NEW SENATE BILL PROVIDES PROTECTION AGAINST IDENTITY THEFT

California Senate Bill 168 Use of Social Security Number

Background

The new California Law SB 168 regulates the usage and disclosure of individual social security numbers. It is intended to provide additional protection against identity theft by limiting the use of an individual's social security number. This law is not limited to the Health Care Industry but applies to all persons or entities that use social security numbers to identify an individual. All federal, state and local agencies are exempt.

The intent of the law is to protect California residents. Consequently, all persons or entities that communicate with individuals by US mail or via the internet and use or disclose an individual's social security number may need to comply with the law by the relevant effective dates for its California population.

The law does not apply to individuals who travel to California but reside in another state. In addition, the law does not prohibit the collection of social security numbers nor does it apply to communications that take place between health plans, employers, and healthcare providers. Social security numbers can still be used for internal verification or administrative purposes so long as the use does not result in the public display or disclosure of the number in violation of requirements outlined in SB 168. Social security numbers can also still be used when it is required under state or federal law.

Restrictions

SB 168 prohibits persons or entities from engaging in the following activities:

  1. Publicly posting or displaying in any manner an individual's social security number;
  2. Printing an individual's social security number on any card required for the individual to access products or services provided by the person or entity (the ID card requirement);
  3. Requiring an individual to transmit his or her social security number over the Internet unless the connection is secure or the social security number is encrypted;
  4. Requiring an individual to use his or her social security number to access an Internet web site unless a password or unique personal identification number or other authentication device is also required; and
  5. Printing an individual's social security number on any materials that are mailed to the individual, unless state or federal law requires the inclusion of the social security number on the document to be mailed. However, applications and forms sent by mail may include social security numbers.

Definitions

SB 168 applies to health care entities which includes health care service plans, health care service providers, insurers, pharmacy benefit managers or contractors.

SB 168 also applies to non-health care entities which includes employers, agents, brokers, credit reporting agencies, etc. These entities must comply by July 1, 2002 on non-healthcare related functions. For healthcare related administrative functions, these entities should be able to apply the compliance dates for health care entities as shown under "Effective Dates" below.

WellPoint's approach to it's non-healthcare related functions, such as when it is acting as an employer will be to suppress the printing of social security number from July 1, 2002 until January 1, 2004 at which time a unique identification number will be created for WellPoint associates. For our interaction with agents and brokers, such as commission payments, the social security number will be encrypted, where applicable.

Continuous Use Exception For Non-Health Care Entities

SB 168 provides a limited exemption to the prohibition on the use of social security numbers if all of the following conditions are met:

  • The person or entity has used the individual's social security number prior to July 1, 2002;
  • The use of the social security number is continuous. If the use is stopped for any reason, the prohibitions outlined above under Restrictions apply;
  • The individual is provided an annual disclosure, beginning in 2002, that informs the individual that he or she has the right to stop the use of his or her social security number in a manner that is inconsistent with SB 168;
  • A written request by an individual to stop the use of his or her social security number in a manner that is inconsistent with SB 168 must be implemented within 30 days of receipt of the request. There shall be no fee or charge for implementing the request;
  • The person or entity cannot deny services to an individual because the individual makes a written request to stop the use of his or her social security number in a manner that is inconsistent with SB 168.

Effective Dates

Except as provided below for health care entities, the prohibitions of SB 168 apply to the use of social security numbers on or after July 1, 2002. Therefore, non-health care entities, such as employers, agents and brokers must come into compliance by July 1, 2002.

SB 168 provides separate effective dates for health care entities to allow time for testing and implementation of the changes that are required under the law. These dates are staggered between January 1, 2003 through July 1, 2005 for different lines of existing and new business.

The effective dates for individual policyholders are as follows:

  • For existing individual policyholders that are in existence on January 1, 2003, the health care entity must comply with the prohibitions in SB 168 - except for the ID card requirement - on or before January 1, 2003. Health care entities must come into compliance with the ID card requirement for these members on or before the renewal date of the individual's policy between July 1, 2004 through July 1, 2005. Individual policyholders who enroll in a health plan between January 1, 2003 and December 31, 2003 would fall under this effective date as well.
  • For new individual policyholders that are issued on or after January 1, 2004, the health care entity must comply with all of the prohibitions - including the ID card requirement - on or before January 1, 2004 (upon issuance of the policy).

The effective dates for employer group policyholders are as follows:

  • For new employer groups that are issued on or after January 1, 2004, the health care entity must comply with all of the prohibitions in SB 168 - including the ID card requirement - on or before January 1, 2004 (upon issuance of the policy).
  • For employer groups that are in existence prior to January 1, 2004, the health care entity must comply with all of the prohibitions in SB 168 - including the ID card requirement - on or before the group's renewal date between July 1, 2004 through July 1, 2005.

Health Care Provider Compliance

Since health care providers are unable to determine whether policies are existing or new, and have no knowledge of group renewal dates, they are encouraged to discontinue all SSN disclosures on or before January 1, 2003, to ensure compliance.

Blue Cross of California Planning Activities

  • Formation of corporate project team to address all aspects of SB 168 to ensure compliance of all it's provisions
  • Impact assessment of business processes and systems to identify remediation requirements
  • Develop communication plans for members, healthcare providers, employer groups, agents, brokers and other trading partners.
  • Participation on the Blue Cross/Blue Shield Association task force
  • Industry collaboration with the California Health Care Association (HCA), the Hospital Association of Southern California (HASC), and other health plans
  • Monitoring of similar legislation introduced in other states
  • Develop strategy for assigning new individual identifiers to replace existing social security numbers
  • Develop training program for Blue Cross of California associates to ensure privacy protections for our members are properly enforced.

Additional Information

This document is being provided for informational purposes and should not be considered legal advice or relied upon as such. All external entities should review the statute in order to gain a full understanding of, and to ensure compliance with, the law.

Additional information and guidance will be provided, as it becomes available.

A copy of SB 168, which restricts the use of social security numbers, can be accessed at:

http://www.leginfo.ca.gov/pub/bill/sen/sb_0151-0200/sb_168_bill_20011011_chaptered.html. The portion of SB 168 that relates to health care entities will be codified at Cal. Civil Code § 1798.85. The Official California Legislative Information homepage (which provides access to legislative and statutory information) can be accessed at: http://www.leginfo.ca.gov/.