Social Security Number: Difference between revisions

From University of Nebraska Medical Center
No edit summary
 
(31 intermediate revisions by 3 users not shown)
Line 20: Line 20:
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"  
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"  
width="20">[[Intellectual Property]]</td>
width="20">[[Intellectual Property]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Faculty]]</td>
</tr>
</tr>
</table>
</table>
<br />
<br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]]
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]]
<br /><br />
<br /><br />
Policy No.: '''6075'''<br />
Policy No.: '''6085'''<br />
Effective Date: '''DRAFT'''<br />
Effective Date: '''09/22/15'''<br />
Revised Date: ''''''<br />
Revised Date: '''03/30/18''' <br />
Revised Date: ''''''<br />
Revised Date: '''03/30/18'''<br />
<br />
<br />
<big>'''Use of Social Security Number Policy'''</big><br /><br />
<big>'''Use of Social Security Number Policy'''</big><br /><br />
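Review bot: The header block in the new revision carries the line Revised Date: '''03/30/18''' twice, where the earlier revision had two empty Revised Date placeholders. Keep a single Revised Date entry, or label the second one for what it records if two dates are intended, so readers do not see a repeated field. The policy number also changes from 6075 to 6085 in this block; pages that cite this policy by number should be checked against the new value.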
Line 36: Line 39:
This policy governs the use of SSN within the UNMC campus. Use of SSN within information systems provided by University of Nebraska Central Administration shall follow the policies applicable to those systems.
This policy governs the use of SSN within the UNMC campus. Use of SSN within information systems provided by University of Nebraska Central Administration shall follow the policies applicable to those systems.
==Policy==
==Policy==
UNMC shall not use Social Security Numbers to identify students, employees, research subjects, alumni, donors, potential students, and affiliates outside of those uses specifically required by law, such as financial aid, payroll and benefit functions.
UNMC shall not use Social Security Numbers to identify students, employees, research subjects, alumni, donors, potential students and affiliates outside of those uses specifically required by law, such as financial aid, payroll and benefit functions.


Social Security Numbers (SSNs) - including any portion of the full nine digits-shall not be electronically collected, transmitted, or stored by members of the workforce unless specifically authorized in writing by authorized individuals as outlined in this policy. Individuals or departments that collect, transmit or store SSNs will take steps necessary to secure this data using best practices identified by the Information Security Office.
Social Security Numbers (SSNs) - including any portion of the full nine digits, shall not be electronically collected, transmitted, or stored by members of the workforce unless specifically authorized in writing by authorized individuals as outlined in this policy. Individuals or departments that collect, transmit or store SSNs will take steps necessary to secure this data using best practices identified by the Information Security Office.


The following individuals are authorized to approve use of Social Security Number.
The following individuals are authorized to approve use of Social Security Numbers.
*Employees - Assistant Vice Chancellor Human Resources
*Employees - Assistant Vice Chancellor for Human Resources
*Students - Assistant Vice Chancellor Academic Affairs
*Students - Assistant Vice Chancellor for Academic Affairs/Student Affairs
*Research Subjects - Institutional Review Board  
*Research Subjects - Institutional Review Board  
*Other - Senior Associate Vice Chancellor for Business and Finance
*Other - Assistant Vice Chancellor for Business and Finance
*Other - Chief Information Security Officer
===General===
===General===
*UNMC is responsible for safeguarding and protecting Social Security Numbers against loss, tampering, and disclosure to individuals. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, [[Transporting Protected Health Information]]).
*UNMC is responsible for safeguarding and protecting Social Security Numbers against loss, tampering and disclosure. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, [[Transporting Protected Health Information]]).
*UNMC shall reasonably mitigate or reduce any harmful effects that may result from privacy breaches involving Social Security Numbers.  
*UNMC shall reasonably mitigate or reduce any harmful effects that may result from privacy breaches involving Social Security Numbers.  
*Workforce members who suspect a Social Security Number violation must report it immediately to their respective manager, the Privacy office, or Information Security Office. A full investigation of the suspected violation shall be conducted. Staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 1-866-568-5430. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations.  
*Workforce members who suspect a Social Security Number violation must report it immediately to their respective manager, the Privacy Office, or the Information Security Office. A full investigation of the suspected violation shall be conducted. Staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 1-844-348-9584. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations.  
Sanctions for violations of privacy or information security policies may include scholastic or employee corrective action up to and including student dismissal or termination of employment. (See UNMC Policy No.1098, [http://wiki.unmc.edu/Corrective/Disciplinary_Action Corrective and Disciplinary Action Policy]).  
*Sanctions for violations of privacy or information security policies may include scholastic or employee corrective action up to and including student dismissal or termination of employment. (See UNMC Policy No. 1098, [http://wiki.unmc.edu/index.php?title=Corrective/Disciplinary_Action Corrective and Disciplinary Action Policy]).
===Student Education Record Information===
===Student Education Record Information===
*The Social Security Number of a student is considered confidential information and must not be used to identify a student.
*The Social Security Number of a student is considered confidential information and must not be used to identify a student.
*Information Technology Services (ITS) shall be available to assist in identifying alternatives to use of Social Security Number. Alternatives which should be considered, include but are not limited to:  
*Information Technology Services (ITS) shall be available to assist in identifying alternatives to use of Social Security Number. Alternatives which should be considered, include but are not limited to:  
:*Student Number
:*UNMC Student Number
*In the event that the Social Security Number of a student must be maintained, a form [http://www.unmc.edu/its/security/procedures/ssn-use.docx Request to Use Social Security Number] must be completed and submitted to the Information Security Office who will facilitate approval from the Assistant Vice Chancellor for Academic Affairs. If Social Security Number must be used and stored in a database, the use of the student’s Social Security Number must comply with [http://www.unmc.edu/its/security/procedures/database-security.html ITS Database Security Procedures].
*In the event that the Social Security Number of a student must be maintained, a form, [https://support.security.unmc.edu/exceptions/ssn Request to Use Social Security Number], must be completed and submitted to the Information Security Office which will facilitate approval from the Assistant Vice Chancellor for Academic Affairs/Student Affairs. If Social Security Number must be used and stored in a database, the use of the student’s Social Security Number must comply with [https://info.unmc.edu/its-security/policies/procedures/database-security.html ITS Database Security Procedures].
===Employee Information ===
===Employee Information ===
*The Social Security Number of an employee is considered confidential information and should not be used to identify an employee unless legally mandated.
*The Social Security Number of an employee is considered confidential information and should not be used to identify an employee unless legally mandated.
*ITS shall be available to assist in identifying alternatives to use of Social Security Number. Alternatives which should be considered, include but are not limited to:
*The Information Security team shall be available to assist in identifying alternatives to the use of the Social Security Number. Alternatives which should be considered, include but are not limited to:
:*Personnel (SAP) Number
:*Personnel (SAP) Number
:*Last four digits of Social Security Number 
*In the event that the Social Security Number of an employee must be maintained, a form, [https://support.security.unmc.edu/exceptions/ssn Request to Use Social Security Number], must be completed and submitted to the Information Security Office who will facilitate approval of the Assistant Vice Chancellor for Human Resources for approval. In cases where the employee Social Security Number must be stored in a database, the database must comply with [https://info.unmc.edu/its-security/policies/procedures/database-security.html ITS Database Security Procedures].
*In the event that the Social Security Number of an employee must be maintained, a form [http://www.unmc.edu/its/security/procedures/ssn-use.docx Request to Use Social Security Number] must be completed and submitted to the Information Security Office who will facilitate approval of the Assistant Vice Chancellor for Human Resources for approval. In cases where the employee Social Security Number must be stored in a database, the database must comply with [http://www.unmc.edu/its/security/procedures/database-security.html ITS Database Security Procedures].
===Research Information ===
===Research Information ===
*The Social Security Number of a research subject is considered confidential information and should not be used to identify a research subject unless legally mandated.
*The Social Security Number of a research subject is considered confidential information and should not be used to identify a research subject unless legally mandated.
*ITS shall be available to assist in identifying alternatives to use of Social Security Number.   
*ITS shall be available to assist in identifying alternatives to use of Social Security Number.   
*In the event that the Social Security Number of a research subject must be maintained, a form [http://www.unmc.edu/its/security/procedures/ssn-use.docx Request to Use Social Security Number] must be completed and submitted the Information Security Office who will facilitate approval from the Institutional Review Board. In cases where the research subject Social Security Number must be stored in a database, the database use must comply with [http://www.unmc.edu/its/security/procedures/database-security.html ITS Database Security Procedures].
*In the event that the Social Security Number of a research subject must be maintained, a form, [https://support.security.unmc.edu/exceptions/ssn Request to Use Social Security Number], must be completed and submitted the Information Security Office which will facilitate approval from the Institutional Review Board. In cases where the research subject Social Security Number must be stored in a database, the database use must comply with [https://info.unmc.edu/its-security/policies/procedures/database-security.html ITS Database Security Procedures].
===Other===
===Other===
*The Social Security Number of someone in a category not previously defined is considered confidential information and should not be used to identify an individual unless legally mandated.
*The Social Security Number of someone in a category not previously defined is considered confidential information and should not be used to identify an individual unless legally mandated.
*ITS shall be available to assist in identifying alternatives to use of Social Security Number.
*The information Security team shall be available to assist in identifying alternatives to use of Social Security Number.
*In the event that the Social Security Number must be maintained, an a form [http://www.unmc.edu/its/security/procedures/ssn-use.docx Request to Use Social Security Number] must be completed and submitted to the Information Security Office who will facilitate approval from the Senior Associate Vice Chancellor for Business and Finance for approval. In cases where the Social Security Number must be stored in a database, the database use must comply with [http://www.unmc.edu/its/security/procedures/database-security.html ITS Database Security Procedures].
*In the event that the Social Security Number must be maintained, a form, [https://support.security.unmc.edu/exceptions/ssn Request to Use Social Security Number], must be completed and submitted to the Information Security Office which will facilitate approval from the Senior Associate Vice Chancellor for Business and Finance for approval. In cases where the Social Security Number must be stored in a database, the database use must comply with [https://info.unmc.edu/its-security/policies/procedures/database-security.html ITS Database Security Procedures].
===Approval/Disapproval Process===
===Approval/Disapproval Process===
The Information Security Office will notify unit management and the requestor of the decision to approve/disapprove the request.  
The Information Security Office will notify unit management and the requestor of the decision to approve/disapprove the request.  


If the request to use Social Security number is approved, the Information Security Office will send the approval document to the unit management and requestor.
If the request to use the Social Security Number is approved, the Information Security Office will send the approval document to the unit management and requestor.


If the request to use Social Security number is disapproved and the requestor wishes to appeal the decision, the Vice Chancellor for Business and Finance will be asked to review the request and render a final decision.
If the request to use the Social Security Number is disapproved and the requestor wishes to appeal the decision, the Vice Chancellor for Business and Finance will be asked to review the request and render a final decision.
===Review of Electronic Data storage===
===Review of Electronic Data storage===
Periodically the Information Security Office will generate reports which will identify the storage locations of Social Security Numbers. These reports will be distributed to unit management for review. The intent of the report is to help unit management know where Social Security Numbers are used within their unit.
Periodically the Information Security Office will generate reports which will identify the storage locations of Social Security Numbers. These reports will be distributed to unit management for review. The intent of the report is to help unit management know where Social Security Numbers are used within their unit.
===Record Retention===
===Record Retention===
The Information Security Office will maintain the exception forms. The forms will be reviewed periodically to verify that the exception is still valid.  
The Information Security Office will maintain the exception forms. The forms will be reviewed periodically to verify that the exception is still valid.  
===Definitions===
===Definitions===
'''''Information Security''''' is the ability to control access and protect information from unauthorized alteration, destruction, loss or accidental or intentional disclosure to unauthorized persons.
'''Information Security'''
 
Policies and practices designed to control access and protect information from unauthorized access, alteration, destruction, loss or disclosure.
 
'''Workforce'''
 
Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.


'''''Workforce''''' means students, employees, the medical staff, volunteers, trainees, and other persons whose conduct, in the performance of work for UNMC is under the direct control of UNMC, whether or not they are paid by UNMC.
==Additional Information==
==Additional Information==
*UNMC Policy No. 6045, [[Privacy/Confidentiality Privacy, Confidentiality and Information Security]]
*Contact [mailto:lbazis@unmc.edu Chief Info Security Officer, IT Information Security], 402.559.2882
*UNMC Policy No. 6073, [[Transporting Protected Health Information]]).
*Compliance Hotline - 1-844-348-9584
*UNMC Policy No. 1098, [http://wiki.unmc.edu/Corrective/Disciplinary_Action Corrective and Disciplinary Action Policy]
*UNMC Policy No. 6045, [http://wiki.unmc.edu/index.php?title=Privacy/Confidentiality Privacy, Confidentiality and Security of Patient and Proprietary Information]
*[http://www.unmc.edu/its/security/procedures/database-security.html ITS Database Security Procedures]
*UNMC Policy No. 6051, [http://wiki.unmc.edu/index.php?title=Computer_Use/Electronic_Information Computer Use and Electronic Information Security]
*[http://www.unmc.edu/its/security/information-security-plan.pdf Information Security Plan]
*UNMC Policy No. 6073, [[Transporting Protected Health Information]]
*[http://www.unmc.edu/its/security/procedures/destruction-confinfo.html Destruction of Private and Confidential Information Procedures]
*UNMC Policy No. 1098, [http://wiki.unmc.edu/index.php?title=Corrective/Disciplinary_Action Corrective and Disciplinary Action]
*[http://info.unmc.edu/wiki/index.php/Faculty_Handbook UNMC Faculty Handbook: Operating Procedures]
*[https://support.security.unmc.edu/exceptions/ssn Request to Use Social Security Number] Form
* [http://www.unmc.edu/studentservices/_documents/handbook.pdf Student Handbook]
*[https://info.unmc.edu/its-security/policies/procedures/database-security.html ITS Database Security Procedures]
*[https://info.unmc.edu/its-security/policies/plan.html Information Security Plan]
*[https://info.unmc.edu/its-security/policies/procedures/destruction-confinfo.html Destruction of Private and Confidential Information Procedures]
*[http://info.unmc.edu/wiki/index.php/Faculty_Handbook Faculty Handbook]
*[https://catalog.unmc.edu/ Student Handbook]


This page maintained by [mailto:dpanowic@unmc.edu dkp].
This page maintained by [mailto:dpanowic@unmc.edu dkp].
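Review bot: The approver for the Other category is named inconsistently in the new text: the authorization list gives "Assistant Vice Chancellor for Business and Finance" (plus the added Chief Information Security Officer), while the ===Other=== bullet still routes the request to the "Senior Associate Vice Chancellor for Business and Finance", so a requestor cannot tell who signs. Align the two titles. Smaller wording points in the same hunk: "submitted the Information Security Office" in the Research bullet is missing "to", "The information Security team" needs a capital I, and the Employee and Other bullets end "facilitate approval ... for approval". The Student and Research sections still name ITS as the contact for alternatives while Employee and Other now name the Information Security team; confirm that split is intended.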

Latest revision as of 09:35, August 16, 2023


Policy No.: 6085
Effective Date: 09/22/15
Revised Date: 03/30/18

Use of Social Security Number Policy

Basis for Policy

UNMC has a responsibility to protect the identity of its faculty, staff and students, as well as all individuals with whom it has an association including alumni, donors, research subjects, potential students, and affiliates. Since an individual's Social Security Number (SSN) is one of the most critical data items used to establish an identity, UNMC needs to take extra precautions to safeguard SSNs from unauthorized use.

Scope of Policy

This policy governs the use of SSN within the UNMC campus. Use of SSN within information systems provided by University of Nebraska Central Administration shall follow the policies applicable to those systems.

Policy

UNMC shall not use Social Security Numbers to identify students, employees, research subjects, alumni, donors, potential students and affiliates outside of those uses specifically required by law, such as financial aid, payroll and benefit functions.

Social Security Numbers (SSNs), including any portion of the full nine digits, shall not be electronically collected, transmitted, or stored by members of the workforce unless specifically authorized in writing by authorized individuals as outlined in this policy. Individuals or departments that collect, transmit or store SSNs will take steps necessary to secure this data using best practices identified by the Information Security Office.

The following individuals are authorized to approve use of Social Security Numbers.

  • Employees - Assistant Vice Chancellor for Human Resources
  • Students - Assistant Vice Chancellor for Academic Affairs/Student Affairs
  • Research Subjects - Institutional Review Board
  • Other - Assistant Vice Chancellor for Business and Finance
  • Other - Chief Information Security Officer

General

  • UNMC is responsible for safeguarding and protecting Social Security Numbers against loss, tampering and disclosure. The safeguarding of confidential information in any form includes when the information is stored and/or being transferred outside the facility (see UNMC Policy No. 6073, Transporting Protected Health Information).
  • UNMC shall reasonably mitigate or reduce any harmful effects that may result from privacy breaches involving Social Security Numbers.
  • Workforce members who suspect a Social Security Number violation must report it immediately to their respective manager, the Privacy Office, or the Information Security Office. A full investigation of the suspected violation shall be conducted. Staff who wish to remain anonymous may report the suspected violation to the Compliance Hotline at 1-844-348-9584. Sanctions shall be imposed for substantiated breaches or failure to report suspected violations.
  • Sanctions for violations of privacy or information security policies may include scholastic or employee corrective action up to and including student dismissal or termination of employment. (See UNMC Policy No. 1098, Corrective and Disciplinary Action Policy).

Student Education Record Information

  • The Social Security Number of a student is considered confidential information and must not be used to identify a student.
  • Information Technology Services (ITS) shall be available to assist in identifying alternatives to the use of the Social Security Number. Alternatives that should be considered include, but are not limited to:
      • UNMC Student Number
  • In the event that the Social Security Number of a student must be maintained, a form, Request to Use Social Security Number, must be completed and submitted to the Information Security Office which will facilitate approval from the Assistant Vice Chancellor for Academic Affairs/Student Affairs. If Social Security Number must be used and stored in a database, the use of the student’s Social Security Number must comply with ITS Database Security Procedures.

Employee Information

  • The Social Security Number of an employee is considered confidential information and should not be used to identify an employee unless legally mandated.
  • The Information Security team shall be available to assist in identifying alternatives to the use of the Social Security Number. Alternatives that should be considered include, but are not limited to:
      • Personnel (SAP) Number
  • In the event that the Social Security Number of an employee must be maintained, a form, Request to Use Social Security Number, must be completed and submitted to the Information Security Office, which will facilitate approval from the Assistant Vice Chancellor for Human Resources. In cases where the employee Social Security Number must be stored in a database, the database must comply with ITS Database Security Procedures.

Research Information

  • The Social Security Number of a research subject is considered confidential information and should not be used to identify a research subject unless legally mandated.
  • ITS shall be available to assist in identifying alternatives to use of Social Security Number.
  • In the event that the Social Security Number of a research subject must be maintained, a form, Request to Use Social Security Number, must be completed and submitted to the Information Security Office, which will facilitate approval from the Institutional Review Board. In cases where the research subject Social Security Number must be stored in a database, the database use must comply with ITS Database Security Procedures.

Other

  • The Social Security Number of someone in a category not previously defined is considered confidential information and should not be used to identify an individual unless legally mandated.
  • The Information Security team shall be available to assist in identifying alternatives to the use of the Social Security Number.
  • In the event that the Social Security Number must be maintained, a form, Request to Use Social Security Number, must be completed and submitted to the Information Security Office, which will facilitate approval from the Senior Associate Vice Chancellor for Business and Finance. In cases where the Social Security Number must be stored in a database, the database use must comply with ITS Database Security Procedures.

Approval/Disapproval Process

The Information Security Office will notify unit management and the requestor of the decision to approve/disapprove the request.

If the request to use the Social Security Number is approved, the Information Security Office will send the approval document to the unit management and requestor.

If the request to use the Social Security Number is disapproved and the requestor wishes to appeal the decision, the Vice Chancellor for Business and Finance will be asked to review the request and render a final decision.

Review of Electronic Data Storage

Periodically the Information Security Office will generate reports which will identify the storage locations of Social Security Numbers. These reports will be distributed to unit management for review. The intent of the report is to help unit management know where Social Security Numbers are used within their unit.

Record Retention

The Information Security Office will maintain the exception forms. The forms will be reviewed periodically to verify that the exception is still valid.

Definitions

Information Security

Policies and practices designed to control access and protect information from unauthorized access, alteration, destruction, loss or disclosure.

Workforce

Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.

Additional Information

This page maintained by dkp.