Social Security Number

From University of Nebraska Medical Center
Jump to navigation Jump to search
Human Resources   Safety/Security   Research Compliance   Compliance   Privacy/Information Security   Business Operations   Intellectual Property   Faculty


Identification Card | Secure Area Card Access | Privacy/Confidentiality | Computer Use/Electronic Information | Retention and Destruction/Disposal of Private and Confidential Information | Use and Disclosure of Protected Health Information | Notice of Privacy Practices | Access to Designated Record Set | Accounting of PHI Disclosures | Patient/Consumer Complaints | Vendors | Fax Transmissions | Psychotherapy Notes | Facility Security | Conditions of Treatment Form | Informed Consent for UNMC Media | Transporting Protected Health Information | Honest Broker | Social Security Number | Third Party Registry | Information Security Awareness and Training

Policy No.: 6085
Effective Date: 09/22/15
Revised Date: 03/30/18
Revised Date: 03/30/18

Use of Social Security Number Policy

Basis for Policy

UNMC has a responsibility to protect the identity of its faculty, staff and students, as well as all individuals with whom it has an association including alumni, donors, research subjects, potential students, and affiliates. Since an individual's Social Security Number (SSN) is one of the most critical data items used to establish an identity, UNMC needs to take extra precautions to safeguard SSNs from unauthorized use.

Scope of Policy

This policy governs the use of SSN within the UNMC campus. Use of SSN within information systems provided by University of Nebraska Central Administration shall follow the policies applicable to those systems.

Policy

UNMC shall not use Social Security Numbers to identify students, employees, research subjects, alumni, donors, potential students and affiliates outside of those uses specifically required by law, such as financial aid, payroll and benefit functions.

Social Security Numbers (SSNs) - including any portion of the full nine digits, shall not be electronically collected, transmitted, or stored by members of the workforce unless specifically authorized in writing by authorized individuals as outlined in this policy. Individuals or departments that collect, transmit or store SSNs will take steps necessary to secure this data using best practices identified by the Information Security Office.

The following individuals are authorized to approve use of Social Security Numbers.

  • Employees - Assistant Vice Chancellor for Human Resources
  • Students - Assistant Vice Chancellor for Academic Affairs/Student Affairs
  • Research Subjects - Institutional Review Board
  • Other - Assistant Vice Chancellor for Business and Finance
  • Other - Chief Information Security Officer

General

  • UNMC is responsible for safeguarding and protecting Social Security Numbers against loss, tampering and disclosure. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, Transporting Protected Health Information).
  • UNMC shall reasonably mitigate or reduce any harmful effects that may result from privacy breaches involving Social Security Numbers.
  • Workforce members who suspect a Social Security Number violation must report it immediately to their respective manager, the Privacy Office, or the Information Security Office. A full investigation of the suspected violation shall be conducted. Staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 1-844-348-9584. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations.
  • Sanctions for violations of privacy or information security policies may include scholastic or employee corrective action up to and including student dismissal or termination of employment. (See UNMC Policy No. 1098, Corrective and Disciplinary Action Policy).

Student Education Record Information

  • The Social Security Number of a student is considered confidential information and must not be used to identify a student.
  • Information Technology Services (ITS) shall be available to assist in identifying alternatives to use of Social Security Number. Alternatives which should be considered, include but are not limited to:
  • UNMC Student Number
  • In the event that the Social Security Number of a student must be maintained, a form, Request to Use Social Security Number, must be completed and submitted to the Information Security Office which will facilitate approval from the Assistant Vice Chancellor for Academic Affairs/Student Affairs. If Social Security Number must be used and stored in a database, the use of the student’s Social Security Number must comply with ITS Database Security Procedures.

Employee Information

  • The Social Security Number of an employee is considered confidential information and should not be used to identify an employee unless legally mandated.
  • The Information Security team shall be available to assist in identifying alternatives to the use of the Social Security Number. Alternatives which should be considered, include but are not limited to:
  • Personnel (SAP) Number
  • In the event that the Social Security Number of an employee must be maintained, a form, Request to Use Social Security Number, must be completed and submitted to the Information Security Office who will facilitate approval of the Assistant Vice Chancellor for Human Resources for approval. In cases where the employee Social Security Number must be stored in a database, the database must comply with ITS Database Security Procedures.

Research Information

  • The Social Security Number of a research subject is considered confidential information and should not be used to identify a research subject unless legally mandated.
  • ITS shall be available to assist in identifying alternatives to use of Social Security Number.
  • In the event that the Social Security Number of a research subject must be maintained, a form, Request to Use Social Security Number, must be completed and submitted the Information Security Office which will facilitate approval from the Institutional Review Board. In cases where the research subject Social Security Number must be stored in a database, the database use must comply with ITS Database Security Procedures.

Other

  • The Social Security Number of someone in a category not previously defined is considered confidential information and should not be used to identify an individual unless legally mandated.
  • The information Security team shall be available to assist in identifying alternatives to use of Social Security Number.
  • In the event that the Social Security Number must be maintained, a form, Request to Use Social Security Number, must be completed and submitted to the Information Security Office which will facilitate approval from the Senior Associate Vice Chancellor for Business and Finance for approval. In cases where the Social Security Number must be stored in a database, the database use must comply with ITS Database Security Procedures.

Approval/Disapproval Process

The Information Security Office will notify unit management and the requestor of the decision to approve/disapprove the request.

If the request to use the Social Security Number is approved, the Information Security Office will send the approval document to the unit management and requestor.

If the request to use the Social Security Number is disapproved and the requestor wishes to appeal the decision, the Vice Chancellor for Business and Finance will be asked to review the request and render a final decision.

Review of Electronic Data storage

Periodically the Information Security Office will generate reports which will identify the storage locations of Social Security Numbers. These reports will be distributed to unit management for review. The intent of the report is to help unit management know where Social Security Numbers are used within their unit.

Record Retention

The Information Security Office will maintain the exception forms. The forms will be reviewed periodically to verify that the exception is still valid.

Definitions

Information Security

Policies and practices designed to control access and protect information from unauthorized access, alteration, destruction, loss or disclosure.

Workforce

Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.

Additional Information

This page maintained by dkp.