Risk Management

The Office of Privacy develops, guides, and directs the overall Privacy and HIPAA (Health Insurance Portability and Accountability Act) policies and procedures that guide all Departments of the County of Los Angeles that store, process, or transmit personally identifiable or protected health information. The Office of Privacy governs, enforces, and directs the risk control activities associated with protected and private information.

Our purpose is to provide guidance, enforce and oversee the County's policies and procedures related to HIPAA and Privacy programs to the extent that such operations are consistent and compliant with applicable Federal, State, and local laws and standards.

How to file a HIPAA privacy complaint:

You may complete and mail the HIPAA Privacy Complaint Form to us or submit your complaint via the complaint portal.


Privacy Strategic Plan Goals

Organizational Goal 1: Service Excellence

Provide the public with easy access to quality information and services that are both beneficial and responsive.

Programmatic Goal 7: Health and Mental Health

Implement a client-centered and information-based health and mental health services delivery system that provides cost-effective and quality services across County departments.

More About HIPAA

In 1996, Congress passed HIPAA. As a result, the Act impacts all areas of the health care industry. HIPAA was designed to provide insurance portability, improve the efficiency of health care by standardizing the exchange of administrative and financial data, and protect the privacy, confidentiality and security of health care information. A major principle of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.

A covered entity is permitted to use and disclose Protected Health Information (PHI) without an individual’s authorization for the following purposes:
  • To the Individual for his/her review of their PHI;
  • For treatment, payment, and health care operations;
  • Incidental to an otherwise permitted use and disclosure;
  • Under the Opportunity to Agree or Object clause, if the individual is unavailable, incapacitated, or in an emergency situation, a covered entity may disclose PHI in the exercise of their professional judgment that the disclosure is in the best interest of the individual;
  • Public interest and benefit activities; and
  • Limited data set for the purposes of research and public health or health care operations.
A patient has the following rights under the HIPAA Privacy Rule:
  • To access his/her PHI;
  • To request an amendment to his/her PHI if he/she disagrees with what is documented;
  • To request an accounting of disclosure of his/her PHI;
  • To request that certain information be restricted from use or disclosure;
  • To request that certain PHI be communicated in a particular manner to ensure confidentiality;
  • To withhold authorization for the release of PHI; and
  • To authorize the release of PHI.

The primary activities of the HIPAA Compliance Unit are: audit reviews; develop policies and procedures; enforce compliance; act as the County’s liaison to the Officer for Civil Rights and other agencies; review and comment on new local, State, or Federal laws that may impact existing health privacy practices; facilitate in the resolution of reported health care privacy breaches or complaints; prepare reports to the Board of Supervisors; and coordinate efforts with the HIPAA Security Program under the Chief Executive Office.