I received an above average amount of responses to last week's email addressing patient forms, and collection of data, in particular to my point that if office policy requires identification of a social security number, that is okay, and acceptable office policy. Many of the comments were questioning whether HIPAA even authorizes maintenance of social security numbers, which it does, see below, other comments were dismay over a business taking on the responsibility of securely maintaining social security numbers given the higher risk of identity theft issues, etc. Given the response, I thought this topic deserved more attention.
First to HIPAA - from OCR's FAQs -
Yes. The HIPAA Privacy Rule permits covered entities to disclose the amount and type of protected health information that is needed for public health purposes. In some cases, the disclosure will be required by other law, in which case, covered entities may make the required disclosure pursuant to 45 CFR 164.512(a) of the Rule.
For disclosures that are not required by law, covered entities may disclose, without authorization, the information that is reasonably limited to that which is minimally necessary to accomplish the intended purpose of the disclosure. For routine or recurring public health disclosures, a covered entity may develop protocols as part of its minimum necessary policies and procedures to address the type and amount of information that may be disclosed for such purposes. Covered entities may also rely on the requesting public health authority’s determination of the minimally necessary information.
Social Security Numbers for payment - a few responders indicated reluctance to capture socials, but pointed out it is necessary because socials are still used by certain payors as the main patient identifier, while other commercial payors use the de-identified insurance ID. An informed responder indicated socials may go by the way-side sooner rather than later.
What I have taken from the exchanges is if your practice is not one where socials are required for processing, may be best to forego requesting socials on file. If you feel more comfortable for collection purposes to have on file, you are authorized to request and maintain.
While on the topic of patient history forms, please be aware that as you update or revise your patient history forms, CPT 2015 now requires documentation of any military history to be recorded.
So remember to either update a field in your EHR or on your paper forms.