Social Security

Service to Epidemiological Researchers to Provide Vital Status Data on Subjects of Health Research

OMB No. 0960-0701

Summary

Section 311 of the Social Security Independence and Program Improvements Act of 1994 directed the Social Security Administration (SSA) to provide support to health researchers involved in epidemiological research. Specifically, when a study is determined to contribute to a national health interest, SSA will furnish information regarding whether a study subject is shown on the SSA administrative records as being alive or deceased (vital status). SSA will recoup all expenses incurred in providing this information.

Contacts

This service is available as of this date by contacting the Office of Research, Evaluation, and Statistics (ORES):

Social Security Administration
Office of Research, Evaluation, and Statistics
4-C-15 Operations Building
6401 Security Boulevard
Baltimore, MD 21235-6401
Fax: 410-966-4071

In addition, further information about this service is available from the ORES Epidemiological Coordinator at the above contact points, by e-mail at ORES.Epidemiological.Requests@ssa.gov, or by telephone at 410-966-4868.

If you mail your request for this service via overnight express mail, please change the building location in the above address to:

Room 4700 Meadows East Building

Supplementary Information

Background

Historically, SSA had made disclosures of vital status data under the provisions of the Freedom of Information Act (FOIA, 5 U.S.C. 552(a)(3)). However, as a result of the Supreme Court decision in United States Department of Justice v. Reporters Committee for Freedom of the Press 489 U.S. 749 (1989), SSA discontinued the process of providing such data. The enactment of section 311 of the Social Security Independence and Program Improvements Act of 1994 restored the legal authority for SSA to release vital status data except for death data obtained from a state under the auspices of section 205(r) of the Social Security Act. A companion change to the Internal Revenue Code (26 U.S.C. § 6103) permits SSA to release "presumption of living" data based on reports of earnings obtained from the IRS. Accordingly, when the research in question has been determined to contribute to a national health interest, SSA will furnish vital status data on study subjects. The researcher must submit the study subject's Social Security number, full name (first, last, and middle name), date of birth (month, day, century, and year), and sex. SSA, in turn, will furnish one of the following vital status determinations for each study subject:

• Death information (the date of death and state where a claim was filed, or the state of residence at the time of death) if available;
• Presumption that the individual is living (there is sufficient information in SSA administrative records to support this determination);
• Status unknown (SSA has no record of death, nor sufficient information within the SSA administrative records to support a determination that the subject is alive);
• Social Security number (SSN) verification failed (the SSN and name furnished to SSA did not match or the date of birth furnished for an SSN/name did not match the information in the SSA administrative records); or
• The SSN was impossible or had never been issued.

Privacy Act Statement for Epidemiological Research Requests

The information requested by this application is authorized by the Privacy Act of 1974 (5 U.S.C. 552a), section 1106 of the Social Security Act (42 U.S.C. 1306), and regulations under title 20 C.F.R. 401.165. SSA will use the information you provide to document your request for vital status data, to evaluate whether you meet the criteria required for receipt of the data, and to bill you for the required payments. Information requested in this format is voluntary. However, if you do not provide the required information, we will be unable to process your request. While the information you furnish in this format would almost never be used for any purpose other than processing your request for epidemiological vital status data, such information may be disclosed by SSA to facilitate statistical research and audit activities necessary to ensure the integrity and improvement of programs administered by SSA.

Paperwork Reduction Act (PRA) Statement and OMB Control Number

This information collection meets the requirements of 44 U.S.C. 3507, as amended by section 2 of the Paperwork Reduction Act of 1995. You do not need to answer these questions unless we display a valid Office of Management and Budget control number. We estimate that it will take about 120 minutes to read the instructions, gather the facts, and answer the questions. You may send comments on our time estimate above to:

SSA
Room 1338 Annex Building
Baltimore, MD 21235-0001

Application Process

For each request for services, you must cover the following specific areas in separately numbered paragraphs:

