Workforce Training Requirements
The Privacy and Security Awareness Training must provide workforce members with information on how to handle Protected Health Information (PHI) and other confidential/sensitive information in accordance with DMH's privacy-related and security-related policies.
HIPAA Awareness Training: General privacy and security training provided in the New Employee Orientation (NEO) is mandatory for all DMH workforce members within the first 60 days of hire or prior to accessing PHI, whichever comes first. This training consists of educating the workforce member on the Department's Notice of Privacy Practices and the following DMH policies and procedures:
DMH Policy 508.01, Safeguards for Protected Health Information
DMH Policy 500.01, Use and Disclosure of Protected Health Information Requiring an Authorization
DMH Policy 500.03, Minimum Necessary Requirements for Using and Disclosing Protected Health Information
DMH Policy 506.03, Responding to Breach of Protected Health Information
DMH Policy 506.02, Privacy Sanctions
DMH Policy 508.02, Confidentiality
DMH Policy 605.01, Discipline
HIPAA Comprehensive Curriculum Training: This training is mandatory for all DMH workforce members to complete within 60 days of hire or prior to accessing PHI, and every two (2) years thereafter. The workforce member is to provide a copy of the certificate of completion to their supervisor. HIPAA Comprehensive Curriculum Training is the minimum standard for training and is provided through the County's web-based Learning Management System (LMS), i.e., The Learning Link. Role-based privacy and security training is designed around the level of access to PHI that workforce members need to perform their job functions. Security training is also required for all workforce members responsible for PHI and other confidential information.
Cybersecurity Awareness Specialized Training: All workforce members are required to complete formal cybersecurity awareness training annually. The mandatory core training modules are selected based on industry frameworks, cybersecurity best practices, County policy, relevant experience, and research. These modules must be completed by all workforce members by the end of the calendar year. Workforce members in a management or supervisory capacity must ensure that employees, contractors, volunteers, interns, trainees, or persons whose conduct in the performance of work for DMH is under their authority, regardless of whether they are paid or unpaid by the County, complete all the mandatory training modules by the end of the calendar year.
Departmental Information Security Officer (DISO) and Departmental training coordinators may make additional cybersecurity courses available for their Department employee training program.
Every year, workforce members sign the DMH policy certification, which lists the privacy and security policies and procedures with which they agree to comply.
HIPAA for Business Associates: Specialized training is required for the segment of DMH workforce members who handle contract and purchase order procurements, so that they understand when a business associate agreement is needed.
Security Training Content: DMH security awareness training must include, as a minimum, the following topics:
Guarding against, detecting, and reporting malicious software;
Rules for creating, changing, and safeguarding passwords;
Logging in and the importance of monitoring log-in attempts and reporting discrepancies;
Periodic security reminders through automated means, login banners, pamphlets, broadcast e-mails, etc.;
Workstation usage and related safeguards;
Security incident reporting;
Training on acceptable use of County information technology resources;
Appropriate use of email for transmitting PHI and/or confidential data.
The DMH Chief Information Officer (CIO), as appropriate, shall include additional security awareness training topics aimed at reducing the risk of improper access, use, and disclosure of confidential and/or sensitive information. The training topics must take into consideration the information from the System Description Report and the Risk Analysis Report as specified in DMH Policy 550.01, Security Management Process: Risk Management.
The Privacy and Security Awareness Training component of DMH's New Employee Orientation shall include:
HIPAA awareness and information that all DMH employees must know related to security and the access, use, and handling of PHI and other confidential information.
Facility orientation on all policies and procedures regarding PHI privacy and security as they relate to the facility.
Job-specific orientation to educate employees on confidentiality and address the PHI privacy and security functions necessary for job performance.
For all members of its workforce whose job responsibilities change because of new or changed policies or procedures, DMH will update training within a reasonable amount of time after the effective date of the change.
If an existing workforce member's job functions change due to a position/assignment change within DMH, training on health information privacy and security will be conducted during orientation at the workforce member's new position, or within the first 30 days after the workforce member's first workday in the new position, whichever is sooner.
Training Related to Updates or Changes in Policies and/or Procedures
HIPAA requires that HIPAA-covered entities, such as DMH, train workforce members on changes to HIPAA and HITECH regulations and standards, as well as when there are material changes to existing policies or procedures. Training related to updates or changes in policies and procedures will be executed through workforce training, facility training, or job-specific training.
Training will be an ongoing, evolving process in response to environmental and operational changes affecting the security of electronic information and as DMH's security needs and procedures change.
Retraining Intervals
Divisions/programs shall ensure that workforce members take the HIPAA Awareness Training provided on the LMS every two (2) years. In addition, the maximum interval from the completion of HIPAA Comprehensive Training shall not exceed 36 months.
Training Documentation Requirements
Each DMH division/program will maintain documentation, in electronic or written format, on all training provided to members of its workforce.
Documentation of training will consist of the following: date, time, workforce trainee name, and type of training session attended.
Training documentation will be placed in the workforce member's personnel file and/or tracked in a DMH training database.
This documentation shall be retained for six (6) years from the date of its creation or the date it was last in effect, whichever is later.
If, however, a DMH entity is subject to a longer documentation retention period as part of a regulatory, compliance, and/or accreditation requirement (e.g., Medicare, Medicaid, Joint Commission on Accreditation of Healthcare Organizations [JCAHO]), then the documentation mentioned above must be retained for the longer period.