
Baptist Healthcare Bans SSNs to Reduce Risk, Please Patients

July 31st, 2015

As soon as Americans get Social Security cards, they’re told to guard them with their lives, as lost or stolen Social Security numbers (SSNs) raise the stakes for financial fraud and identity theft.

So why, patients started asking Baptist Healthcare, was the South Florida system regularly asking for their SSNs? Why indeed, wondered Baptist officials.

In the hands of criminals, SSNs are the Holy Grail of protected health information (PHI), and administrators at the six-hospital system reasoned that Baptist did not always need to hold them at all. Where the numbers might still be needed, their use could be severely restricted and work-arounds developed.

And so began a three-year odyssey to scrub SSNs from the hospital system’s electronic records, forms and other documents. The effort has succeeded to the point that so few numbers should remain in use that Baptist launched a “scavenger hunt,” complete with prizes, to ensure SSNs don’t creep back in.

Mercy del Rey, Baptist’s chief privacy officer, briefly described getting rid of SSNs during a session with other privacy officers at the recent 23rd National HIPAA Summit in Washington, D.C. (RRC 4/15, p. 1). She also provided additional details to RPP after the meeting.

Removing SSNs Is ‘Data Cleansing’

How Baptist went about the process may spur others to undertake similar actions. Such efforts may be especially worthwhile in light of increasing data breaches, and they serve as a relatively inexpensive way to strengthen safeguards around PHI. HIPAA consultant John Gomez tells RPP that banning or reducing the use of SSNs is a form of “data cleansing,” a strategy that he recommends.

Del Rey tells RPP the reasons Baptist removed SSNs centered on “patient safety and security.”

“With the increase of identity theft and medical identity theft, patients were questioning why this information [SSNs] appeared in their record,” she says. “Although this was sometimes a technically challenging process for us, we knew [removing them] was the right thing for our patients.”

In July 2013, Baptist announced a breach at one of its medical centers, South Miami Hospital, the result of a theft of more than 800 medical records by a respiratory therapist. During 2011 and 2012, the therapist sold PHI, including SSNs, to two men who filed false tax returns. “We began removing the SSNs from our system before the 2013 breach,” del Rey tells RPP.

When pressed a little further about whether there was a connection between the SSN removal and the medical records theft, a spokeswoman for the system told RPP by email that “Baptist Health generally doesn’t provide public comment on specific timeframes or other specific details surrounding implementation of compliance projects.”

Hunting for the ‘Source’

To get started, Baptist systematically “analyzed our clinical systems to determine where and why [an] SSN was present,” she explains. “A methodical approach was then followed to review all clinical systems to identify the location of the source where SSNs resided in order to ultimately remove it from that system.” If the source of the number isn’t found, it “could potentially reappear in a report or be sent to another system during an interface,” del Rey says.

It took three years to “remove all of the SSNs from all of our clinical systems,” a task del Rey described as “tough.”

“As mentioned during the conference, many of our clinical systems are legacy systems that have been in place for a very long time, so we had to carefully begin our analysis,” she says.

Baptist also recognized that officials couldn’t stop there. “As we have removed SSNs from particular systems or other records, we have provided our staff with additional appropriate training,” del Rey says.

Del Rey also tells RPP that, on top of the “basic HIPAA training that all workforce members receive, we have focused education on areas that have highly sensitive patient information as well as strict role-based security where we constantly re-evaluate the need for that access.”

Baptist officials, she adds, “also run criminal background checks on all employees, which includes those members of our workforce who will have access to PHI.”

Perhaps ironically, given that Social Security numbers are precisely what criminals use to commit identity theft, del Rey says “[one of the biggest] challenges we faced involved the use of the SSNs to assist with the accurate identification of a patient.”

Del Rey points out that “many patients in our service areas have the same name with similar demographics so in the past we relied on the SSNs as one of the identifiers. Once we made these changes, our processes focused on other demographics and the use of only the last four digits in those cases where patients shared similar demographic data.”

Not all uses can be eliminated. For example, when SSNs appear “in billing systems where the Medicare identification number is the individual’s SSN, [Baptist officials] restrict access and have provided staff that do need access with additional training on safeguards and sensitivities regarding the use of SSNs,” del Rey says.

The government has made little progress in developing a unique patient identifier; calls for this have been renewed. Congress recently told HHS to remove SSNs from Medicare cards (see box, p. 4).

During the summit discussion, del Rey stressed the value of positive reinforcement as a form of workforce training. When it comes to the SSN issue, Baptist developed a special contest, or a scavenger hunt, under which employees call del Rey’s office if they find an SSN, for which they receive a special gift — a tiny cup used for Cuban coffee.

Scavenger Hunt Is a Win-Win

“We have had employees find them through our scavenger hunt,” del Rey reports. “This is a win-win scenario for our patients, our employees and our organization. Our patients’ information is further secured, our employees are actively engaged in our compliance activities and are recognized for their efforts and finally our commitment to protecting our patients’ information is reinforced throughout the organization.”

John Gomez, former chief technology officer at Allscripts Healthcare Solutions and WebMD, tells RPP that removing SSNs and other sensitive data — especially if it’s not needed — is a good compliance strategy. Gomez, founder and CEO of the cybersecurity firm Sensato, Inc., says this is a type of “data cleansing.”

Gomez adds that even though it took Baptist three years to do this, “it’s probably a cheap thing to do” and is among the more basic strategies that CEs can undertake without costly IT investments.

He also likes the idea of getting all staff involved in searching for SSNs. Such programs, he says, make it clear to the workforce that “this is our data. We own all that” and spread the sense that each worker has a responsibility to safeguard the PHI.

As Baptist’s experience shows, removing the SSNs and keeping them from creeping back in takes a redesign of paper forms, a blocking of data fields that ask for them and other IT fixes. It also takes a concerted effort to stop staffers from creating new forms as well as adding new software or programs that ask for them.

As del Rey says, “It’s important to note that this review, though, really never ends. When any new system is being implemented, the use of the SSNs is assessed and evaluated as part of our routine reviews.”
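The discovery and containment steps del Rey describes (finding where SSNs reside so they do not resurface in reports or interface feeds, keeping only the last four digits where patients share demographics, and checking every new form or system for fields that ask for an SSN) can be reduced to a small scanner that a privacy office can run over exports on a recurring basis. The following Python is an added example and is not Baptist’s code or any product mentioned in the article; the field-name hints, the sample records and the interface line are constructed for illustration.

```python
import re
from typing import Iterable

# Nine digits in the common layouts: 123-45-6789, 123 45 6789, 123456789.
# The digit lookarounds stop it matching inside longer runs (phone numbers, MRNs).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Field names that suggest a form or schema is collecting an SSN (assumed list).
SSN_FIELD_HINTS = ("ssn", "social_security", "socialsecurity", "soc_sec", "social security")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the Social Security Administration never issues
    (area 000, 666 or 900-999; group 00; serial 0000) to cut false positives
    on other nine-digit values such as account numbers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return every plausible SSN (digits only) found in free text, e.g. a
    report line or an interface message passing between systems."""
    return ["".join(m.groups()) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits, the form retained for disambiguating
    patients with matching names and demographics."""
    digits = re.sub(r"\D", "", ssn)
    return "***-**-" + digits[-4:]


def flag_ssn_fields(field_names: Iterable[str]) -> list[str]:
    """Flag form or schema fields whose name suggests they ask for an SSN,
    so a new system can be reviewed before it reintroduces the number."""
    return [f for f in field_names if any(h in f.lower() for h in SSN_FIELD_HINTS)]


def scan_records(records: list[dict]) -> list[dict]:
    """Walk exported records and report each field holding a plausible SSN.
    The value is masked in the finding so the report itself is safe to log."""
    findings = []
    for rec in records:
        rec_id = rec.get("id", "?")
        for field, value in rec.items():
            for ssn in find_ssns(str(value)):
                findings.append({"record": rec_id, "field": field, "masked": mask_ssn(ssn)})
    return findings


# Constructed sample data: an export with one stray SSN hidden in a notes field,
# several nine- and ten-digit values that are not SSNs, and a record that keeps
# only the last four digits.
SAMPLE_RECORDS = [
    {"id": "R1", "name": "Jane Doe", "notes": "Verified by SSN 123-45-6789 at intake"},
    {"id": "R2", "name": "John Roe", "account": "900123456"},   # area 900+: not an SSN
    {"id": "R3", "name": "Ana Perez", "phone": "3055551234", "mrn": "000123456"},
    {"id": "R4", "name": "Ana Perez", "ssn_last4": "6789"},      # only last four kept
]
SAMPLE_SCHEMA = ["patient_name", "dob", "SocialSecurityNo", "mrn", "ssn"]
# Constructed pipe-delimited patient segment of the kind an interface might carry.
SAMPLE_INTERFACE_MSG = "PID|1||00012345^^^MRN||DOE^JANE||19800101|F|||||||||||456-78-9012"

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"record {f['record']} field {f['field']}: {f['masked']}")
    print("fields to review:", flag_ssn_fields(SAMPLE_SCHEMA))
    print("SSNs in interface message:", [mask_ssn(s) for s in find_ssns(SAMPLE_INTERFACE_MSG)])
```

Run against a periodic export of each clinical system, a scan like this answers the question del Rey raises: whether an SSN is still present somewhere upstream and able to reappear through a report or an interface. The field-name check is the cheap guard for the "review never ends" step, run against the schema of any new form or software before it goes live.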

Reprinted from REPORT ON PATIENT PRIVACY, the industry’s #1 source of timely news and business strategies for safeguarding patient privacy and data security.

Featured Health Business Daily Story, May 13, 2015
