Q

Is it a violation of HIPAA to collect consumer Social Security numbers?

In this expert response, Mike Rothman discusses if collecting consumer SSNs is a HIPAA violation, and unveils how to handle employees that disregard corporate policies.

I work within a medical practice, and I know at least one employee continually asks patients for their Social Security numbers. However, from what I have read about the new HIPAA requirements, we are no longer permitted to ask patients for this information. Is this correct, and do you have any tips or best practices on how medical organizations can enforce compliance rules at the patient level?

It's not clear to me whether any new versions of HIPAA have specifically disallowed the use of Social Security numbers, or whether it's just an informal guideline. The reality is that either way, it's a good idea to move away from using the SSN as a primary identifier.

In terms of tips, there are several things you can do to address this issue, especially for a resistant employee. You can conduct extensive employee training, which typically involves engaging a professional HIPAA training firm that specializes in ensuring that frontline healthcare personnel understand what sensitive data is and why it needs to be protected.

Also remove SSNs from forms, and as a last resort terminate employees who don't follow policy. If an organization has decided that it will no longer collect SSN information, and an employee continues to do so, then that person should be fired. After all, if an organization doesn't enforce its policies and suffers some kind of breach, it faces significant liabilities.

Content monitoring technology can help to index and search structured and unstructured data to look for SSN data and to get rid of it. Monitoring the content will prevent potential violations (which is a good thing), but doesn't really address the root cause, which is that the staff doesn't understand what data is private and how to protect it. Ultimately, it's a training issue.

This was first published in November 2007

Dig deeper on HIPAA

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close