Provider Manual | Section 12



HPSM is committed to helping protect the privacy and integrity of our members’ protected health information or “PHI”. As a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), you have an obligation and responsibility to protect your patients’ and our members’ PHI.

This section of the Provider Manual seeks to guide providers and other plan partners to secure HPSM’s members’ PHI as well as identifying and reporting privacy incidents or security incidents to HPSM.

Privacy Incidents


A privacy incident is a situation where an individual or organization has suspicion or reasonably believes protected health information (PHI) may have been lost, sent in an unencrypted format, or otherwise released to or obtained by an individual or organization that does not have a right to review or receive the PHI.

Examples of Privacy Incidents

Privacy incidents may be unintentional and accidental, or they may be intentional. The release of PHI may be in a variety of formats: oral, written, and electronic. The list of examples below is not considered exhaustive. Potential incidents should always be reported to HPSM.

  • PHI sent to the wrong individual/organization: Examples include sending a fax to the wrong number or mailing PHI to the wrong address/individual.
  • PHI left unencrypted: Examples include PHI that is accessed electronically or sent to an unauthorized individual by email, and the PHI is not encrypted or otherwise unreadable.
  • Theft: Examples include PHI that is stolen due to the theft of an unencrypted or unprotected laptop or desktop, theft of hard drives or other media with PHI that is not encrypted, or theft of paper PHI.

Security Incidents

A security incident is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or personal information (PI) or confidential data or interference with system operations in an information system. Incidents can affect one or more plan members.

Privacy and Security Safeguards

HPSM has adopted many safeguards to ensure our members’ PHI is properly used, disclosed, and safeguarded. Following are some common areas of focus:

  • Protect your computer passwords. Do not share passwords with your assistant, co-workers, or family members. Do not let anyone else use your password. Do keep your passwords secret and confidential.
  • Always secure your laptop. Sign off the laptop when you are not using it. Install encryption software on your laptops in case it is lost or stolen.
  • Confirm that you are using the correct fax number before you fax any PHI.
  • Protect your paper medical records, and do not leave any PHI in publicly accessible areas. Keep documents containing PHI in a secured location such as locked file cabinets or rooms.
  • Shred any PHI in appropriate receptacles, and do not dispose of PHI in regular trash cans.
  • Make sure any electronic media with PHI is disposed of properly, including CDs, thumb drives, and hard drives in laptops, printers, and copy machines.
  • This list of privacy and security practices is not exhaustive. If you have any questions or need more information, please contact HPSM’s Privacy Officer at the number below.

Reporting Privacy Incidents

If you suspect or know about a privacy incident involving HPSM members’ PHI, you must immediately report it to HPSM to investigate. Your actions can help mitigate the potential negative impact of the incident on the member(s).

To report suspected privacy incidents, you can contact HPSM in one of these ways:

Compliance Hotline (anonymous)844-965-1241

Health Plan of San Mateo
Attn: Compliance Department
801 Gateway Boulevard, Suite 100
South San Francisco, California 94080

You may remain anonymous, if you prefer, by calling the Compliance Hotline.

All information received or discovered by HPSM’s Compliance Department is treated as confidential, and the results of investigations are shared only with persons having a legitimate reason to receive the information (e.g., state and federal authorities, HPSM legal counsel, HPSM clinical reviewers and/or senior management).

You can report potential breaches of PHI to the following agencies, depending on the program affected.


Office of Civil Rights Regional Office 

Michael Leoz, Regional Manager

Office for Civil Rights

U.S. Department of Health and Human Services

90 7th Street, Suite 4-100

San Francisco, California 94103

Customer Response Center


HIPAA FAQs for Professionals 

DHCS Office of HIPAA Compliance – Information Protection Unit 


End of Section 12: Privacy