Privacy and Security

County officers, employees, agents, and volunteers are required to maintain the integrity and confidentiality of non-public personally identifiable information and to protect the security of that information. 

Non-public, personally identifiable information includes information maintained electronically or in paper format that can potentially be used to uniquely identify, contact, or locate County employees or members of the public. Examples include, but are not limited to, social security numbers, driver's license numbers, and financial and health information not subject to disclosure under the Public Records Act.

Safeguarding Confidential Information


Our employees follow these guidelines to protect confidential information:

  • Only access confidential information when necessary to perform
    job responsibilities
  • Only access the minimum amount of information necessary to
    complete a particular task
  • Do not access information to satisfy curiousity
  • Do not access or use information to benefit yourself, family member, friend, or acquaintance
  • Keep physical documents containing confidential information safe from prying eyes
  • Do not discuss confidential information where unauthorized individuals may overhear
  • Do not share computer and system passwords with anyone

Health Information Privacy and Security

The Health Insurance Portability and Accountability Act (HIPAA) of 1996, also known as the Kennedy/Kassebaum Act (PL 104-191), was originally intended to ensure portability of health insurance when an individual moves from one health plan to another. As the bill progressed through the federal legislative process, its scope expanded. Title II requirements are expressed through the Privacy Rule, the Security Rule, and rules regarding Transaction and Code Sets.

The Privacy Rule is intended to offer a balance between personal privacy and access to high quality health care. Its provisions are written to be workable, flexible, and scalable.

Under the Privacy Rule:

  • A covered entity and its business associates must protect individually identifiable health information.
  • A covered entity is a health care provider who transmits any health information electronically in connection with certain transactions; or a health plan or health care clearinghouse.
  • A business associate is a person who performs a function or activity on behalf of, or provides services to, a covered entity that involves individually identifiable health information. A business associate is not a workforce member. A covered entity can be a business associate to another covered entity.
  • A covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule.
  • Protected health information (PHI) is individually identifiable health information that is transmitted or maintained in any form or medium by a covered entity or business associate.
  • Protected health information must be disclosed to the individual (if requested) and to the federal Department of Health and Human Services if needed to investigate or determine compliance with the Privacy Rule.
  • Any person who believes a covered entity is not complying with the Privacy Rule may file a written complaint.
  • Each covered entity must implement policies and procedures regarding PHI that are designed to comply with the Privacy Rule.
  • The enforcement agency for the Privacy Rule is the federal Department of Health and Human Services, Office of Civil Rights (OCR).

Additional information regarding the Privacy Rule is available at

County Privacy Practices

Arrowhead Regional Medical Center
Notice of Privacy Practices

Department of Behavioral Health
Notice of Privacy Practices

Department of Public Health

Notice of Privacy Practices

County of San Bernardino © 2015. All rights reserved. | Privacy Policy | E-mail Webmaster | Disclaimer | Accessibility

157 West Fifth Street, First Floor • San Bernardino, CA 92415-0440 • Phone 909.387.4500 • TTY Users 711 • Fax 909.387.8950