Does it really matter how many providers the number has been shown to, as long as the database that links that number to identifying information is kept under tight security? It is that identifying information that is not readily available. Now if the patient chooses to reveal identifying information to the provider in addition to the health plan beneficiary number, that is done with the patient's consent and the health plan is not responsible.
-----Original Message----- From: David Blasi [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 05, 2002 6:33 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: Obtaining social security numbers I think we are coming at this from two different perspectives. I'm guessing from your e-mail address that you are looking at it from the research perspective. This is especially relevant since the majority, if not all health plan reporting will be to the plan sponsor or their business associate. Your comments make sense from the research perspective about your need to issue and support your research and reports. However, from a health plan administration perspective, the number we are talking about assigning is not the SS# in 164.514(b)(2)(i)(H), but it is a "health plan beneficiary number" as is noted in 164.514(b)(2)(i)(I). You can make the argument that this number is not "reasonably available"and do your statistical analysis as you noted under 164.514(b)(1), but this is only good for a health plan for a period of time. When the SS# was first issued, it was also not reasonably available. When an employee has been with a plan for many years and has been showing that number to umpteen providers as well as HR reps, is it still not reasonably available? Please see the comments on 82709 "The risks of disclosure increase as the number of external resources increases.." That is essentially what happened with the SS# to the point where it is considered identified. Research reports, identifiers and the underlying records are much more likely to remain de-identified. I guess the point I was trying to get across is that the New# is PHI at some point, just as much as the SS#. A health plan or its business associate needs to evaluate how it will protect it. >>> "Clay III, Roy G. (MCLNO)" <[EMAIL PROTECTED]> 02/05/02 05:33PM >>> I have to disagree with both of you. Although what you say is correct in terms of the language in 164.514(b)(2), HHS gives you and alternative in 164.514(b)(1) where you can develop your own method of de-identifying the data and document by statistical analysis that the method is effective. For example, you could follow the procedure in 164.514(b)(2) except that you add a key field that allows you to index the data against a database of identifying information. That means that 164.514(b)(2) can not be the basis of your information being de-identified. But then you document that access to the database with the linking index to the identifiable information is restricted to only those who were identified in the patient's consent to disclose and that can be considered de-identified since the identifying information is not "reasonably available" as defined in 164.514(b)(1)(i). -----Original Message----- From: Dennis Melamed [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 05, 2002 3:00 PM To: David Blasi; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: Obtaining social security numbers Mr. Blasi's point is right on target. If you create another number which identifies a patient, you have not de-identified the data. This activity falls under the omnibus provision (section R) of the safe harbor for de-identified data. Simply substituting another number for the SSN is not enough. Even if you bury the key so no one can convert that number, you have still created an identifiable number and thus do not have de-identified data. That's straight from senior HHS officials. There is no equivocation on this point. The SSN has its own problems above and beyond those mentioned in earlier emails. Also remember that the HIPAA Privacy Rule does not have to be implemented until April 2003. Of course, these people may be referring to some other state or federal law. But I'm not aware of how the federal Privacy Act would affect you. That governs federal agencies and their contractors, not the private sector. Dennis Melamed Editor Health Information Privacy Alert (202) 296-3069 -----Original Message----- From: David Blasi [mailto:[EMAIL PROTECTED]] Sent: Tuesday, February 05, 2002 1:41 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: Obtaining social security numbers I agree that each plan can make a business decision to move away from the SS#, but I don't see how that helps you avoid any responsibilities under the privacy rule. You are just creating another identifier that could be used to identify an individual and their health information. If you put your proprietary number on the ID card which then gets matched up against clinical information for billing purposes and all subsequent claims information (EOB's), how is that new identification number not PHI? PHI can be many things beyond SS#. It can be a URL, ISP, etc. I'd consult with your counsel to make sure you aren't making an incorrect assumption that you can avoid certain responsibilities just by not using a SS#. >>> "Beth Kranda" <[EMAIL PROTECTED]> 02/05/02 12:40PM >>> While I agree with David that the use of an SSN simplifies COB, I have also taken the position of eliminating the SSN as ID number. In the definition of Payment and in section 164.514 on de-identification, the SSN is referenced as an element that is considered PHI. Some have interpreted this to mean it is then protected, and taken that further to imply that, if the ID card has the SSN on it, it is then considered PHI and subject to the same type of protection requirements as the clinical record. Not sure if this is true, but certainly, reporting is easier if you have a unique identifier that is not the SSN with which to tie de-identified information back to a member. As for the HEDIS problem, this simply means your company needs a "person ID" to tie a person's health history together across systems and across enrollment records. While convenient, it is not necessary to use the SSN to accomplish this. This is one of those decisions that needs to be driven by the legal and business issues. My guess is that the "Privacy Act" this patient cited is state based or some other provacy legislation, not HIPAA. Most of the general public is still not aware of HIPAA's rules. All of the Health Plans I have talked to in Indiana are moving away from the SSN. -- M. Beth Kranda Sr. Project Consultant and Privacy Director OASYS t- (317) 614-2139 f- (317) 614-2001 e- [EMAIL PROTECTED] info- www.oasys.com David Blasi wrote: > Don't see this as a HIPAA Privacy Rule requirement. In fact, until > there is an alternative individual identifier, each plan or provider > assigning a proprietary number to identify an individual creates even > more confusion than we currently have. Especially in COB situations. > But, are you in California? California recently passed SB 168 regarding > the use of SS#'s. However, the law does allow use of SS# for "internal > verification or administrative purposes." This is what most plans or > providers use the SS# for anyway. What it will require is for a plan or > provider to take a look at notifications sent or ID cards used. Have > your counsel take a look at this bill or similar bills proposed in other > states. Essentially, you can prepare a response that states you are > permitted to use SS# in certain limited situations, such as eligibility > and claims payment. > > >>> "Waterhouse, Melissa" <[EMAIL PROTECTED]> 02/05/02 09:33AM > >>> > Recently, we have been experiencing resistance from members when we > request > their social security number and the numbers of their dependents. > Several > letters from employees quote The Privacy Act. We are considering not > requiring dependents socials but this could negatively impact HEDIS > numbers > since SSN's are the only way to track continuous enrollment. > > I am wondering if other health plans are also experiencing this and if > they > decided to not require social security numbers or have moved to using > another identifier. > > Thank you, > Melissa Waterhouse > SummaCare Health Plan > > ********************************************************************** > To be removed from this list, go to: > http://snip.wedi.org/unsubscribe.cfm?list=privacy > and enter your email address. > > ********************************************************************** > To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy > and enter your email address. CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.
