Documentation Requirements (45 CFR § 164.316(b)(1))
All security compliance documentation is maintained in either printed or electronic form.
All data security actions and assessments conducted by the Los Angeles County Department of Mental Health (DMH/Department) Information Security Team must be documented and maintained in either printed or electronic form.
Documentation Retention (45 CFR § 164.316(b)(2)(i))
All security compliance documentation must be retained for at least six (6) years from the date of its creation or the date when it last was in effect, whichever is later.
Documentation that contains clients' records, including a client's demographic information, various consents, documentation of all services delivered to that person (assessment, treatment, psychological test results, discharge plan, medication), correspondence, and in client hospital admissions, must be retained: Adults: 10 years after discharge and/or from the final date of the contract period between the plan and the provider (for Medi-Cal managed care enrollees), from the date of completion of any audit, or from the date the service was rendered, whichever is later; Minors: 1 year after the minor reaches the age of 18, but not less than 10 years and/or from the final date of the contract period between the plan and the provider (for Medi-Cal managed care enrollees), from the date of completion of any audit, or from the date the service was rendered, whichever is later.
If a facility is subject to a longer documentation retention period as part of a regulatory, compliance, and/or accreditation requirement (e.g., Medicare, Medi-Cal, Title 22), the documentation must be retained for the longer period to meet specific retention requirements for the facility.
For all other types and forms of data, such as emails and information not governed by the Health Insurance Portability and Accountability Act (HIPAA), the default retention period is set for three (3) years, unless otherwise required by law or other legal reasons.
Document Availability (45 CFR § 164.316(b)(2)(ii))
Security compliance documentation must be made readily available to those users who must comply and those persons responsible for auditing to ensure compliance with Security Policies and Procedures.
Access to security compliance documentation must be strictly limited to those whose roles or titles have been identified by system owners/managers, with review and approval by the Departmental Information Security Officer (DISO), as having a business need-to-know. DMH workforce members must ensure that security compliance documentation is stored securely and made available to persons authorized by the DISO as is relevant and necessary.
Documentation Updates
Reports and data concerning information security actions taken and assessments conducted must be archived in a security compliance documentation repository as soon as reasonably possible. Historical documentation in the security compliance documentation repository must be preserved.
DMH DISO must review and revise the security policies and procedures in response to environmental, technological, or operational changes affecting the security of DMH’s information technology assets/resources.