LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 508.01 Safeguards for Protected Health Information
 
  PROCEDURES
  1. Administrative Safeguards: The Department's workforce must exercise due care to avoid unnecessary disclosure of Protected Health Information (PHI).
    1. Incidental/Verbal Communications: 
      1. Attention shall be paid to unauthorized listeners to avoid unnecessary disclosure of PHI; keep voices modulated.
      2. Conversations shall be conducted away from public areas.
      3. Any equipment that displays PHI shall be placed where passers-by cannot see it.
    2. Telephone Messages:
      1. Telephone messages and appointment reminders may be left on voice mail systems unless the client has requested an alternative means of communication pursuant to DMH Policy 501.04.
      2. Each provider and/or clinic shall limit the amount of PHI that is disclosed in a telephone message.
      3. The content of appointment reminders shall not reveal Particularly Sensitive Health Information directly or indirectly.
    3. Faxes:
      1. All instances of misdirected faxes containing PHI shall be reported to the HIPAA Privacy Unit to mitigate the incident pursuant to DMH Policy 506.01.
      2. All faxes containing PHI and/or confidential information/data shall be accompanied by a cover page.
        1. Faxes sent via fax machine must include a Protected Health Information/Confidential Data Fax Cover Sheet.
        2. Faxes sent via DMH Outlook email shall automatically generate an eFax Cover page for Transmitting PHI that includes a confidentiality notice (eFax Full Introduction and eFax from Your DMH Outlook Email).
      3. When documents containing PHI or PII are faxed, the recipient shall be notified immediately prior to the transmission and, if possible, the sender shall immediately confirm with the recipient that the transmission was received. 
      4. Reasonable efforts shall be made to ensure that fax transmissions are sent to the correct destination.
        1. Frequently used numbers shall be pre-programmed into fax machines or computers to avoid misdialing errors.
    4. Mail:
      1. Any mail containing PHI shall be enclosed and sealed in a solid, windowless envelope.
      2. PHI mailed outside the County shall:
        1. Be sent via first-class mail or by County meter stamp.
        2. Only identify the address, but not the DMH clinic or program, in the return address.
        3. At the discretion of the HIPAA Privacy Unit or an administrator, certified mail may be used in certain situations (e.g., proof for HHS Office of Civil Rights investigation) to confirm receipt of confidential information. 
    5. Surveys:
      1. DMH workforce members shall not routinely gather PHI, PII, or Non-Public Information.
        1. Avoid using open-ended questions.
        2. Suggested formats:
          • Multiple choice
          • Rating scales (e.g., stars, numbers [1-10], agree/not agree, yes/no/not sure/NA, true/false)
      2. If collecting PHI, PII, or NPI is necessary, contact the HIPAA Privacy Unit for consultation and approval to ensure that the elements collected are appropriate.
  2. Physical Safeguards
    1. Paper Records:
      1. Paper records containing PHI shall be properly stored to avoid unauthorized access. Paper records at work stations must be placed face down or concealed to avoid access by unauthorized persons.
      2. Paper records containing PHI shall not be removed from the premises unless necessary to provide care or treatment to a client or required by law.
        1. DMH workforce members shall immediately report the theft or loss of any paper records to:
          • The supervisor, who shall notify the HIPAA Privacy Officer and/or Departmental Information Security Officer.
          • Follow all necessary protocols in accordance with DMH Policy 506.03.
            • Do not include PHI or confidential information in the SIR.
        2. DMH workforce members shall not leave paper records in vehicles, unattended in a facility, or in view of passersby.
          • While in transit, DMH members shall place paper records in an approved locked case and in the trunk of the vehicle.
        3. DMH workforce members shall take paper records into the office or home at the end of the work shift for safekeeping.
        4. DMH workforce members are solely responsible for the safety and return of paper records.
        5. DMH workforce members shall only remove records for business purposes.
    2. Destruction Standards:
      1. PHI shall be discarded in a manner that protects confidentiality.
        1. Paper and other printed materials containing PHI shall be destroyed in a criss-cross shredder or deposited in a designated secured bin.  
          • Centralized bins for disposing of confidential information must be locked and clearly labeled.
        2. DMH workforce members must contact the DMH Helpdesk to make arrangements for securely transporting all portable storage media devices containing PHI to the DMH Chief Information Office (CIO) for disposal in accordance with DMH Policy 554.01.
      2. Storage rooms containing confidential information awaiting disposal must be locked.
    3. Physical Access:
      1. DMH workforce members shall not share their badges.
      2. DMH workforce members shall verify access authorization for unknown persons entering an area containing PHI.
      3. Persons authorized or attempting to enter an area containing PHI shall wear an identifiable DMH badge or be escorted by a DMH workforce member wearing an identifiable DMH badge.
    4. Escorting Visitors or Clients:
      1. Visitors and clients shall be appropriately monitored when on Department premises.
        1. They shall not be in areas in which clients are being treated.
        2. They shall not be in areas containing PHI.
      2. Visitors (including former DMH workforce members) and clients are to be escorted to any and all areas (including the restroom) while in a DMH facility.