1. Project or study title.
2. Applicant name, full address, phone number, fax number, and e-mail address.
3. Contact individual name (if different than applicant), full address, phone number, fax number, and e-mail address.
4. Project coordinator name, full address, phone number, fax number, and e-mail address.
5. 1. Name of sponsoring organization or institution supporting the research.
   2. Name (and title, if available) of specific person who will sign the agreement and reimburse SSA for expenses incurred in supplying data.
   3. Employer identification number (Social Security number if not a business).
6. Data custodian's name, full address, phone number, fax number, and e-mail address.
7. Attach a one-page summary of the study protocol of the project activities. Include specific purposes(s) of the research to be undertaken and the outcomes expected.
8. Estimated number of records you will submit. To protect data from theft or modification, SSA recommends that requestors encrypt all input files prior to submission. Submitting unencrypted data to SSA is not recommended and is done at the requestor's own risk.
9. Fully explain how the data provided by SSA will be used. Specify whether the data will be used only to determine the subjects' vital status or whether it will also be used to obtain death certificates to determine the causes of death or to obtain additional information from next-of-kin, physicians, or hospitals.
10. Provide the final disposition of SSA data to include the location of files and full disclosure of who will have access to the identifying data on the "presumed living" and for how long. In addition to the staff of the requesting organization, list any "other party" that will receive (or have contractual or other rights to) any identifying vital status information provided by SSA on the "presumed living." Note that all organizations that will receive identifying information on the "presumed living" must become a party to the agreement. All individuals accessing such data must sign a confidentiality agreement.
11. If applicable, fully explain how the applicant plans to publish or release the research results, including whether any supporting documentation will be made available in identifiable form on the "presumed living."
12. Provide a data protection plan describing how you will ensure the confidentiality of the vital status data supplied by SSA on the "presumed living."
13. Include a statement that the above applicant fully understands that the vital status data obtained from SSA on the "presumed living" will only be used for the purposes described in this request and will not be used for administrative or legal purposes.
14. Include a statement that the applicant hereby agrees to ensure the confidentiality of the vital statistics supplied by SSA on the "presumed living" as described in the data protection plan (item 12).
15. Applicant's signature.

NOTE: If the applicant indicates that other organizations or individuals will receive identifying SSA vital status data on the "presumed living," that organization must also be a party (signatory) to the applicant's memorandum or must submit a separate supporting memorandum. In this supporting documentation, each third party must indicate (1) their role in the study and the activities they will perform, (2) a data protection plan describing how they will store the identifying data on the "presumed living" and maintain the confidentiality of such data, and (3) how and when the identifying data on the "presumed living" will be destroyed.

An evaluation team comprising staff members from SSA's Office of Research, Evaluation, and Statistics and the National Center for Health Statistics (NCHS) will review each application for services. The team will not attempt to determine the scientific merit of the study. It is understood that the merit of the study has been (or will be) determined by the sponsoring agency and/or the organization performing the study. The team's purpose will be to reach a consensus that the results of the study could be expected to advance the public's knowledge in a health area of importance to a segment of the United States population.

If such a determination is made and the Associate Commissioner for Research, Evaluation, and Statistics concurs, the applicant will be notified, in writing, of the methods that may be used to submit data on study subjects, the exact format to be used in submitting this data, and the cost for developing and transmitting the vital status data from SSA records. The applicant will be required to sign a memorandum of understanding that will delineate his or her responsibilities in the use of the requested vital status data. The applicant will also be required to sign a contractual agreement to facilitate payment for the service.

The Social Security Administration will recoup all costs (computer program development costs and ongoing processing costs) associated with this service. The service is currently available (for fiscal year 2008) at a cost of $0.21175 per record (data supplied to identify one study subject) up to 25,000 records. Additional records will be processed at a cost of $0.03905 per record. These rates are subject to change to reflect actual costs in subsequent years. Form SSA-1235-U5 "Agreement Covering Reimbursable Services" will be signed by the applicant and an appropriate SSA representative to formalize the payment process. Nonfederal requesters are required to provide an advance payment of 100 percent of the SSA costs for this service.

Criteria Used to Approve Requests

The SSA/NCHS team will use the following criteria in formulating their recommendations for the Associate Commissioner for Research, Evaluation, and Statistics:

• Use of Data for Statistical Purposes. The request for services should clearly state that the vital status data supplied will be used to support statistical calculations and/or study findings. Furthermore, the request must indicate those situations in which the death data furnished will be used to identify state death records. A request will be disapproved if it proposes to use the vital status data or state death data obtained from the vital status data for administrative, law enforcement, or other nonstatistical purposes. The team can suggest that the applicant be given the opportunity to revise the application to eliminate any nonstatistical uses of the vital status data.

• Disease Registries. Requests from individuals and or groups working with disease registries will be accepted. By "disease registry" is meant a roster of persons diagnosed and/or treated for a particular disease and maintained for the purpose of morbidity and/or mortality surveillance without any specific hypotheses to be examined. Registries usually employ a standardized methodology, are subject to informal and sometimes formal controls, and may rely on other methods for follow-up of a majority of the roster. Such registries deserve special considerations. Applicants who propose to submit a roster of names deriving from such a registry should specify the date the registry was founded, the purposes of the registry, the eligibility criteria for including persons in the registry, the provisions for internal and external approval of the registry's quality and methods (including human subject considerations), and the dates of the last documented internal and/or external reviews.

  SSA will generally approve these submissions provided the requests give adequate documentation of the registries' activities.

