Protecting the Confidentiality of Social Security Numbers

​​​​​​​The University of Texas System has implemented UT System Policy UTS165, “Inf​​ormation Resources Use and Security Policy”​ to protect the confidential nature of social security numbers. Below are links to UT Health San Antonio’s Handbook of Operating Policies (HOP) and other state and federal informational references. Also, below are links to “Notices” that must be provided to individuals that are required to provide their social security number to the institution.​​​​

• Handbook of Operating Procedures, Section 2.2.7, “Use of Social Security Numbers”
• Federal Statues and Regulations that Mandate or Authorize the Use of Social Security Numbers
• Texas Statues and Regulations that Mandate or Authorize the Use of Social Security Numbers

Additional Guidance

• Department Responsibilities for Protecting the Confidentiality of Social Security Numbers

Reporting Inappropriate Disclosure or Theft of Social Security Numbers

UT Health San Antonio requires all employees to report promptly inappropriate disclosure or theft of social security numbers (SSN) to their supervisor, who shall report the disclosure to the Chief Compliance and Privacy Officer.

Reporting by the employee may be anonymous, in accordance with the Institution’s compliance program, if the employee chooses. Retaliation against an employee who in good faith reports an inappropriate disclosure of SSN is prohibited. If the supervisor and Chief Compliance Officer determine that the SSN was inappropriately disclosed or stolen, and individuals have been put at risk of identity theft or other harm as a result of the disclosure, UT Health San Antonio shall take all reasonable steps to promptly notify the individuals affected.

Required Notices for Disclosure of Social Security Numbers

Except in those instances in which UT Health San Antonio is legally required to collect a Social Security Number (SSN), an individual shall not be required to provide his or her SSN, nor shall the individual be denied access to the services at issue if the individual refuses to disclose his or her SSN. An individual, however, may volunteer his or her SSN as an alternate means of locating a record or accessing services.

Questions about whether a particular use is required by law should be directed to the Institutional Compliance & Privacy Office, Jessica Saldivar, Chief Compliance and Privacy Officer, at 210-567-2014 or compliance@uthsca.edu​.

Each time UT Health San Antonio requests an individual disclose his or her SSN, UT Health San Antonio shall provide one of the notices below to the individual whether the disclosure is mandatory or voluntary. Future forms and reprints of existing stock of forms shall include the notice printed on the form.

• Notice for Request of Disclosure of Social Security Number
• Notice for Request of Social Security Number for Employment Purposes
• Notice for Request of Social Security Number for Student Application Process
• Notice for Voluntary Disclosure of Social Security Number

Approved Notices for Disclosure of Social Security Numbers

The following Notices for Disclosures that have been approved by the Institutional Compliance & Privacy Office and are to be used when disclosing social security numbers to third parties:

• Access to Institutional Review Board Electronic System
• Access to Items of Concern
• Access to Secure Location & Classified Information
• Accreditation Council for Graduate Medical Education (ACGME)
• American Association of Oral and Maxillofacial Surgeons (AAOMS)
• American Board of Internal Medicine
• American College of Radiology (ACR)
• American Dental Association
• BATF Explosive Material Authorization
• Behavioral Adherence of Emerging Adults with Type 2 Diabetes Study
• Clinical Rotations
• Credit Application-CareCredit
• Credentialing and Re-credentialing
• Office of Diversion Control with Drug Enforcement Administration (DEA)
• Department of Energy Operating Sites or Facilities
• Department of Justice Clearance
• Diabetes Prevention Program Outcomes Study (DPPOS)
• Faculty Temporary Permit
• Federal Background Checks
• International Services
• LookAhead.Action for Health in Diabetes Study
• National Commission on Certification of Physician Assistants (NCCPA)
• National Registry of Emergency Medical Technician (NREMT)
• Obstetrics & Gynecology Residency Reporting
• Orthopaedics-External Medical Databases
• Patient Billing and Collections
• Patient Billing and Collections – Spanish
• Radiation Exposure & Medical Events
• School of Medicine Residents
• School of Medicine Resident Rotators
• South Texas Family Aids Network
• Student Loan Payments
• Student Services-AAMC
• Texas Higher Education Coordinating Board
• Texas Medical Association
• University Health System – Issuance of Badge, Keys and or Parking Permits
• VAGES – Diabetes Study

Contractual Language for Agreements with Third Parties

Safeguarding of Social Security Numbers.

Contractor agrees that it may (1) create, (2) receive from or on behalf of University, or (3) have access to, records or record systems containing social security numbers (collectively, the “Records”). Contractor represents, warrants, and agrees that it will: (1) hold the Records in strict confidence and will not use or disclose the Records except as (a) permitted or required by this Agreement, (b) required by law, or (c) otherwise authorized by University in writing; (2) safeguard the Records according to commercially reasonable administrative, physical and technical standards that are no less rigorous than the standards by which Contractor protects its own confidential information; and (3) continually monitor its operations and take any action necessary to assure that the Records are safeguarded in accordance with the terms of this Agreement. At the request of University, Contractor agrees to provide University with a written summary of the procedures Contractor uses to safeguard the Records.

If an impermissible use or disclosure of any of the Records occurs, Contractor will provide written notice to University within one (1) business day after Contractor’s discovery of that use or disclosure. Contractor will promptly provide University with all information requested by University regarding the impermissible use or disclosure.

In addition to any other termination rights set forth in this Agreement and any other rights at law or equity, if University reasonably determines that Contractor has breached any of the restrictions or obligations set forth in this Section, University may immediately terminate this Agreement without notice or opportunity to cure. [Consider whether there should be additional remedial options.]

[OPTION: In the event of a breach or threatened breach of the restrictions and obligations set forth in this Section, Contractor agrees that University cannot be reasonably or adequately compensated in damages. Accordingly, Contractor acknowledges and agrees that a breach by Contractor of the provisions of this Section will cause University irreparable injury and damage. Contractor, therefore, expressly agrees that University will be entitled to injunctive and other equitable relief in any court of competent jurisdiction to prevent or otherwise restrain a breach of this Section.]

Contractor agrees that within thirty (30) days after the expiration or termination of this Agreement, for any reason, all Records created or received from or on behalf of University shall be (1) returned to University, with no copies retained by Contractor; or (2) if return is not feasible, destroyed. Thirty (30) days before destruction of any of the Records, Contractor will provide University with written notice of Contractor’s intent to destroy the Records. Contractor will confirm to University in writing the destruction of the Records.

If Contractor discloses any of the Records to a subcontractor or agent, Contractor will require the subcontractor or agent to comply with the same restrictions and obligations as are imposed on Contractor by this Section.

The restrictions and obligations under this Section will survive expiration or termination of this Agreement for any reason.

Provision Prepared by the UT System Office of General Counsel
September 30, 2004​

Contractual Language for New Computer Systems and Software Purchases

The following language should be placed in all Request for Proposals (RFP), contracts and purchase orders, for the acquisition and development of new computer systems or software in regards to social security numbers. The vendor of choice must adhere to these guidelines.

• The system must use the social security number only as a data element or alternate key to a database and not as a primary key to a database;
• The system must not display social security numbers visually (such as on monitors, printed forms, system outputs) unless required by law or permitted by this policy;
• Name and directory systems must be capable of being indexed or keyed on the unique identifier, once it is assigned, and not on the social security number; and
• For those databases that require social security numbers, the databases may automatically cross-reference between the social security number and other information through the use of conversion tables within a system or other technical mechanisms.

If you have any questions, please contact the Purchasing Office at 210-567-6030.