Mayo Clinic (Mayo) is one of the largest not‐for‐profit, academic health systems in the United States, with $14 billion in annual revenue and over 65,000 employees. Mayo’s three “shields” include research, education, and clinical practice, with a focus on caring for patients with serious, complex illnesses. Mayo operates in five states and internationally in London and cares for more than 1 million people a year from all 50 states and nearly 140 countries, with major campuses in Rochester, MN; Scottsdale and Phoenix, AZ; and Jacksonville, FL; as well as the Mayo Clinic Health System across the Midwest.
In 2017, the privacy officer with the Integrity and Compliance Office at Mayo Clinic initiated a project team to identify and mitigate unnecessary risk resulting from a potential data breach by removing certain patient identifiers from its electronic health record (EHR).
An initial assessment identified that in the event of unauthorized access to Mayo’s EHR where the investigation showed compromise of a patient’s Social Security number (SSN); government-issued identification numbers including driver’s license numbers, passport numbers, or state-issued identification numbers; and/or a patient’s financial account number such as bank account numbers or credit card numbers, Mayo would need to provide the industry-standard 12 months of tri-bureau credit monitoring to each affected patient at a significant cost. This service would be in addition to the reporting obligations required under the federal Health Insurance Portability and Accountability Act (HIPAA). Although Mayo was not collecting or storing government identification numbers or financial account numbers in its EHR, it was routinely collecting and storing SSNs in a demographic field. Removing this demographic field and any previously collected data mitigated the risk of identity theft for its patients, as well as the risk of significant costs to Mayo in the event of an incident such as unauthorized access or ransomware.
Similarly, major payers such as Medicare announced plans to discontinue using SSNs on all Medicare cards by April 2019. Healthcare providers that continued to collect, use, and store patient SSNs in the EHR were thereby becoming an industry outlier. At the same time, the privacy team was noting a trend in patient concerns related to public data breaches such as Target and Home Depot and found more and more patients were hesitant to provide their SSNs to register for healthcare treatment. A 2019 Forbes article, “Everyone’s Social Security Number Has Been Compromised. Here’s How to Protect Yourself,” encouraged consumers to stop giving out their SSNs to reduce the risk of compromise. The author interviewed an associate teaching professor of information technology, analytics, and operations at the University of Notre Dame’s Mendoza College of Business, who noted, “It’s routine to walk into a doctor’s office and they’re asking for your Social Security number on a form, but for years I’ve just always left those blank, and nobody really ever argues with it.”
The project team also found that because the SSN field was a required field in Mayo’s EHR, staff often entered default SSNs to complete the patient registration process. In 2020, 83.3 percent of newly created Mayo patients had a default SSN entered. In 2021, prior to a system and process change in May, 87.9 percent of newly created patients had a default SSN entered. A 2019 AHIMA article, “Close Doesn’t Count: Patient Matching Challenges in HIEs,” also recognized that while SSNs are often used to identify a patient, they were becoming less and less reliable. “Children’s Minnesota no longer collects the Social Security number (SSN). Noreen says it’s because patients sometimes don’t know their own SSN—prompting staff to enter a dummy number to bypass that portion of the registration—or staff accidentally transpose numbers or enter the wrong numbers, compromising data integrity.”
The project team originally worked with legal and Mayo Clinic’s chief compliance officer to gain support with approval from the privacy program medical director. The team also gained support from key compliance officers in revenue, pharmacy, and research. The strategy department was then engaged to work with a health system engineer to ensure the charter was managed properly. Information technology and EHR subject matter experts/engineers were consulted to ensure the removal was technically possible. State Medicare/Medicaid representatives were also contacted for key states such as Minnesota, Florida, Wisconsin, and Arizona, as well as benchmarking with additional Minnesota Compliance Association members. At the same time, several high-impact operational departments were engaged including revenue cycle, registration, transplant, occupational medicine, and health information management services.
The project team then obtained approval from key governance groups for Mayo. Endorsement to initiate and plan was sought from the Board of Governors, Mayo Clinic Health Information Coordinating Subcommittee, Master Data Management Stewardship Council, and the Clinical Systems Oversight Committee. Final approvals to remove the SSN demographic field from the EHR came from Electronic Health Record/Revenue Cycle Management Oversight Committee and the Mayo Clinic Health Information Coordinating Subcommittee. Additionally, the Mayo Clinic Security Committee endorsed and supported the project.
The project team, which included a health system engineer, leveraged a DMAIC (define, measure, analyze, improve, and control) process improvement approach to determine the root reasoning for collecting/using/storing SSNs. Throughout the “define” phase of the project, the team interviewed 77 key stakeholders from 40 different teams across the organization to understand whether SSN was needed for regulatory compliance purposes or was a “nice to have” because we had always done it that way. It was determined that processes that did not have a regulatory or business requirement to collect, use, or store SSNs created unnecessary risk to patients and to the organization. Through stakeholder interviews, the project team determined that most existing organizational processes could be changed to reduce risk without impacting patient care or operational needs.
After a brief pause in the project due to COVID-19 and refocused priorities to meet patient care needs, the project team attained approval to execute from key governance committees by sharing results of the key stakeholder process reviews and redesigns. The project team showed that regulatory requirements and operational needs could still be met, and processes had been successfully redesigned to collect, use, or store patient SSNs only when necessary. The SSN would no longer be stored in a structured text demographic field but would be stored in a secured and fully auditable system with fewer users and more granular access controls. Examples of two processes that still require the use of SSNs include some state claims reporting requirements and remuneration for research study participants. In limited circumstances where SSNs are required and teams are not patient-facing, such as state claims reporting, processes include a query of the secure database as well as the use of a contracted vendor to obtain required SSNs.
