LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 510.01 Interdepartmental Memorandum of Understanding
 
  PROCEDURES
  1. Managing Interdepartmental MOU’s
     
    1. The Covered Component shall be responsible for managing and tracking all Interdepartmental MOU’s, assuring that the required provisions are included in all appropriate MOU’s and that such provisions are current and in compliance with the requirements of the HIPAA Privacy Rule.
       
    2. Contract Form The provisions of the Interdepartmental MOU’s to be used by the Covered Component for the MOU Departments are detailed in the Board Letter, approved on March 25, 2003, entitled, “Approval of the Health Insurance Portability and Accountability Act (HIPAA) Interdepartmental Memorandums of Understanding (MOU) for Los Angeles County as a Covered Hybrid Entity”. If a non-covered Department requires the use or disclosure of PHI from the Covered Component for non-treatment purposes, the Covered Component must execute the Board approved “Interdepartmental MOU” with such Department.
       
    3. Changes to Interdepartmental MOU’s No changes or modifications to the language of the Interdepartmental MOU may be made without prior legal review and authorization by County Counsel and the Chief Information Privacy Office. The Covered Component will document and retain the executed MOUs for a period of at least six (6) years from the date of its creation or the date when it was last in effect, whichever is later.
       
  2. Covered Component’s Responsibilities to the MOU Departments
     
    1. With regard to the use and/or disclosure of PHI by MOU Departments, the Covered Component shall (1) inform the MOU Departments of the privacy practices of the Covered Component; (2) notify the MOU Departments of any restrictions to the use or disclosure of PHI that the Covered Component has agreed to in accordance with 45 CFR, Section 164.522, to the extent that such restriction may affect the MOU Departments’ use or disclosure of PHI; and (3) notify the MOU Departments of any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect MOU Departments’ use or disclosure of PHI.
       
    2. MOU Departments Awareness of the Covered Component HIPAA Privacy Policies The Covered Component Privacy Officer(s), or their designee(s), shall make available the relevant HIPAA Privacy policies and procedures and forms to the MOU Department, upon request, to assure that the MOU Departments understand the basics of how the Covered Component is executing the HIPAA Privacy Rule, the Covered Components’ legal obligations and the expectations of the Covered Component regarding the activities of the MOU Departments to assure the Covered Components’ compliance with the HIPAA Privacy Rule.
       
    3. Changes in Use or Disclosure of PHI The Covered Component Privacy Officer(s), or their designee(s), shall notify the MOU Departments in writing within ten (10) business days of any arrangements permitted or required by the Covered Component that may impact the use or disclosure of PHI by its MOU Departments.
       
  3. MOU Departments’ Obligations to the Covered Component
     
    1. Access to PHI  At the request of and in the time and manner designated by the appropriate Covered Component’s Privacy Officer, MOU Departments shall provide access to PHI in a Designated Record Set to the Covered Component, the client or their representative, to whom such PHI relates in order to meet the requirements of 45 CFR Section 164.524 in accordance with the Covered Component’s Right to Access Information Policy.
       
    2. Amendment to PHI   At the request of and in the time and manner designated by the appropriate Covered Component’s Privacy Officer, MOU Department shall make any amendments to PHI in the Designated Record Set that the Covered Component direct and agrees to pursuant to 45 CFR, Section 164.526 in accordance with the Covered Component’s Right to Amend Health Information Policy.
       
    3. Accounting of Disclosure of PHI  At the request of and in the time and manner designated by the appropriate Covered Component’s Privacy Officer, MOU Departments shall provide an accounting of disclosure to the Covered Component, the client or their representative, to whom such PHI relates in order to meet the requirements of 45 CFR Section 164.528 in accordance with the Covered Component’s Right to Accounting of Disclosures Policy.
       
    4. Permitted Use and Disclosure of PHI MOU Departments shall not use or disclose PHI, except as permitted by the MOU or required by law. The MOU recognizes that a MOU Department may use of disclose PHI for the proper management and administration of its business and as required by law.
       
    5. Minimum Necessary  The MOU Departments shall take responsible steps to ensure that it limits the use and disclosure of PHI to the minimum necessary to carry out their functions for the Covered Component.
       
    6. Appropriate Safeguards MOU Departments shall use appropriate safeguards to prevent an impermissible use or disclosure of PHI.
       
    7. Reporting Impermissible Use and Disclosure MOU Departments shall report violations to the appropriate Covered Component’s Privacy Officer within forty-eight (48) hours upon learning of any impermissible use or disclosure of PHI.
       
    8. Contractors, Subcontractors and Agents MOU Departments shall ensure that any agent, including a contractor of subcontractor, that receives PHI from the MOU Departments or creates PHI for the MOU Departments, agrees to the same restrictions and conditions on the use and disclosure of PHI that apply to the MOU Departments.
       
    9. Records Available to Secretary MOU Departments shall make its internal practices, and books and records related to the use or disclosure of PHI available to the Secretary of the United States Department of Health and Human Services for purposes of determining the Covered Components’ compliance with the HIPAA Privacy Rule.
       
    10. Mitigation Each MOU Department shall mitigate, the extent practicable, any harmful effect that is known to it of a use or disclosure of PHI by it in violation of the MOU requirements.
       
    11. Training Each MOU Department shall ensure that all workforce members have access to PHI complete “HIPAA for MOU Departments” training.
       
  4. Disposition of PHI at Service Termination In the event specific services are no longer required, the MOU Departments shall return or destroy all PHI in its possession relating to any Covered Component, if feasible. MOU Departments shall also recover, return or destroy any PHI in the possession of its contractors, subcontractors or agents. If it is not feasible to return or destroy the PHI, the provisions of the MOU shall be extended to protect the PHI so that no one has access to, or can use or disclose, that PHI.
     
  5. Administrative Dispute Resolution Process (ADRP)
     
    1. The ADRP approved by the Board of Supervisors provides for the resolution of disputes between departments and for the enforcement of the MOUs as required by HIPAA.
       
    2. If the Covered Component believes the terms of the MOU have been or will be violated by any recipient of PHI in another department, the Covered Component shall file a written complaint with the Chief Information Privacy Officer (CIPO). The CIPO will investigate the complaint and will work with the affected departments to develop a mutually satisfactory resolution of the complaint.
       
    3. If the department believes the Covered Component is not complying with the terms of the MOU, a complaint may be filed with the CIPO.
       
    4. If the CIPO and the affected departments are not able to resolve their differences to their mutual satisfaction, the matter will be referred to the Chief Administrative Office (CAO), provided it is not an involved party, for resolution. If the CAO is involved, County Counsel shall supervise the resolution.
       
    5. If neither the CAO nor County Counsel are able to satisfactorily resolve the dispute, the issues will be submitted to the Board of Supervisors for final resolution.
       
    6. In the event the Board determines that a department has violated the terms of the MOU, it may take or recommend appropriate administrative action. The Board’s recommendations regarding obligations under the MOU shall be final.