I work within a medical practice, and I know at least one employee continually asks patients for their Social Security numbers. However, from what I have read about the new HIPAA requirements, we are no longer permitted to ask patients for this information. Is this correct, and do you have any tips or best practices on how medical organizations can enforce compliance rules at the patient level?
It's not clear to me whether any new versions of HIPAA have specifically disallowed the use of Social Security numbers, or whether it's just an informal guideline. The reality is that either way, it's a good idea to move away from using the SSN as a primary identifier.
In terms of tips, there are several things you can do to address this issue, especially for a resistant employee. You can conduct extensive employee training, which typically involves engaging a professional HIPAA training firm that specializes in ensuring that frontline healthcare personnel understand what sensitive data is and why it needs to be protected.
Also remove SSNs from forms, and as a last resort terminate employees who don't follow policy. If an organization has decided that it will no longer collect SSN information, and an employee continues to do so, then that person should be fired. After all, if an organization doesn't enforce its policies and suffers some kind of breach, it faces significant liabilities.
Content monitoring technology can help to index and search structured and unstructured data to look for SSN data and to get rid of it. Monitoring the content will prevent potential violations (which is a good thing), but doesn't really address the root cause, which is that the staff doesn't understand what data is private and how to protect it. Ultimately, it's a training issue.
- Ed Skoudis explains how creating a security awareness program can help thwart insider threats.
- In this case study, learn how merging networks helped one medical facility with HIPAA compliance requirements.
Dig deeper on HIPAA
Related Q&A from Mike Rothman, Contributor
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ...continue reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ...continue reading
When developing software securely, what role does gap analysis play? In this security management expert response, learn how to implement gap analysis...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.