County officers, employees, agents, and volunteers are required to maintain the integrity and confidentiality of non-public personally identifiable information and to protect the security of that information.
Non-public, personally identifiable information includes information maintained electronically or in paper format that can potentially be used to uniquely identify, contact, or locate County employees or members of the public. Examples include, but are not limited to, social security numbers, driver's license numbers, and financial and health information not subject to disclosure under the Public Records Act.
Safeguarding Confidential Information
Our employees follow these guidelines to protect confidential information:
- Only access confidential information when necessary to perform
- Only access the minimum amount of information necessary to
complete a particular task
- Do not access information to satisfy curiousity
- Do not access or use information to benefit yourself, family member, friend, or acquaintance
- Keep physical documents containing confidential information safe from prying eyes
- Do not discuss confidential information where unauthorized individuals may overhear
- Do not share computer and system passwords with anyone
Health Information Privacy and Security
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, also known as the Kennedy/Kassebaum Act (PL 104-191), was originally intended to ensure portability of health insurance when an individual moves from one health plan to another. As the bill progressed through the federal legislative process, its scope expanded. Title II requirements are expressed through the Privacy Rule, the Security Rule, and rules regarding Transaction and Code Sets.
The Privacy Rule is intended to offer a balance between personal privacy and access to high quality health care. Its provisions are written to be workable, flexible, and scalable.
Under the Privacy Rule:
- A covered entity and its business associates must protect individually identifiable health information.
- A covered entity is a health care provider who transmits any health information electronically in connection with certain transactions; or a health plan or health care clearinghouse.
- A business associate is a person who performs a function or activity on behalf of, or provides services to, a covered entity that involves individually identifiable health information. A business associate is not a workforce member. A covered entity can be a business associate to another covered entity.
- A covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule.
- Protected health information (PHI) is individually identifiable health information that is transmitted or maintained in any form or medium by a covered entity or business associate.
- Protected health information must be disclosed to the individual (if requested) and to the federal Department of Health and Human Services if needed to investigate or determine compliance with the Privacy Rule.
- Any person who believes a covered entity is not complying with the Privacy Rule may file a written complaint.
- Each covered entity must implement policies and procedures regarding PHI that are designed to comply with the Privacy Rule.
- The enforcement agency for the Privacy Rule is the federal Department of Health and Human Services, Office of Civil Rights (OCR).
Additional information regarding the Privacy Rule is available at
The Security Rule works in concert with the Privacy Rule. The two sets of standards use many of the same terms and definitions in order to make it easier for covered entities to comply.
The Security Rule establishes standards for protecting individually identifiable health information when it is maintained or transmitted electronically. Under HIPAA security standards, health insurers, certain healthcare providers, and healthcare clearinghouses must establish procedures and mechanisms to protect the confidentiality, integrity, and availability of electronic protected health information. The rule requires covered entities to implement administrative, physical, and technical safeguards to protect electronic protected health information in their care.
The major difference between the Security Rule and the Privacy Rule is that the former concentrates on electronic information and the latter encompasses electronic, oral and physical information.
The second significant difference between the Security Rule and the Privacy Rule is the enforcement agency. The federal Centers for Medicare & Medicaid Services (CMS) is responsible for implementing and enforcing the security standards, the transactions standards, and other HIPAA administrative simplification provisions, except for the privacy standards. HHS' Office for Civil Rights is responsible for implementing and enforcing the privacy rule.
You have the right to file a complaint if you believe that the County of San Bernardino has given out or used your personal health information inappropriately. If you believe that an action was taken against you contact the complaints officer. You may contact either:
County of San Bernardino HIPAA Complaints Official
157 West Fifth Street, First Floor
San Bernardino, CA 92415-0400
Under the HIPAA rules it is unlawful for an employee of San Bernardino County to take an action against you because you:
United States Department of Health and Human Services
Office for Civil Rights
- Filed a complaint;
- Helped with an investigation; or
- Opposed a practice that you think is unlawful under HIPAA.