How to avoid HIPAA Social Security number compliance violations
It can be difficult to decipher what a HIPAA Social Security number violation is. In this information security management expert response, David Mortman explains how to avoid HIPAA SSN violations as an employer.
I work for a health insurance company and our member IDs are Social Security numbers. The company does not use...
Continue Reading This Article
Enjoy this article as well as all of our content, including E-Guides, news, tips and more.
alternate IDs on insurance cards. Is this in violation of HIPAA?
Using Social Security numbers (SSNs) as patient ID numbers is not technically a violation of HIPAA -- you can use SSNs on insurance cards as long as you don't display the entire number -- but I think it definitely violates the spirit of the legislation.
Additionally, it adds unnecessary risk to the organization. While any medical ID number is considered protected health information (PHI), in the event of a breach, the company is exposing less information about its customers if it's only disclosing IDs and not their SSNs. So having alternate ID numbers not only limits the customers' exposure, it also shows the U.S. Department of Health and Human Services (HHS) -- the HIPAA enforcement body -- that the company takes extra precautions to protect its customers, and that is never a bad thing.
This risk of exposing customer data will be even greater next year when The Health Information Technology for Economic and Clinical Health Act (HITECH Act) goes into effect. This legislation, recently passed as part of the American Recovery and Reinvestment Act, not only raises the civil penalties for violations of HIPAA, but also mandates public disclosure of unencrypted PHI. So now is a good time to start revamping security policies.
- Check out these key elements of a HIPAA compliance checklist.
- Is a lack of employee privacy a violation of HIPAA? Read more.
Dig Deeper on Compliance
Related Q&A from David Mortman
Personally identifiable information guidelines for U.S. passport numbers
Do U.S. passport numbers count as personally identifiable information? Learn more about guidelines for PII in this security management expert ... Continue Reading
How to protect employee information in email paystubs
Many companies are moving to a system of paperless paystubs. Learn how to protect the information contained in these email paystubs with the use of ... Continue Reading
What are the ethical issues when consulting for two competing companies?
Security consulting is a job in which privacy is paramount. Leaking security strategies to the wrong people -- especially a company's competition -- ... Continue Reading