Ask the Expert

Is it a violation of HIPAA to collect consumer Social Security numbers?

I work within a medical practice, and I know at least one employee continually asks patients for their Social Security numbers. However, from what I have read about the new HIPAA requirements, we are no longer permitted to ask patients for this information. Is this correct, and do you have any tips or best practices on how medical organizations can enforce compliance rules at the patient level?

Requires Free Membership to View

It's not clear to me whether any new versions of HIPAA have specifically disallowed the use of Social Security numbers, or whether it's just an informal guideline. The reality is that either way, it's a good idea to move away from using the SSN as a primary identifier.

In terms of tips, there are several things you can do to address this issue, especially for a resistant employee. You can conduct extensive employee training, which typically involves engaging a professional HIPAA training firm that specializes in ensuring that frontline healthcare personnel understand what sensitive data is and why it needs to be protected.

Also remove SSNs from forms, and as a last resort terminate employees who don't follow policy. If an organization has decided that it will no longer collect SSN information, and an employee continues to do so, then that person should be fired. After all, if an organization doesn't enforce its policies and suffers some kind of breach, it faces significant liabilities.

Content monitoring technology can help to index and search structured and unstructured data to look for SSN data and to get rid of it. Monitoring the content will prevent potential violations (which is a good thing), but doesn't really address the root cause, which is that the staff doesn't understand what data is private and how to protect it. Ultimately, it's a training issue.

For more information:

  • Ed Skoudis explains how creating a security awareness program can help thwart insider threats.
  • In this case study, learn how merging networks helped one medical facility with HIPAA compliance requirements.
  • This was first published in November 2007