    UTMB HANDBOOK OF OPERATING PROCEDURES

    Section 6 Compliance Policies

    Subject 6.2 Privacy Related

    Policy 6.2.34 Use and Disclosure of Social Security Numbers (SSNs)

    02/17/06 -Originated

        -Reviewed w/changes

    -Reviewed w/o changes

    Compliance Office -Author

Use and Disclosure of Social Security Numbers (SSNs)

    Audience

    The information in this document applies to all UTMB faculty, staff, students, volunteers, and any other contractors or agents.

    Policy

    UTMB shall use and collect social security numbers (SSNs) only as reasonably necessary for the proper administration or accomplishment of the institution’s business, governmental, education and medical purposes when the collection and use of SSN is necessary, but not required by applicable law. The use of the social security number (SSN) or any portion of the SSN as an individual’s primary identification number is prohibited, unless required by applicable law or by a third party. A unique identifier will be assigned based upon whether the individual is an employee, student or patient.

    Except in those instances in which an institution is legally required to collect an SSN or a third party requires that the SSN is collected, an individual shall not be required to provide his or her SSN, nor shall the individual be denied access to the services at issue if the individual refuses to disclose his or her SSN.

    An individual, however, may volunteer his or her SSN as an alternate means of locating a record or accessing services. UTMB’s request that an individual provide his or her SSN for verification of the individual’s identity where UTMB is already in possession of the individual’s social security number does not constitute a disclosure for purposes of this policy. Failure to comply with this policy may result in disciplinary action in accordance with IHOP 3.10.1, Discipline and Dismissal Policy.

    Notification Requirements When Collecting the SSN

    Each time UTMB requests that an individual disclose his or her SSN, UTMB shall provide the notice required by Section 7 of the Federal Privacy Act of 1974 (5 U.S.C. § 662a) (Notice), which requires that the institution inform the individual whether the disclosure is mandatory or voluntary, by what statutory or other authority the number is solicited, and what uses will be made of it. Several standardized forms exist. The Office of Institutional Compliance is to be contacted before use or disclosure of SSNs.

    It is preferable that the Notice be given in writing, but if at times it will be given orally, departments shall develop and implement procedures to assure and document that the Notice is properly and consistently given.

    In addition to the Notice required by the Federal Privacy Act, when the SSN is collected by means of a form completed and filed by the individual, whether the form is printed or electronic, the institution must also provide the Notice required by Section 559.003 of the Texas Government Code. The Code requires that the institution state on the paper form or prominently post on the Internet site in connection with the form that:

      • with few exceptions, the individual is entitled on request to be informed about the information that the institution collects about the individual;

      • under Sections 552.021 and 552.023 of the Government Code, the individual is entitled to receive and review the information; and

      • under Section 559.004 of the Government Code, the individual is entitled to have the institution correct information about the individual that is incorrect.

    Student Grades

    Student grades may not be publicly posted or displayed in a manner in which any or all of either the SSN or the unique identifier identifies the individual associated with the information.

    Protection of SSNs

    The SSN may not be displayed on documents that can be widely seen by the general public (such as time cards, rosters, and bulletin board postings) unless required by law. This policy does not prohibit the inclusion of the SSN on transcripts or on materials for federal or state data reporting requirements.

    If UTMB sends materials containing SSNs through the mail, it shall take reasonable steps to place the SSN on the document so as not to reveal the number in the envelope window. As an alternative, UTMB may leave the SSN field blank and ask the individual to complete and return the document. In that event, however, UTMB must include the Notice required above. UTMB shall prohibit employees from sending SSNs over the Internet or by e-mail unless the connection is secure or the SSN is encrypted or otherwise secured. The institution shall require employees sending SSNs by fax to take appropriate measures to protect the confidentiality of the fax.

    UTMB requires all records containing SSNs be secured and maintained in accordance with UTMB’s security plan. Records or media (such as disks, tapes, hard drives) containing SSNs shall be discarded in accordance with IHOP 2.1.4.

    Information containing SSNs should be destroyed by shredding, reformatting, erasing or otherwise modifying the material to make it unreadable or indecipherable, and in accordance with the institution’s record retention schedule.

