If I understand your question correctly, I'm not aware of any HIPAA mandate that states a social security number must be used for client access. If anything, HIPAA mandates protecting SSNs and requires the minimum amount of protected health information necessary to get the job done. This can be used, but if it is determined during a risk assessment that threats or vulnerabilities exist in transmitting a SSN (or any confidential info) across a FTP, or any data communications, session, then certain systems must be in place to protect that information (i.e. encryption, authentication, etc.).
For more information on this topic, visit these other SearchSecurity.com resources:
Dig deeper on Web Authentication and Access Control
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.