    5. Work Stations:
      1. In accordance with DMH Policy 551.03, workstations must be used with safeguarding measures commensurate with the sensitivity of the information accessed via those workstations.
  3. Technical Safeguards:  For technical and solutions safeguards, please refer to CIO's 0550 HIPAA Security Policies.  Please make note of the following: 
    1. All County-issued and personally-owned Portable Electronic Devices (PEDs) shall be encrypted/equipped with technical, administrative, or procedural safeguards approved by CIO. For detailed procedures pertaining to PEDs, refer to Policy 551.03.
    2. For the use of personally-owned and DMH-issued desktop or portable computing equipment the following rules apply:
      1. Teleworkers are prohibited from storing PHI and PII on personally-owned computing devices. 
      2. All DMH workforce members are prohibited from using their personal PEDs for any County business.
      3. With prior approval from CIO, DMH workforce members may unblock the Caller-ID for business needs only.
        1. Unblock the Caller-ID by dialing *82 prior to dialing the intended number.
        2. Tampering with, bypassing, or permanently disabling blocked Caller-ID on County PEDs is prohibited.
      4. With prior approval from the DISO and HPO, DMH workforce members may use their DMH-issued photography devices (including County-issued iPhone cameras) for County business-related purposes only. 
        1. Images must be stored on encrypted solutions and transmitted by encrypted emails. 
    3. DMH workforce members shall use CIO-approved solutions for storing, exchanging, collaborating, conferencing, and recording information including PHI or confidential data. 
      1. Business Operation Technologies and Solutions:
        1. When DMH workforce members host or organize a clinical or administrative teleconference call, they shall ensure the use of CIO-approved technology (e.g., VSee, Cisco Jabber).
          • DMH workforce members are prohibited from using freeware and unapproved solutions.
          • Hosts shall use a disclaimer when sending call invitations:
            • This teleconference invitation is sent to attendees that have justified reason to participate. Do not forward the invitation to anyone without authorization from the organizer.
          • Exchange/discussion of PHI or confidential information is allowed for appropriately cleared participants.
          • Exchange/discussion of PHI or confidential information is prohibited in the presence of clients and/or their representatives. 
          • Please see Section 3.b. for teleconferences with client participants or where client PHI/PII is exchanged or discussed. 
          • Audio recording of phone conversations or teleconferences must have the consent of every participant and shall be recorded using only DMH-approved audio recorders. 
          • Video recording of teleconference calls must have the recording consent of every participant.
        2. Storage and File Sharing for Clinical and Administrative Deliveries:
          • DMH workforce members may store PHI or confidential data onto DMH-approved secure and encrypted storage solutions (e.g., Microsoft SharePoint, users' home drive, or DMH encrypted flash drive). 
          • DMH workforce members may collaborate and exchange PHI or Confidential Data with colleagues and business partners for justified business purposes such as coordination of care through DMH-approved secure and encrypted collaboration tools and file exchange solutions only.
          • Sharing of PHI/PII shall be the minimum information necessary and on a need-to-know basis only. 
        3. Secure Email:
          • DMH workforce members may encrypt emails containing PHI or confidential data using the DMH Secure Messaging Solution by typing "[Secure]" in the subject line.  Refer to DMH Policy 557.02.
        4. Social Media Posting:
          • DMH workforce members are prohibited from posting/sharing comments, tags, pictures, discussions, etc. of any client's identification, mental health information, confidential information or data or work-related information on any social media site (e.g., Facebook, Twitter, Snapchat, WhatsApp, WeChat) or any other application.
          • Communication by DMH workforce members with clients and/or client representatives through social media outlets is strictly prohibited.
      2. Clinical Service Delivery Technologies and Solutions:
        1. Tele-conference solutions:
          • Exchange/discussion of PHI or confidential data during teleconferences through clinical service delivery technologies is permitted as long as the participating client or their respective representatives have signed consents and the organizer can validate that all the attendees are accounted for.
          • During clinical service deliveries, the audio recording of phone conversations or teleconferences must have the consent of every participating client and shall be recorded using only DMH-approved audio recorders. 
          • When video recording, the client must have signed or given verbal consent to receive telepsychiatry Services (Policy 308.01) and Consent to Photograph/Audio Recording before participating in the video sessions. Signed documents must be uploaded to the client's record. 
        2. Secure Texting:
          • In accordance with DMH Policy 401.05, VSee is the approved secure communication tool for chatting, video conferencing, sharing photos and videos, and voice calls with clients and their representatives. The solution can be operated on County-issued as well as personally-owned mobile devices and computers with prior approval from the Supervisor and/or Program Manager. 
          • DMH workforce members may request VSee and other solutions for justified business operations by submitting a request through the DMH Service Catalog System.
          • In the event that a DMH workforce member receives PHI or sensitive content through standard SMS, the sender must be contacted, informed that the message is unsecured, and instructed to immediately delete the message from both the inbox and the delete box.