Problem solve Get help with specific problems with your technologies, process and projects.

Is it a violation of HIPAA to collect consumer Social Security numbers?

In this expert response, Mike Rothman discusses if collecting consumer SSNs is a HIPAA violation, and unveils how to handle employees that disregard corporate policies.

I work within a medical practice, and I know at least one employee continually asks patients for their Social Security...

numbers. However, from what I have read about the new HIPAA requirements, we are no longer permitted to ask patients for this information. Is this correct, and do you have any tips or best practices on how medical organizations can enforce compliance rules at the patient level?

It's not clear to me whether any new versions of HIPAA have specifically disallowed the use of Social Security numbers, or whether it's just an informal guideline. The reality is that either way, it's a good idea to move away from using the SSN as a primary identifier.

In terms of tips, there are several things you can do to address this issue, especially for a resistant employee. You can conduct extensive employee training, which typically involves engaging a professional HIPAA training firm that specializes in ensuring that frontline healthcare personnel understand what sensitive data is and why it needs to be protected.

Also remove SSNs from forms, and as a last resort terminate employees who don't follow policy. If an organization has decided that it will no longer collect SSN information, and an employee continues to do so, then that person should be fired. After all, if an organization doesn't enforce its policies and suffers some kind of breach, it faces significant liabilities.

Content monitoring technology can help to index and search structured and unstructured data to look for SSN data and to get rid of it. Monitoring the content will prevent potential violations (which is a good thing), but doesn't really address the root cause, which is that the staff doesn't understand what data is private and how to protect it. Ultimately, it's a training issue.

More on this topic

  • Ed Skoudis explains how creating a security awareness program can help thwart insider threats.
  • In this case study, learn how merging networks helped one medical facility with HIPAA compliance requirements.
This was last published in November 2007

Dig Deeper on HIPAA