Information Access Management
The Los Angeles County Department of Mental Health (DMH) Chief Information Officer (CIO) or his/her designee must work with system managers/owners, DMH managers and supervisors, and DMH Human Resources Bureau to:
Develop information access procedures and
Coordinate activities necessary for the implementation of such procedures.
System managers/owners must ensure that appropriate physical safeguards and technical security policies are established and enforced. They must also verify compliance with these policies in such a manner and frequency that the purpose of this policy is demonstrably accomplished.
Facility management and supervisors must prevent workforce members and others who do not have authorized access, but who work in locations where electronic data might be accessed, from accessing that data.
Elements
The system managers/owners must consider the following elements when developing the information access procedures:
Access Authorization:
System managers/owners must implement a role-based procedure specifying how a person is granted authorization to access confidential and/or sensitive information. They must also specify in writing who may authorize such access, for what purposes access can be authorized, and the procedures for approving and documenting the access authorization. The specification must include how and when to modify or cancel such access and procedures for communicating such changes to appropriate people and systems. These specifications must also establish limits on access to confidential and/or sensitive information based on the role(s) of the person (for example, a treatment provider generally needs access to health information only for people they are treating; a billing person needs only sufficient information to bill for work done, not full patient records, etc.). Access authorization must specify what authorized people may do with confidential and/or sensitive information - such as use (read), create, modify, and remove (delete).
The authorization criteria must include required levels of training and training certification requirements commensurate with the level of access. The access level must be established by a single point of approval, the system manager/owner or designee, and may be for a limited timeframe.
Renewal or a change of access level must require re-evaluation of access needs and may require re-training.
For non-DMH users, it is the responsibility of the non-DMH liaison to keep track of the account anniversary date of all users whose work performance and conduct are under their authority. Should any of them require access to DMH resources beyond their account anniversary date, the non-DMH liaison must request a renewal or extension a few weeks prior to the account's expiration date to avoid interruption.
Access Establishment and Modification
System managers/owners must specify in writing how to establish the access authorized. This must include:
Specifying who is responsible for establishing the access,
Procedures to be followed, and
How the granting of access must be documented.
System managers/owners must identify who is responsible for establishing the change in authorization, the process for changing the authorization, the process for documenting the change of access, and the process for canceling authorization.
Access Monitoring and Periodic Audits
System managers/owners must regularly verify and confirm that the active accounts of the systems they manage and maintain are still appropriate, and that no change in a workforce member's employment status or duties has occurred that would require an adjustment to their privilege level.
Upon the discovery of any error or discrepancy, system managers/owners must immediately make the necessary changes to the account and report the incident to the Department Information Security Officer (DISO) and Privacy Officer.
In order to prevent potential risks of unauthorized access, accounts in excess of ninety (90) days of inactivity shall be automatically suspended. Should a workforce member undergo an extended leave of absence that exceeds ninety (90) days, their manager or supervisor must submit a request for the restoration and reinstatement of their account.
Exceptions
Any requests for exceptions due to unique responsibilities of a user or a program must be reviewed and approved by the DISO.
Incidents
In the event of an unauthorized access or inappropriate disclosure, the DMH workforce member must take immediate action and report such incident to their immediate management as well as the DMH Helpdesk.
A non-DMH workforce member's unauthorized access or inappropriate disclosure must be immediately reported to the non-DMH organization's liaison or designee, who will then report such incident by phone and email to the DMH sponsor or designee as well as the DISO.