New privacy issue not about HIPAA

CA law affects Blue Cross policies

There’s a new patient confidentiality development access personnel should know about, and it has nothing to do with the Health Insurance Portability and Accountability Act privacy standard.

A California law that took effect July 1, 2002, and is being implemented in phases puts measures in place to protect the integrity of the Social Security number (SSN), among them the prohibition of using the number as an insurance subscriber identifier, points out Liz Kehrer, CHAM, system administrator for patient access at Centegra Health System in McHenry, IL.

In anticipation of a Jan. 1, 2004, deadline for entities providing or administering health care or insurance, Blue Cross Blue Shield (BCBS) is issuing insurance cards for new accounts/policies in 2003 in which a generic number, not the subscriber’s SSN, is used as an individual identifier, Kehrer explains. Beginning July 1, 2005, those entities must comply with all requirements of the law for all individual and group policyholders in existence prior to Jan. 1, 2004.

"Access managers need to start looking at having registrars really double-check those Blue Cross cards and the accuracy of that subscriber ID number," she cautions. "We’re already seeing instances in which the change has been made."

What can happen, Kehrer notes, is that with all other insurance information — group number, mailing address, etc. — the same as on a patient’s last visit, the registrar may neglect to make note of the different subscriber identifier, thus resulting in inaccurate claims.

Her research on the subject, she adds, suggests that it is only a matter of time before similar laws protecting the SSN are enacted in other states.

Under the California law, which is found in Civil Code Sections 1798.85-1798.86 and 1786.60, companies may not do any of the following:

  • post or publicly display SSNs;
  • print SSNs on identification cards or badges;
  • require people to transmit an SSN over the Internet unless the connection is secure or the number is encrypted;
  • require people to log onto a web site using an SSN without a password;
  • print SSNs on anything mailed to a customer unless required by law or the document is a form or application.

Providing background on the unique status of the SSN as a privacy risk, the Office of Privacy Protection in the California Department of Consumer Affairs explains on its web site that the SSN was created by the federal government in 1936 to track workers’ earnings and eligibility for retirement benefits.

Now, however, the SSN is used in both the public and private sectors for myriad purposes totally unrelated to that original purpose, the site points out. That broad use and public exposure of SSNs, it adds, has been a major contributor to the tremendous growth in recent years of identify theft and other forms of credit fraud.

For more information, go to www.cdc.gov/nchs/.