Health Information Compliance Alert

Published on Thu Oct 04, 2012 PDF

Follow these expert tips to keep your patients happy while ensuring your practice gets paid.

Patients are getting wary of sharing their social security number (SSN) for fear of falling prey to medical ID theft. But not having a SSN on file could mean you'll have trouble billing a patient's insurance. Make the most of what our experts advise on when to collect the SSN.

1. Collect Only When Necessary

Experts suggest that practices should not collect SSNs unless absolutely necessary. Some insurance companies still require SSNs for billing purposes (for example, some still use SSNs as patient ID numbers). But if the patient's insurance does not require the information on your claims, you should protect your practice by not collecting the SSN.

"Unless the person is on Medicare or in the armed forces, the need to use social security numbers is no longer necessary," says Ester Horowitz, CMC, CITRMS, certified management counselor and owner/practice marketing advisor with M2Power Inc. in Merrick, N.Y. "While many organizations still push for such, both out of habit and for skip tracing purposes mostly, it is no longer needed."

It's a good security protocol for your practice not to collect more information than you need. If you are asking for a social security number, but not actually using it for billing and collections, reconsider whether you really need to collect and maintain that information.

"It's better not to collect them unless you need them for insurance purposes (Medicaid, Medicare) because they are prime information for identity thieves, and if your information security is breached, you will have to report the breach under state law as well as the HIPAA Breach Notification Rule," warns Jim Sheldon-Dean, Director of Compliance Services with Lewis Creek Systems, in Charlotte, Vt.

Some practices may choose to continue collecting social security numbers to help with collecting from the patient himself, too. Some third-party collectors use SSNs to track down patients with past-due accounts. You may need social security numbers to verify patient identity and avoid contacting the wrong person when collecting on past-due accounts.

Critical: If you do either choose to collect social security numbers or you are required to by a payer, you need to protect the information. "Make sure you provide the same protections for SSNs as for protected health information (PHI)," Sheldon-Dean says. "Ensure your records and systems are secured properly, and don't use the SSNs internally if you can avoid it."

2. Don't Fight the Patient

If a patient refuses to supply his social security number, many practices choose not to press the issue and risk upsetting the patient.

"We still ask for a patient's SSN," says Elizabeth Hollingshead, CPC, CUC, CMC, CMSCS, corporate billing/coding manager of Northwest Columbus Urology Inc. in Marysville, Ohio. "If they refuse, we don't press it unless their insurance company requires it."

"We still try and collect but if patient refuses to give [the social security number], we do not make a big deal out of it unless they have one of the rare insurance carriers, such a Tricare, that still uses it as their ID number," agrees Susan A. Billock, patient accounts manager for Certified Emergency Medicine Specialists, PC in Grand Rapids, Mich.

You can also provide the patient a document that explains why you collect patient SSNs, your agreement to not share the information for reasons other than by law or for billing/collections purposes, and the ways you protect the data you collect. A simple statement such as "This notice is to help you understand the purpose for our collection of your social security number and the measures that we take to ensure that your information is not disclosed." can make even wary patients feel better about providing personal data.

No insurance? "If there is no insurance coverage, you need to have good ways of collecting, and an SSN can help with that," Sheldon-Dean says. "But if the patient pays upfront, there should be no need for a SSN. Only collect the data you actually need for that patient."

3. Implement Self-Pay Policy If You Can't Get the SSN

If a patient refuses to provide an SSN, you can require the patient to pay upfront, especially if the SSN is required for billing the patient's insurance.

"I've had a few people whose ID is still their SSN and they don't want to give it to us," Hollingshead says. "I just tell them to get their check books out because they're self pay at that point. They can file it to the insurance company themselves. They normally change their tune."

Check your state laws: There may be individual state laws about whether or not practices can collect SSNs. Also, the Social Security Administration states that patients can refuse to give their SSN.

"No reg gives specifics about the use and disclosure, only that the organization demonstrate good faith to protect it," Horowitz says. "The methods and levels of risk are different for everyone."

Bottom line: "Avoid SSNs if possible," Sheldon-Dean says. "If you need to keep them, see if there is some way the file can be encrypted, and have good information security practices and procedures to protect any systems that use or hold SSNs. Fully complying with the HIPAA Security Rule can go a long way toward minimizing SSN issues."