Privacy & Compliance

CalMHSA Integrated Compliance and Privacy Program

CalMHSA is committed to upholding the highest standards of integrity, ethics, and compliance. By maintaining robust compliance and privacy practices with a particular emphasis on data security and confidentiality, we better fulfill our mission of supporting California counties in the delivery of essential behavioral health services.

Our Integrated Compliance and Privacy Program serves as the cornerstone of our organizational conduct, with a strengthened emphasis on protecting the privacy and security of sensitive information entrusted to us by our county partners, clients, employees, and other stakeholders. This comprehensive program reflects our dedication to operational excellence, ethical behavior, and the safeguarding of protected health information (PHI), substance use disorder (SUD) records, and other personal data.

Questions or concerns about our Compliance and Privacy Program, and reports of a compliance or privacy issue, can be directed to [email protected] with the subject line “Attention Compliance Officer or Privacy Officer.”

Program Details

Lead Staff:

Terence Moloughney

Privacy Attorney, Data Security Counsel

California Regulatory Context

CalMHSA operates within a complex regulatory environment that includes federal and California-specific requirements. While our program addresses all applicable federal regulations, we place particular emphasis on California laws that shape our privacy and compliance obligations, including:

  • California Confidentiality of Medical Information Act (CMIA): Establishing state-level protections for medical information that complement and sometimes exceed HIPAA requirements
  • Lanterman-Petris-Short (LPS) Act: Providing specific privacy protections for mental health information in California
  • California Consumer Privacy Act (CCPA): Establishing privacy rights and business obligations related to personal information
  • California Health and Safety Code: Containing various provisions related to patient privacy and health information

Our program incorporates these California-specific requirements alongside federal regulations such as HIPAA and 42 CFR Part 2 to ensure comprehensive compliance across all aspects of our operations.

Program Purpose

The CalMHSA Integrated Compliance and Privacy Program is designed to:

  • Ensure Comprehensive Regulatory Compliance: Establish and maintain compliance with all applicable federal and state laws, regulations, and standards governing health care operations, including the Health Insurance Portability and Accountability Act (HIPAA), 42 CFR Part 2 (Substance Use Disorder Records), and other relevant U.S. data protection regulations.
  • Prevent Fraud, Waste, and Abuse: Implement effective controls and oversight mechanisms to detect, prevent, and address potential instances of fraud, waste, and abuse in all aspects of our operations.
  • Safeguard Sensitive Information: Develop and enforce robust policies, procedures, and technical safeguards to protect the confidentiality, integrity, and availability of PHI, SUD records, and other sensitive data throughout its lifecycle.
  • Promote Ethical Conduct: Foster a culture of integrity, accountability, and ethical behavior among all CalMHSA workforce members, contractors, and business associates.
  • Support County Partners: Provide a framework that enables CalMHSA to effectively support our county partners in their service delivery while maintaining appropriate boundaries and safeguards.

CalMHSA's Role and Responsibilities

This program is designed specifically for CalMHSA employees and contractors, addressing our unique role while acknowledging the interconnected nature of our work with county partners.

  • Scope of Responsibility: While counties maintain responsibility as direct service providers, CalMHSA often functions as a business associate (as defined by HIPAA) when handling protected health information on behalf of counties. This creates specific compliance obligations for our organization and our workforce.
  • Boundary Management: Our program clearly delineates where CalMHSA’s responsibilities begin and end, establishing appropriate boundaries while ensuring we meet all obligations related to the data we process, store, or transmit.
  • Support Without Direct Service Provision: We provide administrative, technical, and fiscal support to counties without directly delivering behavioral health services. This requires tailored compliance approaches that address our specific operational context.
  • Data Stewardship: As data stewards rather than data owners in many cases, we maintain rigorous standards for how we handle information provided by or on behalf of counties.

Privacy Program Focus

Our privacy program is a core component of our overall compliance framework and ensures the highest standards of data protection. Our approach is built on:

Compliance Program

Our compliance program works in concert with our privacy initiatives to ensure comprehensive oversight of all operational aspects. The program is structured around seven core elements based on guidance from the Department of Health and Human Services Office of Inspector General:

Metrics and Accountability

To ensure our program’s effectiveness, we have established measurable standards and accountability mechanisms:

Integration of Compliance and Privacy

While our privacy program receives heightened focus due to the sensitive nature of the information we handle, it operates as an integrated component of our overall compliance framework.