Protecting the Confidentiality of Social Security Numbers Business Procedures Memorandum 66 Revised November 1, 2006 The University of Texas System.

2 Purpose
The purpose of this training is to:
- Provide general information, as required by BPM 66, about the confidentiality of social security numbers (SSNs) and the provisions of Business Procedures Memorandum 66 (BPM 66), and
- Highlight concerns regarding the use and protection of SSNs in light of recent events.

3 Learning Objectives
- Key requirements of BPM 66
- Actions you must take to comply with BPM 66
- What this all means to you in your daily work
- Review provisions of the Security Plan for Safeguarding SSNs
- Introduce resources to go to for more information

4 Key Requirements of BPM 66
- Increase awareness of the confidential nature of SSNs.
- Reduce reliance on SSNs for identification purposes.
- Establish a consistent approach toward SSNs throughout UT System.
- Ensure that SSNs are handled in a confidential manner.

5 Why all the concern?
- Numerous federal and state laws govern disclosure and use of SSNs. Key provisions of the laws are summarized on the SSN web site.
- Increased reliance on the Internet and computers has greatly increased the risk of identity theft involving SSNs.
- Recent increases in stolen computer equipment, computer hacking, and scams, all involving personal data that include SSNs.
- Media scrutiny of governmental agencies and public demands for assurance that safeguards are in place.

6 Here’s why… Identity Theft Concerns - Data Breaches in 2006
- University of Washington
- Veterans’ Affairs
- Federal Aviation Administration
- City of San Diego
- University of Northern Iowa
- State of Rhode Island Department of Transportation
- University of Texas at Austin
- U.S. Department of Education
- State of Georgia
- Georgetown University
- Ohio University
- Texas Guaranteed Student Loan
- University of Minnesota

7 Here’s why…
“Possession of someone else's Social Security Number is key to laying the groundwork to take over someone's identity and obtain a driver's license, loans, credit cards, cars, and merchandise. It is also key to taking over an individual's existing account and wiring money from the account, charging expenses to an existing credit line, writing checks on the account or simply withdrawing money.”
Testimony of Grant D. Ashley, Assistant Director, Criminal Investigation Division, FBI, before the House Ways and Means Committee, Subcommittee on Social Security, September 19, 2002

8 What does BPM 66 require?
BPM 66 contains procedures to:
- reduce the use and collection of SSNs,
- inform individuals when SSNs are collected,
- reduce the public display of SSNs,
- control access to SSNs,
- protect SSNs, and
- establish accountability.

9 What must I do to comply?
- Except when a UT institution is legally required to collect an SSN, an individual cannot be required to disclose his or her SSN or be denied service for refusing to disclose the SSN.
- The notice required by the Federal Privacy Act must be given each time a UT institution requests disclosure of an SSN, except when the institution is already in possession of an individual’s SSN and requests it for identification purposes (amendment to BPM 66, Section 3.1.3, approved January 2006).

10 What must I do to comply?
- Samples of approved notices are in Appendix 3 to the BPM. The SSN Coordinator can also assist you in preparing a notice for your particular needs.
- In addition to the Federal Privacy Act notice, State law requires an additional notice whenever we collect SSNs or other personal information by means of a paper or an electronic form. Your supervisor or the SSN Coordinator can help with formulating this notice, too.

11 What must I do to comply?
- SSNs are not to be displayed on documents, computer screens, PDAs, etc., that can be seen by the general public (e.g., time cards, rosters, etc.) unless required by law.
- Mailed materials containing SSNs should be designed so that SSNs do not show in the envelope window.
- SSNs are not to be sent over the Internet or via e-mail unless encrypted or otherwise secured.

12 What must I do to comply?
- Limit access to records containing SSNs to those employees who need access for the performance of job duties.
- Records with SSNs should not be stored on computers or other electronic devices that are not secured against unauthorized access.
- SSNs should be shared only with authorized third parties. A written confidentiality agreement should be used that requires the third party to use adequate safeguards to protect records containing SSNs.

13 What must I do to comply?
- Records and media (disks, hard drives, etc.) containing SSNs must be discarded in a way that protects the confidentiality of the SSN. For example, paper records should be shredded and hard drives should be reformatted.
- All new systems must comply with the standards contained in § of BPM 66 (SSNs may not be the primary key to a database; SSNs are not to be displayed). Before acquiring or developing new systems, contact your Information Technology Department and the SSN Coordinator.

14 What must I do to comply?
- Each employee must comply with the Rules of Conduct that implement BPM 66. Failure to do so may result in disciplinary action, including discharge or dismissal.
- Each employee must promptly report inappropriate or suspected disclosures of SSNs to his or her supervisor, who is to report such disclosures to the SSN Coordinator.
- If you have any questions about whether a specific use of SSNs is necessary or appropriate, ask the SSN Coordinator.

15 Beginning on September 1, 2007
- The use of the SSN as a primary identifier must be discontinued unless required or permitted by law.
- A unique identifier must be assigned to each individual.
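The system standards in slides 13 and 15 (no SSN as a database primary key, SSN not displayed, an assigned unique identifier per individual, access limited to job-related roles, and no denial of service to someone who declines to disclose) can be expressed directly in a schema and its access functions. The following is an added illustration, not code from BPM 66 or the UT System; the table names, the `AUTHORIZED_ROLES` set and the sample names and SSN are assumptions constructed for the example.

```python
import re
import sqlite3
import uuid
from typing import Optional

# Roles whose job duties require SSN access (assumed set, for illustration only).
AUTHORIZED_ROLES = {"payroll", "financial_aid"}

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def open_registry() -> sqlite3.Connection:
    """In-memory schema in which the SSN is never a primary key."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE person (
            person_id TEXT PRIMARY KEY,   -- institution-assigned unique identifier
            name      TEXT NOT NULL
        );
        -- SSNs are held apart from the general record and are optional, so a
        -- person who declines to disclose one can still be enrolled and served.
        CREATE TABLE person_ssn (
            person_id TEXT PRIMARY KEY REFERENCES person(person_id),
            ssn       TEXT NOT NULL UNIQUE
        );
    """)
    return con


def enroll(con: sqlite3.Connection, name: str, ssn: Optional[str] = None) -> str:
    """Register a person and return the assigned identifier (never the SSN)."""
    person_id = uuid.uuid4().hex
    con.execute("INSERT INTO person VALUES (?, ?)", (person_id, name))
    if ssn is not None:
        if not SSN_RE.match(ssn):
            raise ValueError("SSN must be in NNN-NN-NNNN form")
        con.execute("INSERT INTO person_ssn VALUES (?, ?)", (person_id, ssn))
    return person_id


def roster(con: sqlite3.Connection) -> list:
    """Public-facing roster: keyed on person_id and carrying no SSN column."""
    return con.execute("SELECT person_id, name FROM person ORDER BY name").fetchall()


def ssn_for(con: sqlite3.Connection, person_id: str, role: str) -> Optional[str]:
    """Release the full SSN only to a role whose duties require it."""
    if role not in AUTHORIZED_ROLES:
        raise PermissionError(f"role {role!r} is not authorized to read SSNs")
    row = con.execute("SELECT ssn FROM person_ssn WHERE person_id = ?", (person_id,)).fetchone()
    return row[0] if row else None


def masked_ssn(con: sqlite3.Connection, person_id: str, role: str) -> Optional[str]:
    """Screen/report form: never show more than the last four digits."""
    ssn = ssn_for(con, person_id, role)
    return None if ssn is None else "***-**-" + ssn[-4:]
```

Everything outside payroll and financial aid works from `person_id` alone; the roster query cannot leak an SSN because the column is not in the table it reads.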

16 What does all of this mean to you in your daily work?
- If you need access to SSNs to do your job, you will have that access.
- If you use SSNs in your work, ask yourself: “Why do I need the SSN?”

17 What does all of this mean to you in your daily work?
- If you request that an individual disclose his or her SSN, remember that you must provide the Federal Privacy Act notice. You must give that notice regardless of whether you are assisting someone in person or over the phone or whether the person is completing a paper or electronic form.
- NOTE: A subsequent request for production of a social security number for identification purposes does not require the provision of another notice.

18 What does all of this mean to you in your daily work?
- If an individual refuses to give you his or her SSN, remember that you cannot refuse to provide the requested services unless the SSN is required by law.
- Protect SSNs on paper documents and computer systems. Take care to be sure that such records are properly secured and/or discarded.
- Be sure to report non-compliance to your supervisor or the SSN Coordinator immediately.

19 What does all of this mean to you in your daily work?
Follow these rules:
- Do not request an SSN unless it is necessary and relevant to your job duties.
- Do not disclose SSNs to unauthorized persons or entities.
- Do not use another person’s SSN to your own personal advantage.
- Observe all administrative, physical, and technical safeguards.

20 Security Plan for Safeguarding SSNs
The Institutional Security Plan for Safeguarding Social Security Numbers was established and implemented pursuant to § of BPM 66. The Security Plan is intended to provide guidance to all employees to protect against reasonably anticipated threats to the security and integrity of SSNs and against anticipated uses or disclosures that are not required or permitted by law.

21 Security Plan for Safeguarding SSNs
The safeguards in the Security Plan refer to the UT institution’s policies and procedures currently in place to comply with federal and state regulations governing the protection of sensitive and confidential information in electronic form.

22 Security Plan Provisions
Each institutional office shall control its employees’ access to SSNs by:
- Limiting access to records containing SSNs to those employees who need access to such information for the performance of their job responsibilities; and
- Working with the Human Resources Department and the Information Technology Department to make sure access to records containing SSNs is terminated when employment ends or when an employee’s responsibilities no longer require access to SSNs.

23 Security Plan Provisions
Safeguards for any SSNs stored in a business information system include:
- Restrictions on access to workstations and portable devices containing SSNs to authorized employees; and
- SSNs displayed on computer monitors or other forms of output shall not be visible or accessible to individuals who are not authorized to view SSNs.

24 Security Plan Provisions
For any SSNs contained in paper documents, the following requirements must be met:
- Printers and fax machines shall be located in secured locations so unauthorized individuals cannot readily access or read the SSNs; and
- Paper records containing SSNs shall not be discarded in trash bins or recycle bins, but shall be shredded or placed in a secure bin for disposal.

25 Relevant Laws
A summary of the key provisions of some of the relevant laws appears on the SSN web site. More detailed information about these laws and other privacy laws will be provided at the departmental level as needed for the employee’s job duties.

26 How can you find out more?
- Review BPM 66
- Read the related Rules of Conduct
- Read the Security Plan for Safeguarding Social Security Numbers
- Review the relevant laws governing SSN confidentiality
- Ask your supervisor
- Contact the SSN Coordinator

Thank you for completing this training. The University of Texas System