Operating Policy and Procedure
HSC OP: 52.08, Social Security Number Policy
PURPOSE: The purpose of this Health Sciences Center Operating Policy and Procedure (HSC OP) is to provide a framework for compliance with federal and state laws regarding the request for, use, disclosure, and maintenance of Social Security Numbers (SSNs). Texas Tech University Health Sciences Center (TTUHSC) is dedicated to maintaining the privacy and security of Social Security Numbers entrusted to it. This policy is intended to raise awareness of the sensitive nature of SSNs, and when feasible, minimize the use of, and access to, SSNs obtained by TTUHSC. This policy provides guidance on requesting, using, and/or disclosing SSNs in compliance with federal and state requirements.
REVIEW: This HSC OP will be reviewed on October 1 of each even-numbered year (ENY) by the Institutional Compliance and Risk Committee, with recommendations for revision forwarded to the Institutional Compliance Officer by December 15.
LEGAL BACKGROUND:
Federal and State Privacy Laws
Federal and state laws impose certain obligations on TTUHSC, a state agency, when
it requests, uses, discloses and/or maintains an individual’s Social Security Number.
Federal Privacy Act of 1974 (5 U.S.C. 552a). Subject to certain exceptions, a federal, state or local government agency is prohibited
from denying any right, benefit, or privilege provided by law to an individual who
refuses to disclose his or her SSN. An individual can be required to provide his or
her SSN if it is necessary to comply with a specific federal law or if it was required
for a federal, state or local agency system of records that was in existence and operating
before January 1, 1975, and disclosure of a SSN was lawfully required for verification
purposes.
See Attachment A, list of federal laws requiring the collection of an individual’s
SSN.
Upon requesting a SSN, the Federal Privacy Act of 1974 requires all government agencies (including state agencies) to provide a disclosure statement with the following information:
• whether disclosure of the SSN is voluntary or mandatory;
• the authority or legal statute requiring mandatory disclosure of the SSN;
• how the SSN will be used; and
• the consequences, if any, for failure to provide the SSN.
Texas State Law. (Texas Government Code §559.003). In addition to the Federal Privacy Act, when a SSN is collected by means of an electronic or printed form completed and filed by an individual, the notice as required by Section 559.003 of the Texas Government Code, must also be provided. The Texas state agency must provide a paper or electronic notice with the following information:
• with few exceptions, the individual is entitled upon request to be informed about
the information that is being collected about the individual;
• under Sections 552.021 and 552.023 of the Government Code, the individual is entitled
to receive and review the information; and
• under Section 559.004 of the Texas Government Code, the individual is entitled to
have the state governmental body correct information about the individual that is
incorrect.
See Attachment A, list of Texas State Laws requiring the collection of an individual’s
SSN.
POLICY/PROCEDURE:
General
When a SSN is required in order to provide services, TTUHSC shall provide written
notice to the individual as required by federal and state disclosure statement requirements
(see above). The notice will include the pertinent law(s) or statute(s) that require
disclosure of the SSN.
1. Request for, Collection, and Maintenance of Social Security Number.
a. TTUHSC shall request SSNs only as reasonably necessary for the proper administration of TTUHSC business.
b. Except where it is legally required in order for TTUHSC to provide services, individuals will not be required to provide their SSNs, verbally or in writing, at any point of service, nor will they be denied access to those services should they refuse to provide their SSNs.
c. In the case of student enrollment, admission and/or financial aid may be delayed or adversely affected due to a student or parent’s refusal to provide a required SSN.
d. As of April 2019, SSNs were removed from all Medicare cards by the Centers for Medicare and Medicaid Services (CMS) and replaced with a new randomly generated Medicare Beneficiary Identifier (MBI).
e. Employees should make sure that their Texas Employee Confidentiality Indicator for SSN is set to “N-Do Not Release Information” on the My Employment Information tab of the WebRaider portal. Click on the “Employee” tab on the WebRaider portal. Under “My Texas Tech Information” click on “Employee Dashboard (Personal, Employment, Pay Information, Earnings Statements)”. Go to “My Profile” under the employee name and then to “More Personal Information”, which is located on the left side of the page. Then click on “My Employment Information”, a tab located at the top of the page. Once the employees click on “Texas Employee Confidentiality Indicators”, they can confirm if all indicators are correctly noted.
