SSN Memo

DEFENSE HEALTH AGENCY
7700 ARLINGTON BOULEVARD, SUITE 5101
FALLS CHURCH, VIRGINIA 22042-5101

Chief, DHA Privacy
& Civil Liberties

MEMORANDUM FOR DEFENSE PRIVACY, CIVIL LIBERTIES AND TRANSPARENCY
DIVISION
SUBJECT: Justification for the Continued Use of the Social Security Number (SSN) in the
Armed Forces Billing and Collection Utilization Solution (ABACUS) (DITPR ID #15754)
This memorandum is to satisfy the requirements of the Department of Defense
Instruction DoDI 1000.30, Reduction of Social Security Number (SSN) Use Within DoD, dated
August 1, 2012 that requires justification of the collection and use of the SSN in ABACUS.
ABACUS supports medical billing and is the DoD standard system designed to assist military
treatment facilities (MTFs) in the collection, tracking, and reporting of data required for Third
Party Collection Program. ABACUS provides a mechanism to MTFs for identifying, recording,
billing and collecting reasonable costs for medical and dental care provided. ABACUS supports
processing of Medicare Billing Claims form UB-04, and Health Insurance Claims Form CMS1500, and invoices which are populated using an electronic interface from on-site systems
including Composite Health Care System (CHCS) and MHS Genesis. ABACUS also supports
the following processes:
• Data migration
• Help desk support
• Training and maintenance
• Clearinghouse services
• Electronic Other Health Insurance discovery
• Pharmacy Claims
• High Cost Ancillary Services Claims
• Supplemental Billing
• Secondary Transaction Codes
• Audit Trail (for purposes of fraud prevention)
• Batch Processing
The system of records notice (SORN) applicable to ABACUS is EDHA 12, Third Party
Collection System (July 15, 2016, 81 FR 46069) (Attachment 1). An updated Privacy Impact
Assessment (PIA) for ABACUS is in coordination. The DITPR ID assigned to ABACUS is
15754.
The Paperwork Reduction Act is applicable to ABACUS because the system collects
SSNs from members of the public to include federal employees and contractors. The Office of
Management and Budget (OMB) Control Number for this system of records is 0720-0055, Third
Party Collection Program, effective through June 30, 2016; update pending. A copy of the

current DD Form 2569, Third Party Collection Program/Medical Services Account/Other Health
Insurance included (Attachment 2).
According to DoDI 1000.30, continued use of SSNs within ABACUS must be justified
by one or more of the Acceptable Use Cases set forth in DoDI 1000.30, Enclosure 2. The
Acceptable Use Case applicable to ABACUS is:
2.c(13) Other Cases. The previous categories may not include all uses of the SSN
delineated by law. Should an application owner be able to show sufficient grounds that a use
case not specified in subparagraphs 2.c.(1) through 2.c.(12) of this enclosure is required by law,
then that use case may continue to use the SSN. Any application that seeks to use this clause as
justification must provide specific documentation in order to continue use under this provision.
As a Health Insurance Portability and Accountability Act (HIPAA) covered entity, DoD
must comply with electronic health care transaction standards adopted in the Final Rule entitled:
Health Insurance Reform; Modifications to the HIPAA Electronic Transaction Standards (45
CFR Part 162 [CMS-0009-F] RIN 0938-AM50). HIPAA named and adopted standards for
electronic Professional, Institutional and Retail Pharmacy drug claims are as follows:
•
•

•

Professional Health Care Claims: Data Interchange Technical Report Type 3-Health
Care Claim: Professional (837), May 2006, ASC X12N/005010X222
Institutional Health Care Claims: The ASC X12 Standards for Electronic Data
Interchange Technical Report Type 3-Health Care Claim: Institutional (837), May
2006, ASC X 12N/0050 IOX223, and Type 1 Errata to Health Care Claim:
Institutional (837) ASC Xl2 Standards for Electronic Data Interchange Technical
Report Type 3, October 2007, ASC X12N/0050IOX223Al
Retail Pharmacy Drug Claims: National Council for Prescription Drug Programs
(NCPDP) Telecommunication Standard Implementation Guide, Version D, Release
0 (Version D.O), August 2007

These standards specify the data that are required for electronic Professional,
Institutional, and Pharmacy health care claims and provide for use of SSNs under certain
circumstances to identify providers, prescribers, subscribers, and patients when other identifiers
are not available. The DoD Identification Number, which is used for internal DoD business
transactions and operations, cannot be used for transactions with third party payers and other
health insurance providers. Additionally, not all patients treated by the DoD are in fact DoD
Beneficiaries and are not assigned a DoD Identification Number. Another situation in which
SSNs may be necessary is in connection with pharmacy claims. The NCPDP Pharmacy claim
allows a Prescriber to be identified with an SSN when the Prescriber's National Provider
Identifier (NPI) is not available. Likewise, the SSN is used in the 2010BA Subscriber Name
Loop in X12 Professional and Institutional claims as a Secondary Identifier for the Subscriber
when other identifiers are not available.
As the system of record for medical appointment, billing insurance and sensitive patient
information which is considered PII and PHI, ABACUS has been designed to adhere to all
applicable laws, standards and guidance covering operations with this type of information.

These include (but are not limited to) HIPAA and Statement on Standards for Attestation
Engagements (SSAE18) auditing standards. DoD mandated security controls are implemented
to restrict access to, and manipulation of, these types of information within the ABACUS
application – both hardware and software. All transfer of information is encrypted in compliance
with federal standards and accessed only in accordance with approved system requirements. In
addition, all data at rest is encrypted to prevent further access to any sensitive information
without proper authorization. Further care is taken to forensically record access/actions within
the program for auditing and investigatory purposes, if ever the need arises. The ABACUS
system undergoes in-depth product reviews quarterly; and security reviews are conducted
annually to certify that all current, and past, requirements are being met, including the addition of
any updates to policy and/or requirements that may arise. Any operations or adherence outside
of these policies are expressly written, and recorded, to sufficiently show evidence of due
diligence to system requirements, policies, and federal laws, as applicable. Further, SSNs are
only used in instances where no other solution is available such as with external payers who use
only the SSN to uniquely identify the patient.
The Solution Delivery Division Program Executive Office point of contact for this
program is Mr. James Marsden, Project Manager and Contracting Officer Representative,
ABACUS. Mr. Marsden may be reached at (210) 356-7052 or [email protected].
Digitally signed by

MARSDEN.JAMES MARSDEN.JAMES.L.JR.1130667
.L.JR.1130667305 305
Date: 2018.10.15 07:20:43 -05'00'

James L. Marsden
Program Manager, ABACUS

Attachments:
As Stated