LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 550.04 Access to Integrated Behavioral Health Information System
 
  PROCEDURES
 
  1. Integrated Behavioral Health Information System Account Management
     
    1. Account management policies apply to all Integrated Behavioral Health Information System (IBHIS) users, whether they are DMH or Non-DMH workforce members.
       
    2. Uniquely named IBHIS accounts are created upon the completion of the account request procedure outlined below. The three (3) components of each account are:
       
      1. User Account or User Identification (ID);
         
      2. Password; and
         
      3. User Role.
         
    3. An individual is eligible for an IBHIS user account if all of the following conditions are met:
       
      1. The individual is a current Los Angeles County Department of Mental Health (DMH/Department) workforce member or a non-DMH person such as a business associate, a contracted worker, a consultant, a volunteer, or another County department employee; and
         
      2. The individual’s access to IBHIS is permissible by law and also required in order to complete necessary job functions.
         
    4. After an IBHIS account has been created and used, if any change in the workforce member’s employment status or responsibilities takes place such that the individual is no longer justified in accessing IBHIS (such as separation from DMH or a change in job function that no longer requires access to the DMH Electronic Health Record (EHR) System), the account deactivation process outlined in Sections B and C must be followed immediately.
       
    5. To prevent unauthorized access that could lead to data compromise or a breach, IBHIS accounts are automatically deactivated after 90 days of inactivity.
       
    6. An IBHIS DMH workforce member’s access may be limited or terminated without prior notice at the request of management or Human Resources authorities because of improper access or inappropriate system usage, or as a result of an investigation or an audit review.
       
    7. Any request for an exception due to the unique responsibilities of a user or program must be reviewed and approved by the Departmental Information Security Officer (DISO).  A record of the decision and the type of access granted shall be maintained in the IBHIS account management folder.
       
  2. Access to IBHIS for a DMH Workforce Member

    Note: For inquiries related to Non-DMH workforce members’ access to IBHIS, refer to Section C.
     
    1. New account request for a DMH workforce member:
       
      1. DMH workforce members requesting an IBHIS account must:
         
         1. Have successfully completed the online Health Insurance Portability and Accountability Act (HIPAA) Compliance Training and received the minimum required operational preparation in the use of DMH IBHIS, with the expectation of completing the official comprehensive training conducted by IBHIS Super Users within 90 days of authorization;
        2. Have acknowledged that they have read and understand this policy and procedures; and
        3. Have signed the following documents:
           
         4. Once it is confirmed that the applicant has completed all required training and has completed and signed the required forms, the DMH workforce member’s Program Head or a level above shall electronically submit a “New Account or a Change Authorization Request” (an internal IBHIS feature designed for access-related inquiries), to be processed by the designated IBHIS Local User Administrator (IBHIS LUA).

          Note: The Program Head’s approval process includes review of the DMH workforce member’s duties to ensure that the requestor is eligible and justified to access the sensitive or confidential information within IBHIS.  Based on this evaluation, the Program Head shall assign the most appropriate and applicable role in IBHIS that is the minimum necessary for this individual as permissible by law for providing treatment, coordinated care, or other legally allowable purposes.
           
        5. Upon receipt, the IBHIS LUA will create the DMH workforce member’s account, assign the authorized role, and notify the individual by email.
        6. These requirements MUST be met prior to the user’s access to IBHIS.
        7. The signed copy of the forms must be maintained at the facility and should be made available at the request of the DISO, Compliance, Privacy, and Audit Services Bureau (CPAS), Quality Assurance (QA), or auditors.
           
    2. Account renewal for an IBHIS DMH workforce member:
       
       1. A typical IBHIS account life cycle is one (1) year.  The expiration date is set at the time the account is created.  Any IBHIS DMH workforce member whose justified access to the DMH EHR System must continue after the initial year shall submit a renewal request prior to their account’s expiration date.  Any exception must be reviewed and approved by the DISO.
         
      2. To ensure uninterrupted access to IBHIS, the IBHIS DMH workforce member must renew their access account annually by:
         
        1. Acknowledging that they have read and understand this policy and procedures.
        2. Re-signing the documents mentioned in B.1.a.iii.
           
       3. IBHIS access renewal for IBHIS DMH workforce members is done automatically through the employee’s Annual Report of Performance Evaluation.
         
    3. Account deactivation for an IBHIS DMH workforce member:
       
      1. If any of the following conditions are met, the IBHIS account must be deactivated:
         
        1. Separation of a workforce member from DMH;
        2. Extended Leave of Absence 90 days or longer;
        3. Access is no longer required to complete job functions; and/or
        4. By the request of the IBHIS DMH workforce member’s Program Head or Human Resources authorities due to improper access, or inappropriate system usage, as a result of an investigation or an audit review.
           
       2. In order to deactivate an IBHIS account, the IBHIS DMH workforce member’s Program Head or a level above shall electronically submit a “New Account or a Change Authorization Request” (an internal IBHIS feature designed for access-related inquiries), to be processed by the designated IBHIS LUA.
         
      3. Upon receipt, the IBHIS LUA shall deactivate the IBHIS DMH workforce member’s account.
         
      4. In addition, the IBHIS DMH workforce member’s Supervisor must notify CIOB by submitting an access termination Service Catalog Request.  This request must indicate the last day that the workforce member shall require access to IBHIS.  Access shall be terminated effective this date.
         
       5. To prevent unauthorized access that could lead to data compromise or a breach, an automated process has been designed and enforced that deactivates accounts that have been inactive for more than 90 days.  To reinstate a deactivated account, the IBHIS DMH workforce member must follow the procedures in Section B.4.
         
    4. Account Reinstatement or Role Change for an IBHIS DMH workforce member:
       
      1. In the event a deactivated IBHIS account needs to be reinstated:
         
         1. If it has been less than 90 days since the deactivation date, the IBHIS DMH workforce member’s designated Program Head or a level above must electronically submit a “New Account or a Change Authorization Request” (an internal IBHIS feature designed for access-related inquiries), to be processed by the designated IBHIS LUA.
         2. If it has been more than 90 days since the deactivation date, the IBHIS DMH workforce member shall be required to complete training before the designated Program Head or a level above submits a “New Account or a Change Authorization Request” (an internal IBHIS feature designed for access-related inquiries) to the designated IBHIS LUA.
        3. Upon receipt, the IBHIS LUA shall reinstate the IBHIS DMH workforce member’s account.
           
       2. In the event that an IBHIS DMH workforce member’s level of access or role in IBHIS must change:
          
         1. The IBHIS DMH workforce member’s designated Program Head or a level above shall electronically submit a “New Account or a Change Authorization Request” to the designated IBHIS LUA who, upon receipt, shall update the IBHIS DMH workforce member’s existing account, assign the newly authorized role, and notify the individual by email.
           
    5. Access Control and Audit for an IBHIS DMH workforce member:
       
      1. IBHIS contains a systematic collection of electronic health information about individual clients in a digitized format that forms the client’s EHR.  Each IBHIS role provides the privilege to access a specific segment of records.  Each IBHIS account must have a minimum of one role allocated for accessing information.  Accounts with no role shall be unable to access data.
         
       2. To ensure that an authorized IBHIS DMH workforce member’s access is limited to only what is minimally necessary and permissible by law for providing treatment, coordinated care, or other legally allowable purposes, roles must be carefully assigned.  An incorrectly assigned role can lead to inappropriate access and result in a HIPAA violation.
         
      3. DMH periodically audits access to data within IBHIS.  All access must be on a “need to know basis” in accordance with HIPAA Privacy/Security rules.  Data “Browsing” is strictly prohibited.
         
      4. Audit logs are maintained for a minimum of one year and available for routine and special audits or investigations as required or determined by the Administration Deputy, the Departmental Compliance Officer (DCO), or designee.  IBHIS reports may also be utilized as needed to validate appropriate use of the system.
         
        1. When responding to a request for release of information related to a particular clinical record, the audit log associated with that record and/or the identification of staff who have accessed this record shall only be released when the Department is legally required to provide the audit log associated with that record and/or to identify staff who accessed that clinical record (e.g., when the request explicitly asks for the audit log and/or for DMH to identify all staff who accessed the record).  If the Department is required to release the audit log and/or identify staff who have accessed a specific medical record, the Department shall restrict its response to that which is legally required to comply with the parameters of the request (e.g., treating staff only).
        2. IBHIS LUAs must be extremely cautious when setting up or configuring IBHIS access accounts.  They must make sure that the role about to be assigned to each user matches the level of access authorized and approved by the Program Head. This requires an explicit acknowledgement that the account’s role is accurately assigned and is appropriately utilized.
         3. IBHIS LUAs are required to periodically review the activities of the DMH workforce members who operate in their program and make sure that active IBHIS accounts are assigned to users whose access to PHI is still justified and appropriate.  During this review, they must make the Program Head aware of any observed suspicious activity, or of accounts that have been inactive for an extended period in a way that seems abnormal for the role held by the account holder.  The Program Head must then investigate and, where appropriate, reconsider these individuals’ access to the DMH EHR System.
        4. Occasionally, DISO, CPAS, QA, or auditors may review the IBHIS DMH workforce members’ activity logs and consult with the designated IBHIS LUA about a specific action or inquiry in IBHIS.  IBHIS reports shall be utilized to audit user activity.
         5. IBHIS LUAs are responsible for responding to such inquiries and must provide evidence and supporting documentation within five (5) business days of receiving the inquiry.
           
  3. Requesting IBHIS Access for an IBHIS Non-DMH Workforce Member

    Note: For inquiries related to IBHIS DMH workforce members’ access to IBHIS, refer to Section B.
     
    1. Selection of Representatives:
       
      1. Identify a main contact person employed by the Non-DMH organization (hereinafter “Non-DMH Liaison”) who shall be representing the Non-DMH organization throughout the course of the contract or project.
         
      2. Identify a DMH contact person (hereinafter “DMH Sponsor”) and a designee who shall be responsible for the project or program.  Only DMH Sponsors are authorized to approve Non-DMH workforce members’ access requests.
         
       3. Identify two (2) to three (3) IBHIS LUAs employed by DMH who shall be responsible for the account creation and maintenance tasks assigned to them by the DMH Sponsor or designee.
         
      4. DMH Sponsors are responsible for all the individuals whose access they approve.  They must ensure that the requestor has the clinical justification to access the information and the role and level of privilege requested is the minimum necessary for this individual as permissible by law for providing treatment, coordinated care, or other legally allowable purposes.
         
       5. The Non-DMH Liaisons are responsible for the actions and activities of their organization’s personnel.  They must ensure that the IBHIS Non-DMH workforce members whose applications they submit are clinically qualified and have appropriate justification for accessing IBHIS.
         
    2. New Account Request for an IBHIS Non-DMH Workforce Member:
       
       1. The Non-DMH Liaison or designee shall distribute the required IBHIS forms and documentation to the respective individuals.  Before the access request is sent to the DMH Sponsor, the IBHIS Non-DMH workforce member must meet the following requirements:
          
         1. Have successfully completed the online HIPAA Compliance Training and received the minimum required operational preparation in the use of IBHIS, with the expectation of completing the official comprehensive training conducted by IBHIS Super Users within 90 days of authorization;
         2. Have acknowledged that they have read and understand this policy and procedures; and
        3. Sign the following documents:
           
       2. The Non-DMH Liaison shall collect and review the signed and completed forms from the requesting individuals, complete an IBHIS Access Request Form, and select the most appropriate level of privilege that the individual may need for their assignments.
         
       3. The Non-DMH Liaison or designee shall then submit all the documents to the DMH Sponsor or designee.
         
      4. In order to ensure the integrity of the request and to prevent fraudulent requests, the DMH Sponsor or designee must only accept requests directly from the Non-DMH Liaison.  Any request received from anyone other than the Non-DMH Liaison shall be rejected.
         
      5. DMH Sponsor or designee shall review and validate the accuracy of the request and verify that the role and level of privilege being requested is the minimum necessary as permissible by law for providing treatment, coordinated care, or other legally permissible purposes.
         
       6. Once it is confirmed that the applicant has completed all required training, the DMH Sponsor or designee shall electronically submit a “New Account or a Change Authorization Request” (an internal IBHIS feature designed for access-related inquiries) to the designated IBHIS LUA.
         
       7. Upon receipt of the request indicated in Section C.2.f, the IBHIS LUA shall create the IBHIS Non-DMH workforce member’s account, assign the authorized role, and notify the individual by email.  The Non-DMH Liaison can assist the user with instructions, when needed.
         
      8. The signed copy of the forms must be stored and maintained by the DMH Sponsor or designee.  The DMH Sponsor or designee must be able to provide the forms at the request of the DISO, CPAS, QA, or auditors.
         
    3. Account deactivation for an IBHIS Non-DMH workforce member:
       
       1. The Non-DMH Liaison shall submit to the DMH Sponsor or designee an IBHIS Access Request Form requesting account deactivation and stating the termination’s effective date.
          
       2. It is critical that all changes in employment status, and any change in an IBHIS Non-DMH workforce member’s role that no longer justifies the individual’s access to IBHIS, are reported in a timely manner.  Any delay may result in unauthorized access and could be considered a HIPAA violation or a breach.
         
      3. In order to ensure the integrity of the request and to prevent fraudulent requests, the DMH Sponsor or designee must only accept requests directly from the Non-DMH Liaison.  Any request received from anyone other than the Non-DMH Liaison shall be rejected.
         
       4. The DMH Sponsor or designee shall then electronically submit a “New Account or a Change Authorization Request” (an internal IBHIS feature designed for access-related inquiries) to the designated IBHIS LUA.
          
       5. Upon receipt, the IBHIS LUA shall terminate the IBHIS Non-DMH workforce member’s account.  Timely action is required to prevent any unauthorized access.
         
    4. Account Reinstatement or Role Change for an IBHIS Non-DMH workforce member:
       
       1. To prevent the risk of unauthorized access, accounts that have been inactive for more than 90 days are automatically disabled.  Should a user take an extended leave of absence exceeding 90 days, the Non-DMH Liaison must submit a request for the preservation and reinstatement of the user’s account to the DMH Sponsor or designee.
          
       2. To request a change in a user’s level of access, the Non-DMH Liaison shall submit to the DMH Sponsor or designee an IBHIS Access Request Form requesting modification of the IBHIS Non-DMH workforce member’s existing role.
         
      3. In order to ensure the integrity of the request and to prevent fraudulent requests, the DMH Sponsor or designee must only accept requests directly from the Non-DMH Liaison.  Any request received from anyone other than the Non-DMH Liaison shall be rejected.
         
       4. The DMH Sponsor or designee shall review and validate the accuracy of the request and verify that the role and level of privilege requested is the minimum necessary as permissible by law for providing treatment, coordinated care, or other legally allowable purposes.
          
       5. Once it is confirmed that the applicant has completed all required training, the DMH Sponsor or designee shall electronically submit a “New Account or a Change Authorization Request” (an internal IBHIS feature designed for access-related inquiries) to the designated IBHIS LUA.
         
      6. Upon receipt, the DMH IBHIS LUA shall modify the Non-DMH organization user’s existing account, assign the new authorized role, and notify the individual by email.  The Non-DMH liaison can assist the user with instructions, when needed.
         
      7. The signed copy of the forms must be stored and maintained by the DMH Sponsor or designee.  The DMH Sponsor or designee must be able to provide the forms at the request of the DISO, CPAS, QA, or auditors.
         
    5. Access Control and Audit for an IBHIS Non-DMH workforce member:
       
       1. The DMH Sponsor or designee shall maintain regular contact with the Non-DMH Liaison and ensure that any change in employment status, or any change in an IBHIS Non-DMH workforce member’s role that no longer justifies the individual’s access to IBHIS, is reported in a timely manner.  Once a change in a user’s employment status, access level, or role is reported, the responsible DMH Sponsor or designee must take immediate action.  Any delay may result in unauthorized access and could be considered a HIPAA violation or a breach.
          
       2. The Non-DMH Liaison must request a list of all active IBHIS accounts under their supervision at least once a month in order to ensure that the list is accurate and that roles are appropriately assigned.  Upon request, the DMH Sponsor or designee must generate and provide a list of all active IBHIS accounts belonging to Non-DMH workforce members for whom they have authorized access, including each user’s role.
         
       3. The Non-DMH Liaison must compare the lists and confirm that all listed accounts and roles have been accurately assigned and that inactive users’ access has been removed accordingly.
         
      4. All errors and discrepancies must be immediately corrected and reported to the DMH Departmental Privacy Officer (DPO) and DISO.
         
       5. It is the responsibility of the Non-DMH Liaison to keep track of the anniversary date of all users whose conduct in the performance of work is under their authority.  If any of them requires access to DMH resources beyond their anniversary date, the Non-DMH Liaison shall submit renewal forms for each such individual a few weeks prior to the account’s expiration date, so that the renewed access takes effect before the expiration date and interruption of the user’s access is avoided.
          
       6. Any request for an exception due to the unique responsibilities of a user or program must be reviewed and approved by the DISO.  A record of the decision and the type of access granted shall be maintained in the IBHIS account management folder.
         
       7. In the event of unauthorized access or an inappropriate disclosure, the Non-DMH Liaison must take immediate action and report the incident by phone and email to the DMH Sponsor or designee as well as to the DISO.
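The monthly reconciliation in C.5.b through C.5.e, together with the 90-day inactivity rule (A.5, C.4.a), the one-year account life cycle (B.2.a) and the "no role, no access" rule (B.5.a), can be checked mechanically once the Sponsor's active-account list and the Liaison's roster are side by side. The following is an added example written for this page, not code from DMH or from the IBHIS system; the field names (user_id, role, created, last_login), the roster format and the sample data are constructed assumptions, since the real IBHIS export format is not described in this policy.

```python
"""Added example (not part of DMH Policy 550.04 or IBHIS): reconcile the
DMH Sponsor's list of active Non-DMH accounts (C.5.b) against the Non-DMH
Liaison's roster (C.5.c) and flag the lifecycle conditions the policy names.
Field names and sample records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

INACTIVITY_LIMIT = timedelta(days=90)   # A.5 / C.4.a: auto-deactivation threshold
ACCOUNT_LIFETIME = timedelta(days=365)  # B.2.a: typical one-year account life cycle


@dataclass
class Account:
    user_id: str
    role: Optional[str]        # None models an account with no role assigned (B.5.a)
    created: date              # expiration date is derived from creation (B.2.a)
    last_login: Optional[date]  # None: never logged on since creation


def reconcile(active_accounts: List[Account], roster: Dict[str, str],
              today: date) -> Dict[str, List[str]]:
    """Return findings keyed by category (every key is always present).

    roster maps user_id -> the role the Liaison says that person should hold.
    """
    findings = {"not_on_roster": [], "role_mismatch": [], "no_role": [],
                "inactive_90_days": [], "renewal_due": [], "missing_account": []}
    seen = set()
    for acct in active_accounts:
        seen.add(acct.user_id)
        expected = roster.get(acct.user_id)
        if expected is None:
            findings["not_on_roster"].append(acct.user_id)      # C.5.c: remove access
        elif acct.role and acct.role != expected:
            findings["role_mismatch"].append(acct.user_id)      # C.5.d: correct and report
        if not acct.role:
            findings["no_role"].append(acct.user_id)            # B.5.a: cannot access data
        last_activity = acct.last_login or acct.created
        if today - last_activity > INACTIVITY_LIMIT:
            findings["inactive_90_days"].append(acct.user_id)   # A.5: should be disabled
        if today - acct.created >= ACCOUNT_LIFETIME:
            findings["renewal_due"].append(acct.user_id)        # C.5.e: anniversary passed
    for user_id in roster:
        if user_id not in seen:
            findings["missing_account"].append(user_id)         # roster entry with no account
    return findings


# Constructed sample data for a review dated 2024-03-01 (not real accounts).
REVIEW_DATE = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "Clinician", date(2023, 6, 1), date(2024, 2, 20)),   # fully compliant
    Account("asmith", "Clerical", date(2023, 1, 15), date(2024, 2, 28)),  # wrong role, past 1 year
    Account("bwong", "Clinician", date(2023, 9, 1), date(2023, 11, 1)),   # idle more than 90 days
    Account("ghost", "Clinician", date(2023, 10, 1), date(2024, 2, 1)),   # no longer on roster
    Account("tlee", None, date(2024, 1, 10), None),                       # account with no role
]
SAMPLE_ROSTER = {"jdoe": "Clinician", "asmith": "Clinician", "bwong": "Clinician",
                 "tlee": "Clerical", "newhire": "Clinician"}


def run_sample() -> Dict[str, List[str]]:
    return reconcile(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for category, ids in run_sample().items():
        print(f"{category:18s} {', '.join(ids) or '-'}")
```

Each non-empty category maps to a policy action: "not_on_roster" and "inactive_90_days" entries go through the deactivation request in C.3, "role_mismatch" and "no_role" are corrected and reported to the DPO and DISO under C.5.d, and "renewal_due" entries need renewal forms under C.5.e. "missing_account" is informational only; it usually means a new-account request is still in flight.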
         
    6. Password Protection
       
      1. DMH abides by the following standards with regard to password protection:
         
        1. Passwords must have a minimum length of eight (8) characters; and
        2. Passwords must meet at least three (3) out of the four (4) following requirements:
           
          • Contain at least one (1) lower case letter (a through z);
          • Contain at least one (1) upper case letter (A through Z);
          • Contain at least one (1) base ten (10) digit (0 through 9); and
          • Contain at least one (1) special character such as % or *.
             
        3. Passwords may not contain the user’s first or last name.
         4. Minimum password age is set to zero (0) days.  This allows users to change their password at any time, especially if they suspect that someone else knows their password.
         5. Maximum password age is set to 90 days.  Passwords on all DMH systems must be changed at least every 90 days.
        6. Password expiration reminders are set to 14 days prior to expiration date and every time the user initiates a logon.
        7. The reuse of the last six (6) passwords is prevented.  Accordingly, a history of previously used passwords is maintained.
        8. Unique initial passwords must be provided through a secure and confidential manner, and initial passwords must be changed upon first logon.
        9. After five (5) unsuccessful consecutive logon attempts (e.g., incorrect passwords), the user’s account shall become automatically locked, and the user must contact the DMH Help Desk for account unlocking.
        10. Passwords should never be written down and left in plain sight or stored in plain text online.  If a password must be written down, it should be stored in a secure location.
        11. Users must prevent passwords from being known or used by others.
        12. Users must log off from applications when done using them.
         13. Users must secure their workstations (i.e., activate the lock screen) when they are away from them.  Devices shall automatically lock after 20 minutes of inactivity.
        14. Users must never use the “Remember Password” feature for any application.
        15. Users must report suspected password compromises.
        16. Users must contact the DMH Help Desk if they believe someone has obtained their password.
        17. Users must change their password if they suspect it has been compromised.
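The composition rules in C.6.a.i through C.6.a.iii and the six-password history in C.6.a.vii are the parts of this standard that can be checked before a password is submitted; password age, expiration reminders and lockout (C.6.a.iv through C.6.a.ix) are enforced by the directory or application itself. The following is an added example written for this page, not DMH or IBHIS code: a pre-flight check a provisioning or help-desk script could run. It assumes that any ASCII punctuation character counts as a "special character" (the policy gives only % and * as examples) and, for illustration only, compares history in plaintext; a real system would compare against stored password hashes.

```python
"""Added example (not part of DMH Policy 550.04): check a candidate password
against the composition and history rules of Section C.6.a.
Assumption: "special character" means any ASCII punctuation character.
"""
import string
from typing import List, Sequence

MIN_LENGTH = 8          # C.6.a.i
REQUIRED_CLASSES = 3    # C.6.a.ii: at least three of the four classes
HISTORY_DEPTH = 6       # C.6.a.vii: the last six passwords may not be reused


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, special) appear."""
    present = (
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),   # assumed definition of "special"
    )
    return sum(present)


def policy_violations(password: str, first_name: str, last_name: str,
                      history: Sequence[str] = ()) -> List[str]:
    """Return human-readable violations; an empty list means the password complies."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < REQUIRED_CLASSES:
        problems.append(f"fewer than {REQUIRED_CLASSES} of 4 character classes")
    lowered = password.lower()
    for name in (first_name, last_name):        # C.6.a.iii, compared case-insensitively
        if name and name.lower() in lowered:
            problems.append(f"contains the user's name '{name}'")
    # Only the most recent HISTORY_DEPTH entries are checked; history is oldest-first.
    if password in list(history)[-HISTORY_DEPTH:]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def is_compliant(password: str, first_name: str, last_name: str,
                 history: Sequence[str] = ()) -> bool:
    return not policy_violations(password, first_name, last_name, history)


if __name__ == "__main__":
    # Constructed examples, not real credentials.
    for candidate in ("Passw0rd!", "password", "Doe12345", "Sh0rt!"):
        print(candidate, policy_violations(candidate, "Jane", "Doe") or "OK")
```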
           
    7. Remote Access
       
      1. IBHIS DMH and IBHIS Non-DMH workforce members who have been authorized for connecting remotely to IBHIS System must ensure the following controls are implemented:
         
        1. The remote computing device being used must be protected with a password;
        2. A firewall must be activated and configured on the remote computing device;
        3. The remote computing device being used must be running the vendor-supported operating system that is automatically updated and has up-to-date security patches installed;
        4. Vendor-supported anti-virus, anti-spyware must be installed to perform continuous and/or scheduled scanning to detect malware or malicious activities.  The virus definition list must be automatically checked and updated at least once daily;
        5. The remote computing device must be configured to lock after 20 minutes of inactivity;
        6. The remote computing device must be physically protected and not shared with unauthorized persons;
         7. The displayed information must not be visible to any unauthorized person;
        8. The remote computing device must be locked or logged off while unattended.
         9. Accessing DMH resources and systems from any public or private wireless access point (WAP) or Wi-Fi connection that is unencrypted or password-free is prohibited.  Consequently, access to PHI over a wireless connection is prohibited unless it is via a secure, encrypted connection.
        10. When emailing confidential information from a remote computing device, IBHIS DMH and IBHIS Non-DMH workforce members must use the DMH secure messaging system in accordance with DMH Policy 557.02; and
        11. Remote IBHIS DMH and IBHIS Non-DMH workforce members are prohibited from using or printing paper documents that contain PHI unless this action is an approved part of conducting business as defined by the user’s role.  Paper documents containing PHI must be appropriately stored or transported in accordance with DMH Policy 508.01. 
        12. Remote IBHIS DMH and IBHIS Non-DMH workforce members are prohibited from storing sensitive or confidential data such as PHI onto their computing device unless the device is encrypted or the electronic documents containing PHI are encrypted prior to storage or transportation.