April 26, 1993 Mrs Hillary Rodham Clinton, Chairperson Health Care Reform Task Force The White House 1600 Pennsylvania Ave., NW Washington, DC 20550 Dear Mrs. Clinton, We are writing to you regarding privacy protection and the anticipated report of the Health Care Reform Task Force. There are many privacy issues in the management of medical records, but one issue we are specifically concerned about is the possible use of the Social Security Number as a patient identifier. It is our belief that the SSN should not be used for medical record identification and that an alternative identification scheme must be developed. Now is the right time to develop an appropriate identification scheme. A good plan will serve the goal of streamlining health care administration while avoiding the risk inherent in the use of the Social Security number. A poorly designed system will create privacy problems for many years to come. There are several reasons we believe the SSN should not be used as a patient identifier. First, the widespread use of the SSN has led to an increase in credit and banking fraud and invites many types of abuse. A recent decision from a federal appeals court said simply that "the harm that can be inflicted from the disclosure of a SSN to an unscrupulous individual is alarming and potentially financially ruinous." For this reason, the Social Security Administration has said that it opposes new uses of the SSN for record identification. Second, the use of the SSN increases the likelihood that medical information will be improperly disclosed to insurers, employers, and others. Direct marketing firms use the SSN to link discrete records about individuals. While it may be appropriate to collect the SSN for some purposes, there is no reason that it should be publicly disseminated. Third, section 7 of the Privacy Act of 1974 creates a presumption that the Social Security number should not be used for record- keeping purposes unrelated to Social Security and taxation. Congress recognized the dangers of widespread use of the SSN as a universal identifier. The Senate report stated that the widespread use of SSNs is "one of the most serious manifestations of privacy concerns in the Nation." Since passage of the Privacy Act, concern about SSN confidentiality and misuse has become even more compelling. Fourth, from a technical viewpoint, the SSN is not a good identifier. It is not unique, there are multiple users of a single SSN, and the absence of certain technical features makes it difficult to determine whether a random nine-digit number is in fact an SSN. The use of the current SSN as a patient identifier will likely lead to record misidentifications that could otherwise be avoided. Many organizations that provide comprehensive health services do not use the SSN as a patient identifier. For example, the Harvard Community Health Plan, with over half a million subscribers, uses a separate number for patient identification in its automated records system. The SSN is collected for administrative use but is not publicly disclosed. Also, when Canada confronted the issue of patient record identification several years ago, the province of Ontario decided not to use the Social Insurance Number, and instead to develop a separate Medical Identification Number. Ontario also passed legislation restricting the use of the MID for health care purposes. We believe that a similar approach, based on an identification scheme unique for medical records and supported by clear legal safeguards, should be pursued in the United States. The protection of privacy is a critical part of the delivery of quality health care services. Patients and health care providers both require the assurance of confidently so that accurate and complete information will be available for diagnosis and ongoing patient care. Absent clear safeguards for privacy protection, patients may not be forthcoming about potentially embarrassing but medically relevant facts which providers should know. For these reasons, privacy protection must be incorporated into the recommendations of the Health Care Reform Task Force. Identification schemes that diminish the confidentiality of patient records should be avoided. In spite of the superficial attractiveness of the SSN, we urge the Health Care Task Force to state clearly in the anticipated report that the Social Security Number should not be used as a patient identifier. We would be pleased to meet with those members of the Task Force that you have asked to examine privacy concerns, and also to work with you personally or any other members of your staff regarding the problems with the use of the SSN. Sincerely yours, Marc Rotenberg, Director, CPSR Washington office Professor Eric Roberts, Department of Computer Science, Stanford University; President, Computer Professionals for Social Responsibility (CPSR) Janlori Goldman, Director, ACLU Privacy and Technology Project Evan Hendricks, Chair, US Privacy Council Sheri Alpert, author, "Medical Records, Privacy and Health Care Reform" Michael S. Baum, Chair, EDI and Information Technology Division, Section of Science and Technology, American Bar Association Professor Mary J. Culnan, School of Business Administration, Georgetown University Simon Davies, Director General, Privacy International Jack Esbin, Secretary, Association of Computing Machinery Professor Oscar Gandy, Annenberg School for Communication, University of Pennsylvania Marc Greidinger, plaintiff in Greidinger v. Davis Chris Hibbert, Chair, CPSR Palo Alto Civil Liberties Working Group Professor Lance Hoffman, Department of Electrical Engineering and Computer Science, George Washington University Jim Horning, Systems Research Center, Palo Alto, Digital Equipment Corporation Larry Hunter, Chair, CPSR/DC Professor Gary Marx, Director, Center for the Social Study of Information Technology, University of Colorado Peter G. Neumann, Principal Scientist, Computer Science Laboratory, SRI International Amy Pearl, Member of Technical Staff, Sun Microsystems Professor Henry H. Perritt, Jr., Villanova University School of Law Professor Priscilla M. Regan, Department of Public and International Affairs, George Mason University Virginia Rezmierski, Information Technology Division, University of Michigan Professor Ron Rivest, Laboratory for Computer Science, MIT Professor Rohan Samarajiva, National Regulatory Research Institute, Ohio State University Barbara Simons, Chair, ACM Public Policy Committee Robert Ellis Smith, Publisher, Privacy Journal Professor George Trubow, John Marshall School of Law A. Joe Turner Fred W. Weingarten, Executive Director, Computing Research Associates Paul Wolfson, staff attorney, Public Citizen Litigation Group (Affiliations listed for identification purposes) cc: Ira Magaziner Dennis Steinhauer, NIST