Provider Manual | Section 12



The Health Plan of San Mateo (HPSM) is committed to helping protect the privacy and integrity of our members’ protected health information or “PHI” and personal information or “PI.” As a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), you have an obligation and responsibility to protect your patients’ and our members’ PHI.

This section of the Provider Manual seeks to guide providers and other plan partners to secure HPSM’s members’ PHI and PII as well as identifying and reporting privacy incidents or security incidents to HPSM.

Privacy Incidents


A privacy incident is a situation in which an individual or organization has suspicion or reasonably believes PHI or PI may have been lost, sent in an unencrypted format, or otherwise released to, accessed by, or obtained by an individual or organization that does not have authorization to review or receive the PHI.

Examples of Privacy Incidents

Privacy incidents may be unintentional and accidental, or they may be intentional. The release of PHI may be in a variety of formats: oral, written, and electronic. The list of examples below is not considered exhaustive. Potential incidents should always be reported to HPSM.

  • PHI sent to the wrong individual/organization: Examples include sending a fax to the wrong number or mailing PHI to the wrong address/individual.
  • PHI left unencrypted: Examples include PHI that is accessed electronically or sent to an unauthorized individual by email while unencrypted, or otherwise unreadable. This includes sending unencrypted emails containing PHI to HPSM.
  • Theft: Examples include PHI that is stolen due to the theft of an unencrypted or unprotected computer, theft of hard drives or other media with PHI that is not encrypted, or theft of paper PHI.

Security Incidents

A security incident is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or personal information (PI) or confidential data or interference with system operations in an information system. Incidents can affect one or more plan members.

Privacy and Security Safeguards

HPSM has adopted many safeguards to ensure our members’ PHI and PI is properly used, disclosed, and safeguarded. The following are some common areas of focus:

  • Protect your computer passwords. Do not share passwords with your assistant, co-workers, or family members. Do not let anyone else use your password. Keep your passwords secret and confidential.
  • Always secure your laptop or desktop computer. Sign off the computer when you are not using it. Install encryption software on your computer in case it is lost or stolen.
  • Confirm that you are using the correct fax number before you fax any PHI or PI.
  • Protect your paper medical records, and do not leave any PHI in publicly accessible areas. Keep documents containing PHI or PI in a secured location such as locked file cabinets or rooms.
  • Shared any PHI or PI in appropriate receptacles, and do not dispose of PHI or PI in regular trash cans.
  • Make sure any electronic media with PHI or PI is disposed of properly, including CDs, thumb drives, and hard drives in laptops, printers, and copy machines.
  • This list of privacy and security practices is not exhaustive. If you have any questions or need more information, please contact HPSM’s Privacy Officer at the number below.

Reporting Privacy Incidents

If you suspect or know about a privacy incident involving HPSM members’ PHI, you must immediately report it to HPSM to investigate. Your actions can help mitigate the potential negative impact of the incident on the member(s).

To report suspected privacy or security incidents, you can contact HPSM in one of these ways:

Compliance Hotline844-965-1241

Health Plan of San Mateo
Attn: Privacy Officer
801 Gateway Boulevard, Suite 100
South San Francisco, California 94080

You may remain anonymous, if you prefer, by calling the Compliance Hotline.

All information received or discovered by HPSM’s Compliance Department is treated as confidential, and the results of investigations are shared only with persons having a legitimate reason to receive the information (e.g., state and federal authorities, HPSM legal counsel, HPSM clinical reviewers and/or senior management).

You can report potential breaches of PHI or PI to the following agencies, depending on the program affected.


Office of Civil Rights Regional Office


Michael Leoz, Regional Manager

Office for Civil Rights

U.S. Department of Health and Human Services

90 7th Street, Suite 4-100

San Francisco, California 94103

Customer Response Center


HIPAA FAQs for Professionals

DHCS Office of HIPAA Compliance – Information Protection Unit


End of Section 12: Privacy