Do Health Care Providers Need Your SSN?

The U.S. Social Security Number (SSN) was introduced in the 1930s as an identifier for the (then new) Social Security program, whose official name is actually the “Old-Age, Survivors, and Disability Insurance program” (OASDI). As you’ve no doubt read, the SSN was never intended to be a globally unique identifier (GUID), but has de facto sort of become one, even though it is not necessarily unique and certainly is not global.

SSNs are treated as GUIDs when it comes to credit-related actions, since the “big three-and-a-half” credit agencies (Equifax, Experian, TransUnion, and sometimes Innovis) all use the SSN as a primary identifier, as does Chex Systems, which provides similar services for deposit accounts (for writing checks, etc.). From their perspective, this makes sense: an SSN is a nice, short, invariable value, unlike names (Robert? Rob? Bob? Bobby? Bobbie? etc.).

As privacy threats have evolved, we have become more protective of our SSNs. Most of us can remember when we used to be told to list our SSNs on our checks, to make them easier to use in stores. We don’t do that anymore, nor do most folks write checks for retail purchases, so that usage quietly faded away.

Going back further, I recently came across a box of old papers that included some of my wife’s college papers from the 1970s. There at the top of each was her name and SSN! Universities switched to student ID numbers long ago, so this is also an obsolete usage, as are most other non-government uses outside of credit reporting.

However, one area still uses SSNs far more than it should: health care. Most health insurance companies long ago figured out that using them as GUIDs was a bad idea, both for security reasons and because they have “repeat customers”—folks who have their insurance, leave, and return: the insurance company does not want to intermingle old and new records! But both hospitals and doctors’ offices routinely ask for SSNs. Having spent far more time than I care to think about dealing with health care providers in recent years, it’s been my experience that hospitals are typically fine if you tell them “We do not share that”.

Some doctors, however, are obdurate—forcing a choice between providing the number or leaving. When pressed to justify their position, answers vary. Some of them relate to collecting money they are owed for service. This dates back to a 2007 law called the Red Flags Rule, which attempts to reduce identity theft by requiring creditors to collect SSNs and other PII to prove a borrower’s identity. Failure to comply can result in fines.

However, after protests from health care providers, who do not consider themselves creditors in the traditional sense, Congress exempted them from the Rule in 2010. Some doctors (or their office managers) still like the idea of having this information “just in case”; others don’t much care, but are using practice management software that requires an SSN to create a patient record. (And in case you’re tempted to avoid the problem by providing a false SSN, don’t do that: it’s a crime.)

Once you turn 65, your Medicare number currently contains your SSN, cleverly disguised by adding a trailing character after the last digit. Medicare says this is changing soon, which should be interesting. Since you don’t really have any choice about providing your Medicare number, it at least resolves the dilemma—albeit not happily.

The fundamental problem is that medical practices are not IT shops, and typically either do not have proper protection for sensitive data, or at a minimum cannot describe the protection convincingly. As such, it is entirely reasonable for a security-minded person to be chary of providing an SSN, even to a doctor you would trust with your life. Identity theft is no fun, and medical providers are particularly rich targets, because thieves can also monetize the information to enable health care fraud—folks pretending to be you so they can receive medical treatment and bill it to your insurance. While that’s unlikely to cause you direct problems (it’s typically pretty easy to prove that you did not, indeed, have a brain transplant 1,000 miles from home last week), it does require some effort to straighten out, and of course costs everyone indirectly.

About the Author
Phil Smith III is a distinguished technologist and Senior Architect & Product Manager, Mainframe & Enterprise, at Micro Focus, formerly HPE Software. He is the author of the popular blog series, Cryptography for Mere Mortals.
