Providers Use of Patients' Social Security Numbers

VHCA (6/20/2008)

Some health care providers recently received misleading information regarding 2008 changes to Virginia law regarding providers’ use of patients’ social security numbers (SSNs).  We want to clarify for providers what their responsibilities are in this respect.  While there were 2008 amendments to the Virginia Personal Information Privacy Act (§59.1-443.2), they did not change the 2005 law governing health care providers’ use of SSNs.  As enacted in 2005, the law prohibits:

• Providing another person’s SSN to the general public
• Requiring the SSN to be on a card in order to receive products or services
• Requiring a SSN for access to a website unless another authorization device is also required for access
• Displaying a SSN in view on envelopes or packages

The statute also prohibits the use of an encrypted or unencrypted SSN on documents, including use in bar codes, chips, magnetic strips or other technology.

However, the statute continues to allow the collection, use or release of a SSN as permitted by state or federal law or the use of a SSN for “internal verification or administrative purposes” unless such use is prohibited by state or federal law. 

Thus, health care providers must protect SSNs from public access and should not display SSNs on wristbands or elsewhere where they can be seen by the general public.  However, providers still may use SSNs as necessary in connection with providing care and conducting their operations within accepted standards of health care practice.  Additionally, the law allows use of SSNs as an identifier for patient level data system and other reporting required under state law where public access is prohibited.   

Again, these requirements continue in effect as enacted by the General Assembly in 2005; the 2008 amendments have not changed them.