the contract shall be reviewed for possible indemnification or other form of recovery against the business associate, at least as to the costs of the mitigation.
       
  2. Review of Complaints and Audits
     
    1. Violations identified through the designated Privacy Officer’s review of all privacy-related complaints shall be analyzed for mitigation according to this policy.
       
    2. Violations identified through the designated Privacy Officer’s review of internal audit reports shall be analyzed for mitigation according to this policy.
       
    3. The designated Privacy Officer shall take steps, as reasonably practicable, which may include, but not be limited to, the actions identified in Section 4.1(c) in this policy, to mitigate any harmful effects of violations discovered pursuant to this Section.
¹ NOTE: HIPAA does not explicitly require that the harmed individual be informed of the harm. Because it seems unlikely that “silent” mitigation would be deemed sufficient mitigation, at least in many cases, this section recommends informing the harmed individual. However, again, this is not an explicit HIPAA requirement. More guidance may come in this area with the eventual release of the enforcement regulations.