Currently, a hospital information system uses Social Security numbers as one of the key fields for patient identification. This system enables the merging of patients' info into an enterprise patient ID. Is the use of Social Security numbers by this system considered a HIPAA violation? If so, would redesigning the entire patient ID system be the only answer?