How to avoid HIPAA Social Security number compliance violations

I work for a health insurance company and our member IDs are Social Security numbers. The company does not use alternate IDs on insurance cards. Is this in violation of HIPAA?

Using Social Security numbers (SSNs) as patient ID numbers is not technically a violation of HIPAA -- you can use SSNs on insurance cards as long as you don't display the entire number -- but I think it definitely violates the spirit of the legislation.

Additionally, it adds unnecessary risk to the organization. While any medical ID number is considered protected health information (PHI), in the event of a breach, the company is exposing less information about its customers if it's only disclosing IDs and not their SSNs. So having alternate ID numbers not only limits the customers' exposure, it also shows the U.S. Department of Health and Human Services (HHS) -- the HIPAA enforcement body -- that the company takes extra precautions to protect its customers, and that is never a bad thing.

This risk of exposing customer data will be even greater next year when The Health Information Technology for Economic and Clinical Health Act (HITECH Act) goes into effect. This legislation, recently passed as part of the American Recovery and Reinvestment Act, not only raises the civil penalties for violations of HIPAA, but also mandates public disclosure of unencrypted PHI. So now is a good time to start revamping security policies.