Home > Ask the Security Experts > Security Management Questions & Answers > How to avoid HIPAA Social Security number compliance violations
Ask The Security Expert: Questions & Answers
EMAIL THIS

How to avoid HIPAA Social Security number compliance violations

David Mortman, featured expert EXPERT RESPONSE FROM: David Mortman, featured expert

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 11 March 2009
I work for a health insurance company and our member IDs are Social Security numbers. The company does not use alternate IDs on insurance cards. Is this in violation of HIPAA?


BROWSE BY TAG
Security Management,   Security Audit, Compliance and Standards,   HIPAA,   Information Security Policies, Procedures and Guidelines,   Information Security Management,   VIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



RELATED CONTENT
Security Management
How to prepare for a FERPA audit
Why doesn't the CISSP cover information assurance and DIACAP?
Data breach notification legislation: What info must be released?
Risk management strategy for an information technology solution provider
Are there guidelines to create a HIPAA-compliant data center?
HHS HIPAA guidance on encryption requirements and data destruction
Writing a patient identifier policy to prevent common HIPAA violations
How to write technology outsourcing contracts
The requirements for being a PCI DSS-compliant service provider
The requirements needed to make an external penetration test legal

HIPAA
Creating a HIPAA employee training program
FTC extends breach notification to Web-based health repositories
Are there guidelines to create a HIPAA-compliant data center?
HHS HIPAA guidance on encryption requirements and data destruction
Writing a patient identifier policy to prevent common HIPAA violations
HIPAA compliance: New regulations change the game
HIPAA compliance manual: Training, audit and requirement checklist
Key elements of a HIPAA compliance checklist
Quiz: How to meet HIPAA compliance requirements
HIPAA changes force healthcare to improve data flow
HIPAA Research

Information Security Policies, Procedures and Guidelines
Essential guide: Pandemic planning for H1N1
Whitelists, SaaS modify traditional security, tackle flaws
Melissa Hathaway urges more cooperation, government attention to cybersecurity
Reuters: Obama ready to select cyber security czar
How a corporate Twitter policy can combat social network threats
Should enterprises be concerned with Twitter in the workplace?
Information security management hype: Debunking best practices
Data breach avoidance begins with security basics, panel says
Expert: Information security spending often restricts innovation
GAO report cites government weaknesses, data leakage

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
defense in depth  (SearchSecurity.com)
non-disclosure agreement  (SearchSecurity.com)
security policy  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary


Using Social Security numbers (SSNs) as patient ID numbers is not technically a violation of HIPAA -- you can use SSNs on insurance cards as long as you don't display the entire number -- but I think it definitely violates the spirit of the legislation.

Additionally, it adds unnecessary risk to the organization. While any medical ID number is considered protected health information (PHI), in the event of a breach, the company is exposing less information about its customers if it's only disclosing IDs and not their SSNs. So having alternate ID numbers not only limits the customers' exposure, it also shows the U.S. Department of Health and Human Services (HHS) -- the HIPAA enforcement body -- that the company takes extra precautions to protect its customers, and that is never a bad thing.

This risk of exposing customer data will be even greater next year when The Health Information Technology for Economic and Clinical Health Act (HITECH Act) goes into effect. This legislation, recently passed as part of the American Recovery and Reinvestment Act, not only raises the civil penalties for violations of HIPAA, but also mandates public disclosure of unencrypted PHI. So now is a good time to start revamping security policies.

For more information:



Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
Browse our Expert Advice



Find Security Solutions for Your Business
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts