| I. PURPOSE
| | To provide Los Angeles County Department of Mental Health (DMH/Department) workforce with a policy and procedures for the issuance and management of cellular devices in a health care environment.
To ensure compliance with applicable federal and state laws and regulations regarding security of sensitive health and confidential information.
To articulate DMH's expectations regarding how a Workforce Member will conduct County business with County provided cellular devices for voice, email communications, electronic messaging, access to DMH network, or Internet connections.
To clarify that DMH supplied devices are not intended for personal use.
To inform DMH Workforce Members that a County-issued personal cellular device utilized for business purposes or personally owned cellular devices cannot be used for sending protected health information (PHI) or confidential data.
| | II. DEFINITIONS
| | Authorized Workforce Member: A DMH Workforce Member who has acknowledged this policy and completed and signed the required DMH Cellular Phone, Smart Phone, or Pager Usage Agreement Form.
Cellular Device: Any hand-held, portable, or vehicle-mounted, two-way communication device with multi-functional capabilities used to process, store, transmit, and receive voice and/or data information over a cellular network. This generally includes cellular phones, smartphones, pagers, broadband connection devices (data cards, air cards, or hotspots used with notebook or tablet computers), or other cellular communication devices.
Confidential Data: Information that is sensitive, proprietary, or personal to which access must be restricted and whose unauthorized disclosure could be harmful to a person, process, or to an organization.
Emergency Non-Business Call: An instance when a workforce member must make emergency non-business use of a DMH issued cellular device and when he or she lacks access to a personal cellular device. Total emergency usage is limited to 60 voice minutes and 60 text messages per month or less if texting is permitted and made available on device.
Encryption: A process of making information indecipherable to protect it from unauthorized viewing or use, especially during transmission, or when it is stored on a transportable magnetic medium.
iMessage: An Apple's native text messaging application that uses the internet to send and receive text, picture, audio, and video messages. iMessages can be sent between Apple devices that have this application installed. This method is insecure and not Health Insurance Portability and Accountability Act of 1996 (H I PAA) compliant.
Mobile Application: Most commonly referred to as an app, this is a type of application software designed to run on a mobile device, such as a smartphone or tablet computer. Mobile applications frequently serve to provide users with similar services to those accessed on PCs.
Protected Health Information (PHI): Individually identifiable health information held or transmitted by DMH or its business associate(s), in any form or medium, whether electronic, paper, or oral. This information relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is reasonable basis to believe the information can be used to identify the individual.
Secure Text Messaging: An DMH administered and approved secure text messaging solution that allows authorized workforce members to send texts or video messages including ones that may include PHI or confidential data using their DMH issued cellular devices.
Short Message Service (SMS): Synonymous with texting, a text messaging service component of phone, web, or mobile communication devices that utilizes standardized communications protocols (voice lines) to allow mobile phones and smart devices to exchange short text based messages. This method is insecure and not HIPAA compliant.
Texting/Text Messaging: An act of sending short written messages between cellular phones or other handheld devices. The native Texting feature available on cellular phones is insecure and not HIPAA compliant.
Workforce Member: Employee, Business Associate, Contracted Employee, Consultant, Volunteer, other County departments and/or individual whose conduct in the performance of work for DMH, its offices, programs, or facilities is under the direct control of the Department, office, program, or facility regardless of whether the person is paid or unpaid.
| | III. POLICY
| | DMH assigns cellular devices to Department's workforce members whose duties and responsibilities clearly require cellular devices to conduct County business and not on the basis of convenience, seniority, or position. -
The following justifications clarify when a cellular device may be assigned:
-
When a workforce member's job assignment is such that he/she must be immediately accessible to members of the Board of Supervisors, their staff, and/or the Director of the Department. -
For a workforce member with a Disaster Operations Center (DOC) leadership role (Director, Chief Deputy Director, Medical Director, Deputy Director for the Emergency Outreach Bureau (EOB), or others as designated). -
When a workforce member's assignment involves extensive time in the field or when job duties require access to telephone or online resources in locations where County provided hard-wired telephone, network, or Internet connections would not be reasonably available. -
When a manager or supervisor requires more than one cellular device (a pool of devices) for shared use by his/her workforce member to ensure the effective and efficient performance of their duties.
-
The need to have a cellular device assigned to a workforce member on a full-time basis must have a corresponding full-time or near full-time requirement. In the event that job responsibilities or functions change and the full-time needs are reduced, the cellular device must be returned to the Chief Information Office Bureau (CIOB).
-
All usages of DMH issued cellular devices whether for County business or personal will be tracked.
-
DMH issued cellular devices found with zero or low usage may be cancelled. Exceptions will be considered for those devices purposed for emergency, disaster recovery functions, or safety reasons. -
When a workforce member will be absent for over 30 days, the supervisor must advise CIOB so that the service may be disabled during the staff's absence. -
Assignees are responsible for their own device access and usage.DMH monitors all users' activities for protection of County's network and data from unauthorized sources including events that were administered via wireless connections. A monthly activity log is provided by the automated system to user's management for their respective review and analysis. Any inappropriate, unusual, or suspicious activities will be subject to investigation.
