LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 558.01 System Audit Controls
 
Policy Category:  Administrative
Distribution Level:  Directly-Operated Programs and Contracted Agencies
Review and Approved by:  Chief Information Office
 
Approved by Edgar M. Soto, MBA, CSP, Administrative Deputy III, on January 23, 2020
I.  POLICY STATEMENT
 
The purpose of this policy is to ensure Los Angeles County Department of Mental Health (DMH) has audit control mechanisms to record and examine activity in information systems that contain or use electronic protected health information (PHI).

Contracted agencies shall develop an internal policy and associated procedures that are consistent with their organizational practices and meet the requirements set forth in this policy.
 
II.  DEFINITIONS
 
III.  POLICY
 
DMH System Owners/Managers must: 
  • Ensure data systems containing PHI and other confidential information utilize a mechanism to log and store all system activities performed by machine or humans, in accordance with the recommended safeguards specified in the DMH Master Security Management Report and DMH Policy No. 550.01.
     
  • Develop an Audit Control and Review Plan that describes the systems and applications to be logged, activities to be audited, responsibilities of workforce members involved in the implementation of the Plan (including separation of duties), frequency of audits, and audit reporting and review process.  The Plan must be reviewed and approved by the Departmental Information Security Officer (DISO) or designee.
     
  • Protect and ensure the confidentiality, availability, and integrity of audit trails and internal audit reports.
     
  • Ensure audit trails are backed up and backups are verified and tested to assure complete restoration capability.
IV.  PROCEDURES
 
V.  AUTHORITIES