I work for a health insurance company and our member IDs are Social Security numbers. The company does not use...
alternate IDs on insurance cards. Is this in violation of HIPAA?
Using Social Security numbers (SSNs) as patient ID numbers is not technically a violation of HIPAA -- you can use SSNs on insurance cards as long as you don't display the entire number -- but I think it definitely violates the spirit of the legislation.
Additionally, it adds unnecessary risk to the organization. While any medical ID number is considered protected health information (PHI), in the event of a breach, the company is exposing less information about its customers if it's only disclosing IDs and not their SSNs. So having alternate ID numbers not only limits the customers' exposure, it also shows the U.S. Department of Health and Human Services (HHS) -- the HIPAA enforcement body -- that the company takes extra precautions to protect its customers, and that is never a bad thing.
This risk of exposing customer data will be even greater next year when The Health Information Technology for Economic and Clinical Health Act (HITECH Act) goes into effect. This legislation, recently passed as part of the American Recovery and Reinvestment Act, not only raises the civil penalties for violations of HIPAA, but also mandates public disclosure of unencrypted PHI. So now is a good time to start revamping security policies.
Related Q&A from David Mortman, Contributor
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ...continue reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security...continue reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.