Privacy at DPH

The Privacy Program's focus is to protect patient privacy and ensure that DPH patient data is shared in a way permissible by the Health Insurance Portability and Accountability Act (HIPAA).

On this page you can:

  • Find out about OCPA's Privacy Program's activities and services.
  • Understand what a breach is.
  • Find out how to report a suspected breach.
  • Find links to DPH Privacy Policies.
  • Find links to information on Data Sharing. 
  • Get guidance and see frequently asked questions.  

What is privacy in healthcare?

Privacy is ensuring that protected health information (PHI) is used, viewed, or disclosed in a way permitted by federal and state law.  


PHI is any information related to a person's treatment or payment for services that is identifiable to that person.  There are 18 identifiers that make treatment or payment information PHI.  It only takes one identifier to make the treatment or payment information PHI.  

When is it ok to use or disclose PHI?

  • Allowable uses of PHI

DPH workforce members may use and disclose PHI for the purposes of treatment, payment, and operations only when it is necessary to perform an authorized work function.  Using and disclosing PHI must be limited to the minimum necessary to complete the job function.  


  • When is using or disclosing PHI not allowed?

Viewing, using, or disclosing PHI for any reason that is not related to treatment, payment, or operations is not allowed.  There are many instances of accidental and deliberate improper use and disclosure of PHI that may result in a breach.  Some examples of impermissible uses:

  1. Viewing patient records without a legitimate treatment, payment, or operations reason.  This includes looking at your own records, and the records of family members, friends, or any other record that you have no job-related reason to view.  
  2. Verbally disclosing PHI to any person who does not have a job-related need to know the information.  

What happens if I don't protect PHI?

If you use, view, or disclose PHI that you are not authorized to as part of your job, that is a "breach" of patient privacy.


  • What is a breach?

A breach is a use or disclosure of protected health information (PHI) that is not allowed under the Health Insurance Portability and Accountability Act (HIPAA).  PHI is health information about a patient that is identifiable to that patient.


  • How do I report a breach? 

You can report all suspected breaches to the OCPA Compliance and Privacy Hotline at 855-729-6040 or by email at compliance.privacy@sfdph.org.  You can also report suspected breaches to your onsite Privacy Officer.


  • What if I am not sure if an incident is a breach? 

You should report any incident that you believe may be a breach to your onsite Privacy Officer or to the Compliance and Privacy hotline.  The Privacy Officer and OCPA will determine if the incident is a breach. 

There are many situations that may result in a breach, including accidental loss or disclosure of PHI.  You must report all instances so OCPA can determine if the incident is a breach.   

What can I do?

  • Privacy issues can be complex.  OCPA is here to provide advice to support DPH operational decisions.  You can request advice directly from your division's Privacy Officer.  Visit the Our Team page to find your Privacy Officer. 
  • Educate yourself on HIPAA rules and responsibilities.
  • Do your annual Compliance and Privacy Training each year.  
  • Report any incident that you think may be a privacy breach.

You can also make requests for guidance to compliance.privacy@sfdph.org.   

Answers to commonly asked questions can be found at Privacy FAQs.  

View DPH Privacy Policies

Last updated September 26, 2023