The GAO recommends that CMS initiate an IT project to develop a solution for SSN removal and incorporate such a project into plans for ongoing IT modernization initiatives. HHS agreed with GAO's recommendations, if certain constraints were addressed. However, GAO maintains that its recommendations are warranted as originally stated.
What they really need to do is de-identify and anonymize data.
Of course, we have books that will help solve the problem.
Guide to the De-Identification of Personal Health Information
In this book, Khaled El Emam, the founder and CEO of Privacy Analytics, Inc., offers compelling practical and legal reasons why de-identification should be one of the main approaches to protecting patients’ privacy. The book outlines a proven, risk-based methodology for the de-identification of sensitive health information, situates and contextualizes that methodology, and provides a general overview of its steps. It also supplies a detailed case for why de-identification is important, as well as best practices to help you pinpoint when it is necessary to apply de-identification in the disclosure of personal health information.
The Complete Book of Data Anonymization: From Planning to Implementation
Data anonymization provides a systematic and integrated approach to privacy protection that goes far beyond simple data-masking or network security from external or internal theft. In this book, Balaji Raghunathan of Infosys Ltd. discusses analysis, planning, set-up, and governance. This timely manual illuminates the entire process of adapting and implementing anonymization tools and programs to increase the success of privacy protection in vulnerable organizations. Providing a 360-degree view of data privacy protection, it details data anonymization patterns, automation/tool capabilities, and the key factors for success in disguising the person behind the data.