Currently, a hospital information system uses Social Security numbers as one of the key fields for patient identification. This system enables the merging of patients' info into an enterprise patient ID. Is the use of Social Security numbers by this system considered a HIPAA violation? If so, would redesigning the entire patient ID system be the only answer?
Use of Social Security numbers (SSNs) is not a violation of HIPAA unless the number is used in such a way that it is clearly exposed to the public. So, as an example, if an organization is using Social Security numbers as the patient identifier, the full ID cannot be displayed on member cards. Similarly, computer monitors need to be set up so that patients' Personal Health Information (PHI), including their SSNs and diagnoses, is not viewable by other patients or unauthorized personnel.
Without further information about what the enterprise patient IDs look like, it is hard to say for certain that this is not a violation of HIPAA, but at first blush it sounds acceptable, especially if this ID is not being printed on ID cards.