InforMed Newsletter

HIPAA Best Practices

San Francisco Health Plan (SFHP) is committed to protecting the confidential and protected health information of our members and participants. While privacy and confidentiality have always been a priority for SFHP and our health care providers, security and best practices are even more important with the increased use of electronic health records and technology and the increased state and federal oversight of the privacy and security of health care information. Both the state and federal governments have new agencies with the authority to receive reports, investigate incidents and impose fines regarding health care information breaches.

The best way to avoid the state and federal reporting requirements and fines is to prevent breaches of protected health information (PHI) in the first place. Some best practices to prevent breaches are the following:

  • Do NOT store PHI on portable devices, like laptops and hand-held devices. If necessary, only store on ENCRYPTED devices.
  • Do NOT disclose PHI to those not authorized.
  • Do NOT share passwords.
  • Do NOT disclose PHI via email, unless using a secure email system.
  • Do NOT place PHI in the trash or recycling bins.
  • Do NOT put patient names in the subject line of an email.
  • Secure or lock up records with PHI.
  • Always use a fax cover sheet with a confidentiality disclaimer.

Under the new federal law, the Health Information Technology for Economic and Clinical Health Act (HITECH), which is part of the American Recovery and Reinvestment Act (ARRA, commonly referred to as the stimulus bill), covered entities, e.g. health care providers and health plans, are required to notify the federal government, the media and the affected individuals when a breach affects more than 500 individuals. HITECH also requires an annual report of incidents that affect fewer than 500 individuals, but for those the media and affected individuals do not have to be notified. There have been nearly 100 reports of breaches to the HHS, with 15 in California. Most of these were due to lost or stolen laptops that contained protected health information. You may view these reported incidents at this link.

Health care providers contracted with SFHP must also report breaches to SFHP within one business day of learning of the breach, because SFHP, as a covered entity, may itself have a responsibility to report the breach to state and federal agencies.

If you have any questions or need to report a breach, please contact SFHP’s Compliance Officer, Nina Maruyama, at (415) 615-4217 or nmaruyama@sfhp.org.