Provider Manual | Section 12

Privacy

Download the Manual

Please check back frequently for a newer version of the manual.

 
2024 Provider Manual (1731 KB)

Feedback Welcome

We welcome your feedback on how we can improve the Provider Manual. HPSM's goal is to make this manual as helpful and easy to use as possible.

Please call the Provider Services Department at 650-616-2106 with your comments or suggestions.

Privacy

The Health Plan of San Mateo (HPSM) is committed to helping protect the privacy and integrity of our members’ protected health information or “PHI” and personal information or “PI.” As a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), you have an obligation and responsibility to protect your patients’ and our members’ PHI.

This section of the Provider Manual seeks to guide providers and other plan partners to secure HPSM’s members’ PHI and PII as well as identifying and reporting privacy incidents or security incidents to HPSM.

Privacy Incidents

Definition

A privacy incident is a situation in which an individual or organization has suspicion or reasonably believes PHI or PI may have been lost, sent in an unencrypted format, or otherwise released to, accessed by, or obtained by an individual or organization that does not have authorization to review or receive the PHI.

Examples of Privacy Incidents

Privacy incidents may be unintentional and accidental, or they may be intentional. The release of PHI may be in a variety of formats: oral, written, and electronic. The list of examples below is not considered exhaustive. Potential incidents should always be reported to HPSM.

  • PHI sent to the wrong individual/organization: Examples include sending a fax to the wrong number or mailing PHI to the wrong address/individual.
  • PHI left unencrypted: Examples include PHI that is accessed electronically or sent to an unauthorized individual by email while unencrypted, or otherwise unreadable. This includes sending unencrypted emails containing PHI to HPSM.
  • Theft: Examples include PHI that is stolen due to the theft of an unencrypted or unprotected computer, theft of hard drives or other media with PHI that is not encrypted, or theft of paper PHI.

Security Incidents

A security incident is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or personal information (PI) or confidential data or interference with system operations in an information system. Incidents can affect one or more plan members.

Privacy and Security Safeguards

HPSM has adopted many safeguards to ensure our members’ PHI and PI is properly used, disclosed, and safeguarded. The following are some common areas of focus:

  • Protect your computer passwords. Do not share passwords with your assistant, co-workers, or family members. Do not let anyone else use your password. Keep your passwords secret and confidential.
  • Always secure your laptop or desktop computer. Sign off the computer when you are not using it. Install encryption software on your computer in case it is lost or stolen.
  • Confirm that you are using the correct fax number before you fax any PHI or PI.
  • Protect your paper medical records, and do not leave any PHI in publicly accessible areas. Keep documents containing PHI or PI in a secured location such as locked file cabinets or rooms.
  • Shared any PHI or PI in appropriate receptacles, and do not dispose of PHI or PI in regular trash cans.
  • Make sure any electronic media with PHI or PI is disposed of properly, including CDs, thumb drives, and hard drives in laptops, printers, and copy machines.
  • This list of privacy and security practices is not exhaustive. If you have any questions or need more information, please contact HPSM’s Privacy Officer at the number below.

Reporting Privacy Incidents

If you suspect or know about a privacy incident involving HPSM members’ PHI, you must immediately report it to HPSM to investigate. Your actions can help mitigate the potential negative impact of the incident on the member(s).

To report suspected privacy or security incidents, you can contact HPSM in one of these ways:

Compliance Hotline844-965-1241
Phone650-616-0050
Fax650-829-2050
Emailcompliance@hpsm.org 
Mail

Health Plan of San Mateo
Attn: Privacy Officer
801 Gateway Boulevard, Suite 100
South San Francisco, California 94080

You may remain anonymous, if you prefer, by calling the Compliance Hotline.

All information received or discovered by HPSM’s Compliance Department is treated as confidential, and the results of investigations are shared only with persons having a legitimate reason to receive the information (e.g., state and federal authorities, HPSM legal counsel, HPSM clinical reviewers and/or senior management).

You can report potential breaches of PHI or PI to the following agencies, depending on the program affected.

Resources

Office of Civil Rights Regional Office

Websitehttps://www.hhs.gov/ocr/about-us/contact-us/index.html
Address 

Michael Leoz, Regional Manager

Office for Civil Rights

U.S. Department of Health and Human Services

90 7th Street, Suite 4-100

San Francisco, California 94103

Customer Response Center

Phone800-368-1019 
Fax202-619-3818 
TDD800-537-7697
Emailocrmail@hhs.gov

HIPAA FAQs for Professionals

https://www.hhs.gov/hipaa/for-professionals/faq

DHCS Office of HIPAA Compliance – Information Protection Unit

https://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/default.aspx


 

End of Section 12: Privacy
 Section 11: Fraud Waste and Abuse