I recently registered as a new patient with a local practice. They asked me to complete an on-line registration form. Although I probably should not have been, I was surprised when I was asked to provide not only my social security number (SSN) and driver’s license number, but those of my husband as well because we get our health insurance through his employer. I declined to do so.
Healthcare providers used to routinely collect the SSN and driver’s license number of each patient. Hospitals and other large healthcare providers have stopped asking patients for this information, but it is still commonly collected by physician practices. If your practice is routinely collecting this information, you should reconsider unless you have proper policies and procedures in place to ensure that it is protected.
Including an SSN or driver’s license number in a patient’s computerized file makes the file subject to New York’s Information Security Statute, which requires notification of a breach of an organization’s computer system when the system contains private information.
Collecting SSN data and including it, or any number derived from the SSN, in a patient’s file also subjects your practice to penalties under New York’s Social Security Number Protection Law. Firms that collect SSN data have to take steps to prevent its unauthorized disclosure and must limit access to those employees who need it for legitimate business purposes. Violations of the statute are subject to civil penalties in proceedings instituted by the Attorney General’s office. These protections cannot be waived by the consumer.
So, if you are collecting SSNs (or even part of an SSN) and driver’s license numbers, make sure that you need to do so for legitimate reasons. Avoid requesting the SSN or driver’s license number at registration for every patient. SSN data is often needed to verify third-party payor information, but there is no reason to collect a patient’s driver’s license number or make a copy of the driver’s license.
You should not use the patient’s SSN or any part of the SSN as a patient identifier. Using the SSN as a patient identifier gives all your employees access to such data and violates the requirement to ensure that reasonable measures are taken to avoid unnecessary disclosure of this information.
Design your systems in a way that avoids the collection and storage of this data. It will save you money in the long run.