SSN & identity theft

[alexa]

A few of our employees have called in asking that our healthcare provider omit their SSN's from display on medical & prescription id cards (apparantly they have had a problem in the past with identity theft). Our healthcare provider cannot do this currently.

Do the employees currently have a legal recourse to require this ?

I know that CA has a law in place currently SB 168 for CA residents effective in the next 2 years for current group insured plans

Are there any other states out there with simialr laws to CA?

What about federal law(s)?

Thanks

[mroberts]

I'm not aware of any state or federal laws that could help your employees. Insurance carriers need a way to identify employees in their systems. They can't do it by name since there can be 53 Robert Smith's. The only other way of doing it is by ID number. This is something that you may already have internally or it's something that a carrier can create. The problem is, this will usually pose a bigger problem for your employees because they are probably not going to be able to remember a random 10 digit number.

Just out of curiosity, who leaves their medical and prescription ID cards laying around? Most people keep them in their wallets and present them upon a doctor's visit or picking up a prescription. Heck, most driver's licenses have a person's SSN on them. Some of the most suspicious looking people I've ever met are bouncers at a bar. What is a person supposed to do then? Occassionally you hear a story about someone's SSN number getting ripped off, but something tells me the majority of these cases aren't from someone scoping the person's prescription ID card out at the pharmacy. Tell your employees to be smart about it.

[jeanine]

Interesting subject--we get a request like this every once in a while. I believe there was a law introduced in Congress recently that has a lot of insurance companies lobbying for its failure. It would eliminate the use of SSN's by insurance companies. If you look at HIPAA, one of the original standards was an individual idenitifier that would stay with you all your life (but not an SSN). This is no longer a standard since you had all these people arguing that the govt would know everything about them based on this national identifier. The trouble is, you have certain people who are always going to have an issue no matter how you identify them. One of the concerns with allowing someone to pick their own identifier (or to have one generated by one company) is that people don't always have the same insurance coverage throughout their lives. How would you pre-ex someone when you can't verify any coverage they received or care they received? What about insurance fraud? I think it would be easier to perpetrate fraud if someone is not tied to a specific number no matter where they receive coverage.

[david rigby]

It is my understanding that the insurance company cannot require the use of SSN as the ID number. Others may have more information on this subject.

Identity theft (which by the way is really all about money) is a very serious problem. You might find some useful info here: http://www.idtheftcenter.org/

[MGB]

When the 1974 Privacy Act was passed, there was tremendous problems with providing a notice of how the SSN would be used every time it was required (I was in the military at the time and every piece of paper had these huge notices on them because your military ID number was your SSN). When I returned to the Univ. of Wis. the next year, they got around the law by using a 10-digit ID number which was just your SSN plus one more digit (I think it was calculated from the prior 9). They only provided the notice when you enrolled this way.

I have been very concerned about this lately with electronic funds transfers. I've been paying bills for the past 9 years through CheckFree. When I recently moved and changed banks to SunTrust, they would list the transactions on my bank statement as coming from a transfer identified by my SSN (they did the same thing with automatic deposits). This is the first bank (I've done this with a few) that reported it this way. I complained because here I had a bank statement in an unsecure mailbox with my address, SSN and account numbers all in one. They claimed they couldn't change their system -- I changed banks.

And yes, the federal proposed law on this (I would have been able to tell the bank not to do this under the proposal) is still alive and could come out of committee in the future.

[Jbentz]

The 1974 Privacy Act concerns only the use of SSNs by the government, not an insurance company or provider. I had our privacy attorney review our use of them under Indiana and federal laws a few months ago, and we can require a patient to provide it to us. It falls under the HIPAA definition of Protected Health Information (PHI) and therefore would be protected along with all the other information and not disclosed outside the clinic's use without the information being posted in our Notice of Privacy Practices or without written authorization.

Without posting a huge HIPAA sermon, i do not think there is any recourse for the employees. I do not know about the any possible legislation, however. I agree iwith mroberts and think some burden is on the person carrying the card.

[MGB]

This was the federal bill proposed last year (hasn't gotten very far):

The Social Security Number Privacy and Identity Theft Prevention Act (S. 848 and H.R. 4857) introduced by Senators Diane Feinstein

(D-CA) and Judd Gregg (R-NH) in the Senate and by representatives Clay Shaw (R-FL) and Robert Matsui (D-CA) in the House of Representatives.

Except for certain required uses of an SSN (tax reporting, etc.), no other organization may use or obtain an SSN without the affirmatively expressed consent of the individual. Even with consent, the SSN could not be publicly displayed (sounds like a grey area whether printed on a card is public).