I liked the question and Mark's answer.
Privacy laws may come into effect if any part of your Claims/Policy number actually includes any address component more granular than the STATE. For structured data where "NYnnnnnnn-xx" was in the fixed field, it would not be an issue.
In the last ten to fifteen years, there is a growing possibility where more technical formats are being used to define information using unstructured data (i.e., JSON, XML, etc.), which, if applied to policy number or claim number, any subcomponent, for even a single record, that addressed identifiable information more granular than state may fall under consideration as a privacy violation.
I won't give an example of a JSON record here, but review with your technical, risk or legal teams if new apps might think it a simple idea to expand on what is included in an API or data exchange between cloud services, etc. I follow CSA (Cloud Security Alliance) and many API-focused groups to track whether there are cloud controls that focus on privacy too.
All the best, Larry
Original Message:
Sent: 10-11-2022 12:58 PM
From: Anonymous Member
Subject: Insurance Professionals...Claim # and PII
This message was posted by a user wishing to remain anonymous
Good morning,
I have a question for fellow insurance professionals. We've recently started discussing whether we should define Claim Number and Policy Number as NPI, when used with first and last name, due to the fact that it is a numerical identifier of potentially one individual (could also be more than one).
- How are your teams treating Claim and Policy Number?
- How are you addressing the same in third-party contracts, specifically on the claims side when Claim Number needs to be disclosed as the connection between two information systems, filing and tracking purposes, but many of the third parties don't meet security standards for NPI or are use/based, low contract value and won't budge on limitations of liability?
- Examples would be auto, machine, building replacement cost experts, independent adjusters, private investigators, etc.
Thanks in advance!