LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 551.01 Information Access Management
 
Policy Category:  Administrative
Distribution Level:  Directly Operated and Contractors
Reviewed and Approved by:  Chief Information Office Bureau
 
Approved by Edgar M. Soto, MBA, CSP, Administrative Deputy III, on January 21, 2020
 
I.  POLICY STATEMENTS
 
The purpose of this policy is to:
  • Create administrative controls for access to protected health information (PHI) and other confidential and/or sensitive information. 
  • Restrict information access to those persons and external entities with a need for access as a basic tenet of security.
Contracted agencies shall develop an internal policy and associated procedures that are consistent with their organizational practices and meet the requirements set forth in this policy.
 
II.  DEFINITIONS
 
III.  POLICY
 
System managers/owners must adhere to procedures for information access authorization, access establishment, and access modification that restrict information access to only those persons whose job functions require access.

DMH Administrative Operations must establish a Business Associate Agreement with all external entities to manage information access authorization, access establishment, and access modification to DMH resources.
  1. Access Authorization
System managers/owners must authorize access to information resources under their control on a "need-to-know" basis for carrying out the essential job functions of workforce members. Workforce members are prohibited from attempting to gain unauthorized access to confidential information. The DMH Chief Information Officer (CIO) must implement access control mechanisms for electronic systems to protect against unauthorized and inadvertent use, disclosure, modification, or destruction of resources.

System managers/owners must set up authorization, establishment, and modification procedures for controlling access to information. The Department Information Security Officer (DISO) must assist system managers/owners in implementing access authorization procedures and determining the appropriate technical access controls.
  2. Isolating Health Care Clearinghouse Function
After exercising due diligence, DMH has determined that it has no health care clearinghouse as defined by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 that is a part of its larger organization.
  3. Access Establishment and Modification
The CIO must ensure that system managers/owners document and implement procedures for establishing workforce member access to electronic information (for example, through access to a workstation, transaction, program, process, or other mechanism) that is both necessary and appropriate for the job functions of the workforce member.
 
The CIO must ensure that system managers/owners document and implement procedures that modify a user’s right of access to a workstation, transaction, program, process, or other mechanism when such modification is necessary to align each workforce member’s access with their respective job functions.
 
IV.  PROCEDURES
 
V.  AUTHORITIES
 
Code of Federal Regulations, Title 45, Part 164, Subpart C, Section 164.308(a)(2)
Los Angeles County Board of Supervisors Policy 6.100, Information Security Policy
Los Angeles County Board of Supervisors Policy 6.101, Use of County Information Assets