LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 506.02 - Privacy Sanctions
 
Policy Category:  Administrative
Distribution Level:  Directly Operated
Responsible Party:  Human Resources
 
Approved by Marvin J. Southard, DSW, Director on May 1, 2006
 
I.  POLICY STATEMENT
 
To establish a policy for imposing sanctions against Department of Mental Health (DMH) workforce members for the improper disclosure of Protected Health Information (PHI) and to identify those disclosures for which sanctions will not be imposed.
 
II.  DEFINITIONS
 
Covered Entities: means health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically (such as eligibility, referral authorizations and claims) to comply with each set of final administrative simplification standards (Health, Insurance Portability and Accountability Act of 1996, 45 CRF, Section 160 and 164).

Health Care Provider: means any person, corporation, facility or institution licensed to provide health care services, including, but not limited to, any physician, coordinated care organization, hospital, health care facility, nurse, psychologist, pharmacist, and employee or agent of such person acting in the course and scope of employment or agency related to health care services. DMH is a covered entity as a health care provider.

Violation: means an infringement of the County’s privacy-related policies or any of the provisions of HIPAA. The term “violation” does not include disclosures by whistleblowers or disclosures by workforce crime victims, as defined in this policy.

Workforcemeans employees, volunteers, trainees and other persons whose conduct in the performance of his/her work for the covered healthcare component of the hybrid entity (as outlined in the Board Letter) is under the direct control of DMH whether or not they are paid by the County.
 
III.  POLICY
 
This policy is applicable to all workforce members within DMH as the Department has been designated as part of the covered healthcare component of the County hybrid entity.

It is the policy of DMH to impose appropriate sanctions against its designated workforce members who fail to comply with the Privacy Standards of the Health Insurance Portability and Accountability Act of 1996, 45 CRF, Section 160 and 164 (HIPAA Privacy Standards) or the policies and procedures to implement HIPAA.

This Sanctions Policy is intended as a guide for the efficient and professional performance of a workforce member’s duty to protect the integrity and confidentiality of medical and other sensitive information. Additionally, nothing in this policy is to be construed by any workforce member as containing binding terms and conditions of employment.
 
IV.  PROCEDURES
 
V.  AUTHORITY