2. Required Notice.
All TTUHSC generated forms and documents, whether printed or electronic, that request or collect SSNs will include the following language:
a. Student Enrollment Applications and Financial Aid Documents. Furnishing SSNs is voluntary and not required for enrollment at TTUHSC. However, TTUHSC is required by federal law to report to the Internal Revenue Service the names, addresses, and SSNs of persons from whom tuition and related expenses are received. Dependent students may be required to disclose a parent’s or guardian’s SSN for financial aid purposes. Failure to provide SSN information may delay or even prevent enrollment or financial aid. An applicant to TTUHSC may request the use of a placeholder identification number until enrollment. TTUHSC will not disclose an SSN for any purpose not required by law without the consent of the individual. The use and disclosure of SSNs by TTUHSC is regulated by the Family Educational Rights and Privacy Act (FERPA).
b. Employment Applications. TTUHSC is required by federal law to report income and SSNs for all employees who receive compensation from TTUHSC. Employee SSNs are maintained and used by TTUHSC for payroll, reporting, and benefit purposes and are reported to federal and state agencies as required by law. TTUHSC will not disclose an SSN for any purpose not required by law without the consent of the employee. TTUHSC will not use or disclose an SSN for any purpose not required by law without the consent of the individual. TTUHSC is an E-Verify employer.
c. Research Subjects Who Receive Payment – Informed Consent Document. Payment for participation in this research is considered taxable income. In order for research subjects to receive payment for research participation, TTUHSC must collect their names, addresses, and SSNs. If a research subject does not provide a taxpayer identification (i.e. SSN or ITIN), 30% of the amount being paid for research study participation will be automatically deducted from the payment and sent to the Internal Revenue Service (IRS). Payments to research subjects from TTUHSC totaling $600 or more in any calendar year will be reported to the IRS. For research subjects who are Medicare beneficiaries, information regarding research study participation, medical treatments received, Medicare claims, and other personal information will be provided to the Centers of Medicare and Medicaid Services, its agents and/or contractors.
d. Patients – Consent to Treatment. An SSN may be required for billing and health care coordination purposes when a third-party payer uses it as an identification number for coverage purposes. The use and disclosure of a patient’s SSN is regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A patient’s SSN will not be used or disclosed without the patient’s consent, except as allowed by law for treatment, payment and health care operations. Patients may be required to pay for health care services before receiving the services if they fail or refuse to provide their SSNs or third-party payer identification/policy numbers when such information is necessary to bill a third-party payor.
e. Provider Credentialing Forms. A provider’s SSN is required to verify information, including license status, background checks, and for other purposes related to the credentialing process. Providers who refuse to provide their SSNs will not be credentialed to provide professional services.
Any other area within TTUHSC that requests an SSN from an individual (for example, the Purchasing Department), shall give notice of the law requiring disclosure of a SSN.
3. TTUHSC Use of Social Security Number (SSN) Information.
A person’s SSN shall only be used or disclosed when required or authorized by federal or state law. Each student and employee will be assigned a unique, random number to use in place of their SSN as the primary means of identification within the TTUHSC system. This identifying number may be linked to an individual’s SSN as long as the SSN remains in a protected and nondisclosed state. Grades will not be posted or displayed by SSN. Class lists, rosters, student identification cards, and other reports will not display an individual’s SSN or Texas Tech University System (TTUS) ID number.
TTUHSC patients shall be given a unique medical record number, which shall be used unless a SSN is necessary for treatment, payment or health care operations. Researchers seeking access to a TTUHSC patient’s SSN must have either a written HIPAA Authorization or obtain a Waiver of Written HIPAA Authorization from the TTUHSC Institutional Review Board/Privacy Board.
a. Disclosure.
An individual’s SSN will only be released by TTUHSC to outside entities under the following circumstances:
• as required or allowable by federal or state law or regulation;
• when written permission is given by the individual;
• when the entity is acting as TTUHSC’s contractor or agent and security measures are
in place to prevent unauthorized disclosure to third parties; or
• after consultation with the TTUS Office of General Counsel.
b. Maintenance.
TTUHSC is responsible for protecting the confidentiality of data and information that may relate to students, patients, employees, and others served by TTUHSC. SSNs will be stored securely as a confidential attribute of an individual, both on paper and electronically. Access to this information by TTUHSC employees will be required by job function and business necessity. Employees with access to SSNs will be required to sign a confidentiality statement which will be maintained by Human Resources in the employee’s file. SSNs will be electronically transmitted outside the University only through secure electronic mechanisms. Logical and physical security controls shall be implemented to maintain the confidentiality of SSNs stored by TTUHSC in either paper or electronic format.
4. Right to Change. TTUHSC reserves the right to interpret, change, modify, amend or rescind this policy in whole or in part at any time.
Attachment A - List of State and Federal laws requiring collection of SSN