If a workforce member discovers or becomes aware of a breach or suspected (possible) breach of PHI, he or she must immediately report the incident to his or her supervisor; "immediately" means without delay or by the end of one's shift. The supervisor shall immediately report the breach to the Department's Privacy Officer and/or Departmental Information Security Officer (DISO) by telephone or email.
The initial report to the DMH Privacy Officer and/or DISO should never include PHI and should contain only the following information:
- The reporter's name and contact information
- Short description of the incident
- Estimated number of affected clients
After the initial report, the workforce member and his or her supervisor must each submit a written report/statement with detailed information (including PHI) to the DMH Privacy and/or Information Security Officer, by fax or hand delivery only, by the end of the next business day.
The Privacy or Information Security Officer shall make the initial report to the Los Angeles County Chief HIPAA Privacy Officer (CHPO), located at 500 West Temple Street, Room 410, Los Angeles, California 90012, by telephone call promptly after he or she becomes aware of the breach, followed by a full written report no later than three (3) business days from the date he or she becomes aware of the breach.
Following the initial notice of the discovery of a breach, or suspected breach, the DMH Privacy and/or Security Officers shall conduct an investigation, including a risk assessment, to determine if the breach is an unsecured or secured breach of PHI and whether the breach is reportable. Either Officer shall forward the determination to CHPO promptly.
Document Retention
The report and risk assessment of the reported/suspected breach shall be retained for a period of at least six (6) years from the date of its creation.