
Writing a patient identifier policy to prevent common HIPAA violations

EXPERT RESPONSE FROM: David Mortman, featured expert

QUESTION POSED ON: 17 June 2009
Is it a violation of HIPAA to have a patient's Social Security number appear in full on a computer screen while a hospital employee is searching for patient information? The computer screen may be in view of other patients.



It is quite possibly a violation, depending on which hospital staff members have access to the patient system and whether or not the patient's Social Security number is being used as a patient identifier. However, if the screen is viewable by other patients, then this is almost certainly a HIPAA violation example.

In general, HIPAA mandates that technology or processes be used to prevent unauthorized individuals from viewing patients' Personal Health Information (PHI). This can necessitate encrypting the data, truncating portions of the PHI and/or limiting who has access to the data to begin with.

So with the example above, if a patient's Social Security number is being used as a unique identifier, only people who need to have access are permitted it, the access is appropriately controlled and all of the above can be demonstrated to an auditor, then the company is going to be in pretty good shape.

On the other hand, if some or none of the preceding is true, then there is a problem. Addressing this issue doesn't necessarily have to be expensive, however; installing privacy screens on relevant computer monitors or perhaps even changing the positioning of the monitors may take care of the problem.

Regardless, consider switching away from using Social Security numbers and developing a new patient identifier policy. SSNs were never intended to be used this way, and as I've said in previous columns, using SSNs definitely violates the spirit of the legislation.
