Additionally, it adds unnecessary risk to the organization. While any medical ID number is considered protected health information (PHI), in the event of a breach, the company is exposing less information about its customers if it's only disclosing IDs and not their SSNs. So having alternate ID numbers not only limits the customers' exposure, it also shows the U.S. Department of Health and Human Services (HHS) -- the HIPAA enforcement body -- that the company takes extra precautions to protect its customers, and that is never a bad thing.
This risk of exposing customer data will be even greater next year when The Health Information Technology for Economic and Clinical Health Act (HITECH Act) goes into effect. This legislation, recently passed as part of the American Recovery and Reinvestment Act, not only raises the civil penalties for violations of HIPAA, but also mandates public disclosure of unencrypted PHI. So now is a good time to start revamping security policies.
For more information:
This was first published in March 2009