The County of Los Angeles Office of Privacy is committed to protecting the privacy of our constituents, employees, and other confidential information. Our goal is to ensure the proper use and disclosure of such information, while maintaining the highest level of integrity and protection. We strive to achieve these goals by providing oversight and guidance to County departments, engagement with County stakeholders, and promoting a culture that values the compliance with privacy laws, regulations, and policies.
Privacy Practices while Teleworking
As the world continues to navigate through the challenges of the COVID-19 pandemic, many employers have expanded teleworking options for employees. Click here to learn more about privacy practices while teleworking.
What is data privacy?
Generally speaking, privacy is your right to control how your information is used, processed, stored, or shared. Today, our lives are significantly intertwined with electronic devices, information technology, and data about ourselves. Data privacy involves the governance of personal data about ourselves, which includes personally identifiable information (PII) and personal health information (PHI).
What is the difference between a privacy “incident” versus a “breach”?
A privacy incident is an adverse event that may have compromised the confidentiality, integrity, or availability of personal information. A privacy incident may also occur when someone violates the organization’s privacy policies and procedures. Examples of privacy incident include:
- Email or fax being sent to an incorrect party.
- Loss or theft of a computing device such as a USB drive, mobile phone, tablet, laptop, or desktop computer.
- Potential violation of County policies and/or department policies and procedures.
A breach is an incident in which sensitive, confidential, or personal information has been accessed and/or disclosed without authorization. A breach is reported internally in an organization, as well as to affected individuals, regulatory agencies, and in some cases, the media.
What are some best practices to protect my privacy?
- Create strong passwords that are unique, hard to guess, and include numerous characters, numbers and symbols.
- Protect computers and other devices by using current anti-virus software.
- Be cautious about emails from unknown sources, especially if they have attachments or seek a response. A quick phone call or conversation to verify the validity of the email is a good practice to follow.
- Be careful about sharing Personally Identifiable Information or sensitive information about yourself on social media.
- Use two-factor authentication or multi-factor authentication to access accounts that contain personal and/or confidential information. This usually involves use of a password, and a second form of verification such as answering security question or inputting a secondary random passcode that is sent to the user via email or text message.
- Use a shredder to destroy paper documents containing personal or sensitive information.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) ensures patient confidentiality for all healthcare-related data. HIPAA is a federal regulation that was passed in 1996 to address the following:
- Provides the ability to transfer and continue health insurance coverage for individuals who change employers.
- Requires covered entities to protect the privacy and security of Protected Health Information.
- Establishes standard requirements for electronic transactions involving the exchange of healthcare data (including payment, claims and eligibility data).
In December 2000, the U.S. Department of Health and Human Services (HHS) issued the “Privacy Rule” to carry out HIPAA’s mandate to safeguard the privacy of health information.
What is a Covered Entity?
Covered entities are defined under HIPAA to include (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. In general, these transactions involve billing and payment for services or insurance coverage. Examples of covered entities include hospitals, academic medical centers, physicians and other healthcare providers, and other health care providers who electronically transmit claims transaction information.
What is Protected Health Information?
Protected Health Information (PHI) is health data that is created, received, stored, or transmitted by HIPAA-covered entities and their business associates during the provision of healthcare, healthcare operations and payment for healthcare services. PHI can be in electronic, oral, or paper format.
What is Personally Identifiable Information?
Personally Identifiable Information (PII) is any data that could be used to identify a particular individual. Examples of PII include a person’s full name, Social Security number, biometric identifiers (such as fingerprints), bank account number, and driver’s license number.
What type of activity might constitute a HIPAA violation?
HIPAA includes a specific set of rules that healthcare providers are required to follow. Failure to comply with any of the provisions of the HIPAA Rules may lead to improper disclosure of PHI, which may constitute a HIPAA violation, sanctions and/or penalties. Some examples include:
- Unauthorized release of PHI.
- Improper disposal of PHI records.
- Unauthorized disclosure of PHI records.
- Improper access to patient files by employees.
- Failure to meet patient access requirements to health records.
How do I obtain a copy of my medical records?
Contact your healthcare provider to request copies of your medical records. If you are a patient at a County facility, please use the links below for more information:
Department of Health Services:
Department of Mental Health:
Department of Public Health: