Apr

28

More HIPAA Myths:  Much Thanks to the Industry

It is not uncommon for me to recommend clients pay attention to health care association publications, related industry publications, web sites and the like for HIPAA clarification, regulatory updates and compliance tools. As with all information, though, it is wise to question. If you find the information suspect, it is a good idea to ask around and even check out the actual regulation itself.

In the April 2010 issue of VSP’s newsletter, “VSP Member News,” member providers (generally optometrists, ophthalmologists, etc.) were informed that it was a HIPAA violation to request the patient’s full social security number (in this case a member of VSP’s vision insurance plan). The reality, though, is the social security number is as specially protected as the patient’s full name, the patient’s address, the patient’s diagnosis, the patient’s e-mail address and all other identifiers listed in the HIPAA Privacy Rule.

There are states that prohibit the use and disclosure of social security numbers for certain purposes. There are also state laws that include the social security number in that set of data that, if breached, would trigger a mandated reporting to the individual. These are state requirements and cannot necessarily be generalized to all situations where social security numbers may or may not be disclosed. Also, this has nothing to do with what is PHI and what HIPAA requires or prohibits.

It is true that if the last four digits of the social security number will suffice, and the purpose of use and disclosure is for other than treatment (always with a few additional exceptions), the minimum necessary standard must be met and only the last four digits of the social security number used and disclosed. On the other hand, physicians and other health care professionals are often advised by medical, specialty and other health care associations to request the full social security number from the patient to be used in the event the patient’s account is referred to a collection agency (in this case the collection agency would be a business associate) because the patient did not pay his or her bill. When it comes to collection activity, the social security number is often key to successful collection of unpaid medical bills (or at least key to locating the patient).

Healthcare operations related activity is specifically allowed by the HIPAA Privacy Rule. Collection activity is considered healthcare operations. As long as the use of the full social security number meets the minimum necessary standard, health care professional are not restricted from asking for it or using and disclosing it. Even if your association, your industry organization or other purported authority indicates it is so, if you have your doubts, it is a good idea to check it out. Just as with the VSP April 2010 publication, “legal” pronouncements are not necessarily true and can assist in furthering already existing HIPAA myths. Just like with the products and services you buy, it is a “buyer or reader beware” market when it comes to the written word.

And if you’re curious – check out VSP’s provider home page at https://www.vsp.com/cms/provider/provider-home.html. I doubt you will find a copy of the provider newsletter accessible from the Web site but maybe you can find out what VSP is saying when it comes to regulatory compliance.