LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 550.02 Workforce Members Security
 
  PROCEDURES
  1. The Los Angeles County Department of Mental Health (DMH/Department) Chief Information Officer (CIO) or his/her designee must work with system managers/owners and DMH Human Resources Bureau (HRB) to develop and coordinate implementation of the workforce security procedures.
     
    1. DMH Workforce Authorization and Supervision Procedure
       
      1. System managers/owners must ensure that workforce members are granted access authorization in accordance with DMH Policy 551.01, Information Access Management Policy.
         
      2. The authorization and supervision process must consist of all the following components:
         
        1. Managers/supervisors must identify and supervise workforce members who work with or have access to protected health information (PHI) and other confidential information. Managers/supervisors must identify the minimum information access required by these workforce members to do their job.
        2. System managers/owners or designees must identify the security levels necessary for securing the system and while still allowing workforce members to perform their jobs. System managers/owners will assign workforce members to the minimum-security level that they need to perform their job function.
        3. Managers/supervisors must restrict access to PHI and other confidential information by unauthorized workforce members.
        4. Managers/supervisors must provide authorization and supervision to workforce members and others who need to be in areas where PHI and other confidential information may be accessed. Also, take appropriate safeguards to ensure that those who may be exposed to PHI and other confidential information are made aware of the policies protecting that information.
           
    2. DMH Workforce Clearance Procedure
       
      1. System managers/owners must ensure that workforce members' access to PHI and other confidential information is limited to the minimum necessary to perform their job responsibilities.
         
      2. The clearance process must consist of all of the following components:
         
        1. System managers/owners or designee must work with DMH HRB to ensure that proper workforce clearance procedures are implemented.
        2. System managers/owners or designee must ensure that all applications for access to a system are complete and approved by the appropriate workforce managers/supervisors. System managers/owners must also ensure that each workforce member with access has signed an acknowledgment of the DMH Policy 556.01, DMH Acceptable Use for County IT Resources, which defines their responsibility for the protection of the confidentiality, integrity, and availability of all DMH information resources and the restrictions for utilizing those resources.
        3. DMH HRB must ensure that each new workforce member receives and signs the acknowledgment of DMH Policy 556.01 during the initial hiring orientation and that each workforce member completes the acknowledgment during the annual Performance Evaluation process. Signed acknowledgments will be filed in the workforce member's official personnel folder.
           
    3. DMH Workforce Termination Procedure (Access)
       
      1. System managers/owners must ensure that departing workforce members' access to all PHI and other confidential information is terminated upon termination of employment.
         
      2. The termination process must consist of all the following components:
         
        1. The system manager/owner must be notified by the workforce member's supervisor as soon as possible, but in no circumstance later than the day the workforce member's employment or other service arrangement with DMH ends.
        2. The system manager/owner must terminate the workforce member's access to PHI or other confidential information upon notification by the workforce member's supervisor when the workforce member terminates employment or transfers to another DMH facility or County department. Access termination must be:
           
        • As soon as possible, but in no circumstance later than five (5) business days when the end of employment is voluntary.
        • As soon as possible, but in no circumstance later than close of the same business day or end of workforce member's work shift when the end of employment is involuntary.
           
        1. The workforce member's supervisor must notify the system manager/owner when a workforce member's status, function, or responsibility has changed. The system manager/owner must promptly review the workforce member's access to PHI and other confidential information and must modify the member's access as needed.