    Control Access to SSNs

    Each department shall limit access to records containing SSNs to those employees who need to see the number for the performance of the employees' job responsibilities.

    Each department shall monitor access to records containing SSNs by the use of appropriate measures as reasonably determined by UTMB.

    Each department shall protect the security of records containing SSNs during storage using physical and technical safeguards (such safeguards may include encrypting electronic records, including backups, and locking physical files).

    Records containing SSNs should not be stored on institutional or personal computers or other electronic devices that are not secured against unauthorized access.

    SSNs may not be shared with third parties except:

      • As required or permitted by law

      • With the consent of the individual

      • Where the third party is the agent or contractor for the institution and the safeguards described below under “Disclosure to Third Parties” are in place to prevent unauthorized distribution; or,

      • As approved by the Office of Legal Affairs

    Disclosures to Third Parties

    When SSNs are shared with a third party that is the agent or contractor for UTMB, a written agreement should be entered into to protect the confidentiality of the SSN as required by this policy. UTMB should hold the third party accountable for compliance with the provisions of the written agreement through regular monitoring or auditing. The written agreement should:

      • Prohibit the third party from disclosing the SSN, except as required by law; and,

      • Require the third party to use adequate administrative, physical, and technical safeguards to protect the confidentiality of records or record systems containing SSNs.

    Acquisition of New Data Systems

    All systems acquired or developed after the effective date of this policy must comply with the requirements stated below. If the acquisition or development is in process on the date that this policy was implemented, the system is exempt from these requirements:

      • The system must use the SSN only as a data element or alternate key to a database and not as a primary key to a database;

      • The system must not display SSNs visually (such as on monitors, printed forms, system outputs) unless required by law or permitted by this policy;

      • Name and directory systems must be capable of being indexed or keyed on the unique identifier, once it is assigned, and not on the SSN; and,

      • For those databases that require SSNs, the databases may automatically cross-reference between the SSN and other information through the use of conversion tables within the system or other technical mechanisms.

    The Office of Institutional Compliance, in conjunction with Information Services, will be required to approve any proposed use of SSNs in any new electronic system to be acquired or developed by UTMB.

    Inappropriate Disclosure of SSNs

    UTMB requires all employees to promptly report any inappropriate disclosure of SSNs to their supervisor, who shall report the disclosure to the Office of Institutional Compliance.

    Reporting by the employee may be anonymous, in accordance with the institution’s compliance program, if the employee chooses. Retaliation against an employee who in good faith reports an inappropriate disclosure of an SSN is prohibited. If the supervisor and Institutional Compliance Officer determine that the SSN was inappropriately disclosed and individuals have been put at risk of identity theft or other harm as a result of the disclosure, UTMB shall take all reasonable steps to promptly notify the individuals affected.

    Employee and Student Responsibilities

    All UTMB faculty, staff, students, volunteers, and any other contractors or agents shall comply with the provisions of this policy. Specifically:

      • Employees may not request disclosure of a SSN if it is not necessary and relevant to the purposes of UTMB and the particular function for which the employee is responsible;

      • Employees and students may not disclose SSNs to unauthorized persons or entities;

      • Employees and students may not seek out or use SSNs relating to others for their own interest or advantage; and,

      • Employees responsible for the maintenance of records containing SSNs shall observe all UTMB established administrative, technical, and physical safeguards in order to protect the confidentiality of such records.

    Questions about whether a particular use is required by law should be directed to the Office of Institutional Compliance.

    References

    IHOP Policy 2.1.4, Records & Information Management

    IHOP Policy 3.10.1, Discipline & Dismissal

    IHOP Policy 6.2.12, Disposal of PHI

    5 U.S.C § 662a Section 7 Federal Privacy Act of 1974

    Texas Government Code, Section 559.003, 559.004, 552.021 and 559.023

    BPM 66

     
This site published by Ruth Finkelstein for the Policies & Procedures Website.
Copyright © 2005 The University of Texas Medical Branch. Please review our Privacy Policy and Internet Guidelines.