Question: Recently, a new patient adamantly refused to provide his Social Security number (SSN). He claimed it exposes him to identity theft. The front desk assistant didn't know what to do, so she simply left the space blank on the form. But our system won't accept the record without it. Can we require the patient to provide his SSN?
by Dan Zimmerman in Operational & Staff Risks on Monday, November 27, 2017
Answer: You can expect to see this happen more frequently in your practice as patients become more aware of the risk of identity theft.
Social Security numbers were created to track an individual’s earnings and to pay benefits. Unfortunately, the numbers have evolved to become the universally used personal identifier in the private and public sectors. As such, they have also become prized targets of identity thieves.
Widely publicized thefts of laptops and other electronic data storage devices have resulted in the unauthorized release of millions of personal health and financial records. The countless articles on the topic almost always warn about the need to safeguard SSNs and challenge the need to provide it—even in healthcare settings.
The vast majority of private healthcare insurers have stopped using SSNs as a member’s identification number. Some insurers ceased this practice as a direct result of state legislation prohibiting the practice. Others stopped because they recognized both the risks and the additional efforts required to safeguard SSNs—particularly since HIPAA was enacted. Medicare and most state Medicaid programs still use the SSN as the patient identifier, but even those programs are under pressure to discontinue the practice.
More than 20 states have enacted legislation that minimizes or restricts the collection, use, storage and retention of Social Security numbers. Some specifically address and mandate privacy protection efforts for collecting and storing SSNs electronically. Others speak to release requirements (e.g., only the last four digits of an SSN). It’s important to consult a practice attorney to determine your state’s requirements for SSNs, and to review your practice policies and protocols to ensure compliance.
For these reasons, it’s advisable to consider changing your system to accept a patient identifier other than the SSN for your record management. In most cases, the SSN shouldn’t be necessary for your recordkeeping and claims processing. If an SSN is needed, for example, to coordinate covered benefits for a patient and spouse, a request can be made to the patient at that time.
Be aware that it is only a matter of time before the practice of using SSNs as patient identifiers is universally prohibited. In the meantime, expect to continue to be challenged by patients in this area.