Should Health Plans Use Social Security Numbers as Participant ID Numbers?

Ronald L. Scott
rscott@central.uh.edu

Most health insurance plans currently use an individualís social security number (SSN) as the participantís identification number and display the SSN on the card issued to the participant.  Identify theft and other misuse of SSNs has prompted some legislators at the federal and state levels to introduce legislation prohibiting the display of SSNs on most identification cards.

The Health Insurance Portability and Accountability Act (HIPAA) originally provided for a unique health identifier for individuals.  Consensus could not be developed on how or whether to develop such identifiers for individuals and the federal Department of Health and Human Services and Congress have indefinitely postponed any effort to develop such a standard.  See Administrative Simplification Under HIPAA:  National Standards For Transactions, Security And Privacy (March 3, 2003) available at http://www.hhs.gov/news/press/2002pres/hipaa.html.

Recently introduced Texas Senate Bill 61would amend Chapter 35, Texas Business & Commerce Code to provide that a person may not display an individualís social security number on a card or other device required to access a product or service provided by the person.  The law does not apply to use of a social security number that is required by state or federal law, or the use of a social security number for internal verification or administrative purposes.  The law would take effect January 1, 2004, and applies to a card that is issued in connection with an insurance policy only if the policy is delivered, issued for delivery, or renewed on or after January 1, 2005.

The Privacy Act of 1974, 5 USC §552a is the primary federal law regarding the privacy of SSNs.  The Privacy Act requires government agencies to disclose what use they will make of a requested SSN and their legal authority for requesting the SSN, and it provides that government benefits cannot be denied on basis of refusal to provide SSN unless there is legal authority to request the SSN with some exceptions. The text of the Privacy Act is available at http://www.usdoj.gov/foia/privstat.htm.

Several bills have been introduced at the federal level to better regulate the disclosure and use of SSNs by both government and private entities.  Two examples include the Social Security Number Misuse Prevention Act (H.R. 637, S.228 and The Social Security Number Misuse Prevention Act (H.R.220, S.223).  See http://thomas.loc.gov (full text of legislation available at the site).

When your physician orders lab tests the results are likely returned to the physician with the patientís health insurance ID number, commonly the patientís SSN.  It is obviously important that the lab results be correctly correlated with the patientís medical record.  Since HIPAA has rejected a national unique patient identifier, discontinuing use of SSNs may increase the risk of misidentification of patient medical information.  While the legislative reaction to misuse of SSNs is understandable and perhaps appropriate, such a change may increase the possibility of misidentifying patient medical data with the resultant risk of medical harm to the patient.  In fairness, the pending legislation reviewed would only limit the use of SSNs rather than prevent their use completely.  For example, under Texas SB 61, a health plan might issue a patient ID card with an identifying number generated by the health plan but still use the patientís SSN on all requests for laboratory work.  For a good overview of the laws relating to use and disclosure of SSNs, see Utility Consumersí Action Network Privacy Rights Clearinghouse, Fact Sheet 10: Your Social Security Number: How Secure Is It? Copyright 1993-2003  (June 1993 / Rev. June 2002), available at http://www.privacyrights.org/fs/fs10-ssn.htm.