During this “execution” phase of the project, media reports of ransomware specifically targeting healthcare organizations were raising information security concerns. This further supported the need to reduce risk to patients by removing this data element from Mayo’s EHR. Additionally, many healthcare organizations support the need for a National Patient Identifier to help with linking unique patient records without the risk of using a number that can be misused for financial identity theft. There was some success in 2021 in moving toward a better identifier. A Politico article explains: “The ID is a number that health providers would use to match and manage patient information and, for example, help distinguish patients with the same name. Unique identifiers have been billed as a way to reduce clinical mix-ups and improve patient safety and data sharing, while fortifying a patchwork medical privacy system. The United States is an outlier among developed countries in not having a universal patient identifier, experts say.”
Results and Next Steps
In April 2022, Mayo successfully disabled the SSN demographic field in the EHR. At this time, patient SSNs can no longer be entered, stored, or viewed in this single demographic field of Mayo’s EHR. The benefit to our patients is significant. A 2019 Forbes article, “What Cybercriminals Steal When They Hack Hospitals, New Study,” published findings from a comprehensive study analyzing large privacy breaches from 2009 to 2019. “The study shows that out of the 168 million patients affected, 70% of the breaches impacting approximately 95% of patients were targeting demographic or financial information. Hackers picked up medical information exclusive of demographic or financial information in only 16% of the breaches affecting 6 million patients. Sensitive medical information was stolen in only 2% of breaches impacting 2.4 million patients.”
The team was able to accomplish the five-year-long project without any project budget or spending. While different teams across Mayo were engaged and project managers and health system engineers changed throughout the project, all were existing resources willing to support the success of the project.
Many of the SSN use cases that came forward for evaluation were for patient identification or matching. When working with these groups to redesign processes, many found that additional identifiers such as email addresses or cellphones were equally helpful. In addition, the project team identified several teams utilizing vendors to obtain SSNs when needed to assist the patient. The project team worked with contracting partners to coordinate consistency in vendor use and ensure secure storage when necessary.
Throughout the project, the team worked to develop a toolkit that will be available to internal and external interested parties after the final project monitoring phase has been completed. The toolkit will provide recommendations for a successful change management approach, examples of high-impact user groups, internal and external stakeholder communications, current and future state workflow examples for common use cases, and more. The toolkit can be requested by contacting the project team at SSNRemovalproject@mayo.edu.
By sharing the toolkit, other organizations and partners can outline a similar plan and begin the process of eliminating routine SSN collection and storage from their processes. By sharing this toolkit and sharing in the success of this important initiative, Mayo Clinic demonstrates a commitment to patient safety and knowledge sharing with healthcare partners.
For organizations beginning this process, it is important to ensure the project has executive level support from the onset. In this case, leadership provided a clear directive that all user groups were expected to help the project team by being open to alternative solutions that could accomplish the patient care and/or business need.
Along with leadership support, stakeholder engagement should be emphasized. The project was successful largely because of a knowledgeable and skilled IT contact. The IT role serves to ensure the technical aspect of the project is achievable, outline important timelines and resources to pay attention to, and provide key data to support communications. A strong contracting partner was also important to support groups that had an ongoing need for obtaining SSNs through a vendor.
While the scope of the project was limited to assessment of Mayo Clinic’s routine collection and storage of patient SSNs, the team also identified external stakeholders that would be impacted by the change. More specifically, in some discharge or transfer processes, external partners obtained patient SSNs from Mayo and would need to adjust their processes. The team worked with case managers to identify key partners and drafted a courtesy communication to be sure the project and its impact were communicated to these partners prior to any process changes. An email was designed to receive questions or concerns from both internal and external stakeholders.
The project proved to be substantial and required consistent messaging and resources for a long period of time. A small budget and dedicated project manager would be critical for a more focused and succinct timeline. Expertise from a health system engineer significantly improved the team’s ability to fully understand and document current and future state process for high-impact user groups. A public podcast highlighting the project and the team’s partnership with the strategy department will be released this month in Mayo Clinic’s Consulting Edge library. In addition, an intranet information site was designed to ensure a single source of truth for project information. The site included the project timeline, links to past communications, committee approvals, and trending publications supporting the need for project success. The site was helpful for newer leaders to understand the project history and timeline.
Willingness to help problem solve increased dramatically when group members understood the value of the SSN removal initiative and felt empowered to create positive, lasting change that supported the needs of the patients. Critical to advancing this initiative was engaging and attaining leadership buy-in, working through a group’s concerns, and promoting a sense of process ownership amongst group members. Moreover, change management does not occur overnight; as the team learned during this project, it is often the product of consistent and gradual engagement.
April Carlson is the senior manager of data security and architecture in the Office of Information Security at Mayo Clinic. During most of this project, she was the Mayo privacy officer. She is also an instructor in health care administration for Mayo Clinic’s College of Medicine.
Leah Mudler is currently a manager in the Integrity and Compliance Office at Mayo Clinic and assists with structuring and facilitating strategic enterprise-wide initiatives.
Allyssa Stevens is a senior health systems engineer in the Strategy Department at Mayo Clinic.
Jaclyn Melvin is a senior global security analyst for Global Security Support Services at Mayo Clinic.
Patient ID Now, a coalition of leading healthcare organizations, is hosting Patient ID Week, May 9-13, 2022. The week will focus on efforts to educate members of Congress and the public about the issues the healthcare and public health systems face due to the lack of a national strategy around patient identification and matching.