Without a UPI, healthcare awash in SSNs
The healthcare industry is swimming in Social Security numbers, thanks to the necessities of patient record management systems. But balancing those requirements with fraud mitigation and privacy protections is proving a big challenge.
That's according to a LexisNexis Risk Solutions study published this week, which examines four different industries' reasons and methods for collecting, storing and using personal identification information, or PII.
The report looks at the practices of healthcare, financial services, retail and government – taking stock of these sectors' varying approaches to identity verification and consumer behavior.
As for healthcare, the study finds that providers and payers have to collect and secure sensitive PII from their patients – many of whom aren't keen to share their SSNs to begin with – and thus increase their liability in the case of a breach.
Meanwhile, "The industry currently lacks an easy, uniform way to identify patients and link them to their health data, doctors, hospitals, pharmacies and insurance plans, which is creating a wall of unrelated patient identity numbers bogging down the medical records system," according to the report.
Addressing healthcare's dependence on SSNs would call for more comprehensive tools, such as a universal healthcare ID, it points out, "but a lack of national appetite for such a system limits the chances of these tools gaining traction at a national level."
As such, healthcare organizations have had to turn to the "collection of the SSNs from patients instead."
As with the financial services industry, PII data collection in healthcare is driven heavily by regulations. Unlike that industry, however, those rules – HIPAA and the ACA, most notably – are focused on ensuring patient privacy rather than deterring fraud or illegal activities, according to the LexisNexis report.
Moreover, "apart from regulations, PII collection in the healthcare industry is significantly influenced by vendor requirements," the authors write. "Vendors, also looking to meet HIPAA and ACA requirements, play a major role in patient identification, as mandates for data efficiency and security from the ACA and HIPAA are pushing vendors, payers and providers toward building and maintaining more electronic health records."
In healthcare, there's no "uniform code or standard regulating the types of PII to be collected," the report points out. "Industry regulations are instead focused on protecting patient privacy and regulating how the collected PII is stored and used. These regulatory restrictions place healthcare organizations in a unique role in which they must collect a large quantity of information as part of their operations but are limited in the use of this data."
As for patients, "despite the overall level of trust for healthcare organizations among patients, consumers are generally hesitant when it comes to sharing their SSN, mother's maiden name, place of birth, and screen name – with the greatest sensitivity displayed toward sharing their full SSN," according to LexisNexis.
Fewer than three in 10 consumers are willing to share their full SSN with healthcare providers, the study shows.
But it's not as if providers are enthusiastic about collecting these sensitive numbers. Survey respondents pointed out that "their collection of SSN is not driven by internal or regulatory policies but is instead dictated by the software tools they use," according to the report.
"From a privacy perspective, this puts some healthcare organizations in a difficult position. They must collect and secure sensitive PII from their patients (some of whom do not wish to share this information in the first place), increasing their information liability in the case of a data breach while not adding additional strength to their ID verification processes."
Indeed, the report cites one anonymous compliance officer who points out: "Our electronic medical records system here is designed so that you can't get past the system unless you have their Social Security number in that field. It's a required field – not an option. But this is not for compliance; it is a matter of software design."
"Over the years, the healthcare industry has recognized the inherent risks of using the SSN as a patient identifier and has taken some security measures against identity theft," according to a white paper put together by AHIMA. Still, there are plenty of reasons why it's a risky tool for patient ID.
"The expanded use of the SSN beyond its original intentions supports the contention that a unique individual identifier is a powerful business need," the authors contend.
Barring that, AHIMA outlines several best practices for limiting SSN use in healthcare. Among them:
- Organizations that are not currently using the SSN for identification purposes should not begin to do so.
- Organizations that collect the SSN for identity and record-linking purposes should establish a conversion plan to eliminate its collection and use. They should develop and train employees in other matching methods to reduce the organization's dependence on the SSN during the conversion process.
- Organizations that use the SSN for patient identification should limit its display to the minimum number of documents and screens necessary to accomplish its business use. They should further limit its display to the minimum number of digits necessary.
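The last two recommendations translate into two concrete controls: an SSN that is rendered with only the minimum digits, and a record-linking key built from demographics instead of the SSN. The following Python is an added example written for this article, not code from AHIMA or LexisNexis; the keyed-hash match key, the field normalization, the `Patient` record shape and the sample records are all assumptions of the example, and AHIMA does not prescribe any particular matching method.

```python
"""Minimal-display SSN masking plus a demographic match key, so that records can
be linked without relying on the SSN. Example code for this article; the
matching scheme is an assumption, not an AHIMA-specified method."""
import hashlib
import hmac
import re
import unicodedata
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed secret for keyed hashing of match keys. In a real deployment it
# would come from a secrets manager, never from source code.
MATCH_KEY_SECRET = b"example-only-secret"


def mask_ssn(ssn: str, visible_digits: int = 4) -> str:
    """Return the SSN with all but the trailing `visible_digits` replaced by '*'.
    Anything that is not exactly nine digits is rejected, so a malformed value
    is never partially echoed back to a screen or document."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9 or not (0 <= visible_digits <= 9):
        raise ValueError("expected a 9-digit SSN and 0..9 visible digits")
    shown = "".join(d if i >= 9 - visible_digits else "*"
                    for i, d in enumerate(digits))
    return f"{shown[:3]}-{shown[3:5]}-{shown[5:]}"


def _normalize(text: str) -> str:
    """Uppercase, strip accents and keep only A-Z so spelling variants such as
    'García' and 'GARCIA' produce the same key."""
    decomposed = unicodedata.normalize("NFKD", text)
    ascii_only = decomposed.encode("ascii", "ignore").decode()
    return re.sub(r"[^A-Z]", "", ascii_only.upper())


@dataclass(frozen=True)
class Patient:
    mrn: str          # the organization's own medical record number (constructed)
    last_name: str
    first_name: str
    dob: str          # ISO date YYYY-MM-DD; empty string if unknown


def match_key(p: Patient) -> Optional[str]:
    """Keyed hash of normalized demographics, usable as a linking token in
    place of the SSN. Returns None when the fields are too thin to link on."""
    last, first = _normalize(p.last_name), _normalize(p.first_name)
    if not (last and first and re.fullmatch(r"\d{4}-\d{2}-\d{2}", p.dob)):
        return None
    material = f"{last}|{first}|{p.dob}".encode()
    return hmac.new(MATCH_KEY_SECRET, material, hashlib.sha256).hexdigest()


def link_records(patients: List[Patient]) -> Dict[str, List[str]]:
    """Group MRNs that share a match key. Records without a usable key land in
    the 'UNMATCHED' bucket for manual review rather than being guessed at."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for p in patients:
        groups[match_key(p) or "UNMATCHED"].append(p.mrn)
    return dict(groups)


# Constructed sample records: two entries for the same person with different
# spellings, plus one with a missing date of birth.
SAMPLE = [
    Patient("MRN-001", "García", "José", "1980-02-03"),
    Patient("MRN-002", "GARCIA", "Jose", "1980-02-03"),
    Patient("MRN-003", "Smith", "Ann", ""),
]

if __name__ == "__main__":
    print(mask_ssn("123-45-6789"))        # ***-**-6789
    for key, mrns in link_records(SAMPLE).items():
        print(key[:12], mrns)
```

The masking function formats the output in the familiar 3-2-4 layout so that reviewers can tell at a glance which digits were suppressed, and the linking function keeps unlinkable records visible instead of silently dropping them, which is the failure mode that matters when the SSN is removed from the workflow.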