-
DMH provides cellular devices for telephone, email communications, electronic messaging, access to DMH network, or Internet connections to workforce members to conduct County business; DMH cellular devices are not intended for personal use. Personal use of DMH issued cellular devices is only allowed in emergencies.
-
Regardless of which Flat Rate plans, Anytime Minute plans, Shared/Pooled plans, or Data plans are utilized, a workforce member might be charged for any emergency non-business use of DMH issued cellular devices beyond the allotted 60 voice minutes and/or any text messages exceeding the allotted 60 emergency non-business texts per billing cycle or for unapproved and inappropriate wireless internet connections and use of cellular data. In addition, workforce member might be charged for any emergency nonbusiness use of additional features (for example, call forwarding, 411 directory assistance, etc.) and any text messages exceeding the allotted 60 texts per billing cycle. -
If there is a charge for emergency non-business usage, the workforce member must reimburse the County within 30 days of receiving the Reimbursement/Remittance Form. -
All workforce members who receive the automated monthly notification to review their cellular invoices must do so within 10 days of receipt. Failure to complete the review in a timely manner and/or submit reimbursement when appropriate can result in having service disconnected. -
Any non-business use of unauthorized features or mobile applications will be charged to the employee at the rate stated on the bill. -
Personal cellular devices should not be used for County business. In the event a personal cellular device is used for convenience, two conditions apply:
-
The workforce member must ensure that no PHI or confidential information is included in the data transmissions; and -
The Department will not authorize payment for use of a workforce member's personal cellular device used for County business.
-
Workforce members covered under the Federal Fair Labor Standard Act (FLSA) are not permitted to use County-issued devices after working hours. Failure to comply with this policy may result in disciplinary action. The use of DMH cellular devices for personal use may also subject a workforce member to disciplinary action. Issuance of DMH cellular devices does not imply the Department is authorizing workforce members to work beyond their normal working hours or schedule. Note that County policy requires all overtime be pre- approved in accordance with DMH Policy No. 603.04, Overtime.
Any alteration or modification to configuration of the cellular device's existing settings is prohibited. This action may weaken existing security of the device which may introduce risks of confidential or sensitive information compromises and compliance violations.
Downloading, installing, or using applications that are not included initially at the distribution of the cellular device is prohibited. All non-standard application installation and use must be pre-approved and installed by CIOB.
Downloading, installing new ringtones, themes, or music is prohibited. All exceptions must be pre-approved by CIOB.
All electronic communications such as emails, text messages, video messages, or exchange of electronic files and images must follow all other Departmental privacy and security requirements and policies concerning secure transportation of electronic sensitive or confidential information including, but not limited to PHI. All electronic communications with clients are considered PHI and must be protected.
Uploading or posting comments, documents, images, or videos that include sensitive or confidential information to social networking sites, any non-DMH websites, and cloud storages is prohibited. All exceptions must be pre-approved by CIOB.
Workforce members are prohibited from using native SMS, Message, or any other third party messaging application when communication includes sensitive or confidential messages with, but not limited to clients, workforce members, or business associates unless explicit permission is granted by CIOB information Security.
Only authorized workforce members who have been issued an approved device and have been authorized to have DMH approved secure text messaging application installed on their device may send texts or video messages including ones that may include PHI or confidential data.
In events when email messages contain sensitive or confidential information, communications must be secured by utilizing DMH secure email while following all the guidelines specified in DMH Policy No. 557.02, Appropriate Use of Email for Transmitting Protected Health Information and/or Confidential Data.
Taking photos or videos that include DMH clients, clients' medical information, or structures identifying DMH clients is strictly prohibited. All exceptions must be pre-approved by CIOB.
Any violation of these policies and procedures may result in disciplinary action up to and including discharge.
Failure to comply with HIPAA can result in civil and criminal penalties according to United States Code Title 42 Section 1320d-5, General Penalty for Failure to Comply with Requirements and Standards.
Workforce members shall have no expectation of privacy with respect to their use of the DMH cellular device. At any time, DMH may log, review, or monitor any and all data created, stored, sent, or received.
| | IV. PROCEDURES
| | | | V. AUTHORITY
| HIPAA Security Rule - Code of Federal Regulations Tittle 45 Section 164.312(e)(2)(ii) Board of Supervisors Policy No. 6.101, Use of County Information Technology Resources
Board of Supervisors Policy No. 6.104, Electronic Communications Board of Supervisors Policy No. 6.105, Internet Usage Policy
Board of Supervisors Policy No. 6.110, Protection of Information on Portable Computing Devices United States Code Title 42 Section 1320d-5, General Penalty for Failure to Comply with Requirements and Standards County of Los Angeles Fiscal Manual Section 4.7.0, Cellular Telephone and Other Wireless Data Devices Usage Policy Board of Supervisors Policy No. 3.160, County Cellular Telephone and Other Wireless Data Devices Usage Policy
| | VI. ATTACHMENTS
| | DMH Cellular Phone, Smart Phone, or Pager Usage Agreement Cellular Phone Rate Table | |
|