  Furthermore, registries will not be required to submit separate applications for each study. Multiple uses of SSA vital status data are permitted provided that (1) each study is solely for statistical purposes in medical and health research, (2) adequate assurances are given that the confidentiality of the identifying vital status data on the "presumed living" will be maintained, and (3) vital status data on the "presumed living" will be kept separate from any administrative records.

• Mortality Follow-up on Non-Disease Cohorts. Most applicants are required to submit separate requests for specific studies. However, some organizations conduct mortality surveillance studies on "non-disease" cohorts such as industrial workers, population samples, and members of particular families, and the vital status data on those individuals may be used for multiple epidemiological studies. Such organizations, in essence, are maintaining exposure or other non-disease "registries" that facilitate epidemiological studies of groups with particular experiences. Such organizations will not be required to submit separate applications to SSA for each study, although they will be required to describe expected protocols and give specific, current, or future examples.

  Multiple uses of vital status data obtained from SSA on the "presumed living" are permitted provided that (1) each study is solely for statistical purposes in medical or health research, (2) adequate assurances are given that the confidentiality of the identifying vital status data on the "presumed living" will be maintained, and (3) vital status data on the "presumed living" will be kept separate from any administrative records.

• Use of Data by a Third Party. If the applicant indicates that another organization will receive identifying SSA vital status data on the "presumed living," that organization must be a party to the original submittal or submit a supporting memorandum. In this supporting documentation the third party must indicate (1) their role in the study and the activities they will perform, (2) a data protection plan describing how they will store data and maintain the confidentiality of data on the "presumed living," and (3) how and when data on the "presumed living" will be destroyed.

• Final Disposition of Data. The applicant must indicate if, how, and when identifiable data on the "presumed living" furnished in support of a request will be destroyed. If there is no indication that the identifiable data on the "presumed living" will be destroyed, the individual requesting the vital status data must explain, in some detail, why the data need to be maintained.

Repeated Use of the Service

Once an applicant is approved to obtain vital status data for a specific study or project, the approval is valid for 2 years as long as there are no major changes in the project. Additional records may be submitted under the approved contract for services. If, however, the project specifications change, the applicant must submit a new request for services. The following is a list of possible occurrences that would require the submission of a new request for services:

• The project will be supported by a new organization;
• A new organization will be receiving vital status data;
• Confidentiality provisions on the "presumed living" have changed;
• Provisions for disposing of data on the "presumed living" obtained from this request have changed;
• Vital status data on the "presumed living" will be used for legal, administrative, or other actions that could directly affect particular living individuals or establishments; or
• Changes have been made in the project's research objectives.

Guidance for Preparing an SSA Data Protection Plan

Introduction

As a potential user of SSA sensitive data, you must submit an SSA Data Protection Plan for each facility (site) where SSA sensitive data is maintained to the Office of Research, Evaluation, and Statistics (ORES) for approval. You must specify in your SSA Data Protection Plan(s) how you will keep SSA data secure and confidential on a variety of media, including magnetic tapes, hard disks and other fixed magneto-optical media; compact disks, diskettes, and other removable magneto-optical media; and paper. Use the following Guidance for Preparing an SSA Data Protection Plan to write your SSA Data Protection Plan. Describe in detail each provision listed (use additional paper (8½ x 11) if needed).

The safeguards shall provide a level and scope of security that is not less than the level and scope of security established by the Office of Management and Budget (OMB) in OMB Circular No. A-130, Appendix III—Security of Federal Automated Information Systems which sets forth guidelines for security plans for automated information systems in Federal agencies.

SSA Sensitive Data

SSA sensitive data includes any data from SSA's administrative records that might compromise the anonymity or privacy of individuals. It also includes any variables or fields derived from our administrative records, including linked or matched variables. The major sources of SSA administrative data are, but are not limited to, the following systems of records:

Master Beneficiary Record (MBR)

Payment file from which Social Security checks are paid. The MBR contains information on Title II beneficiaries, such as payment status, type and amount;

Supplemental Security Record (SSR)

Payment file from which Social Security Income (SSI) checks are paid. The SSR contains information on Title XVI beneficiaries, such as payment status, type and amount;

831 Disability File

This file contains medical determinations made by the Disability Determination Services (DDS) for Social Security and SSI claims;

Completed Determination Record (also known as the Disability Control File or DCF)

This file contains information on allowed disability claimants (both Title II and Title XVI) on which a continuing disability review has occurred and a decision of continuance or cessation has been approved;

NUMIDENT

Master file of assigned Social Security Numbers (SSNs). This file contains identifying information given by the applicant for an SSN and most of the vital status data that SSA provides health researchers through its epidemiological service, including state of residence and date of death; and

Master Earnings File (MEF)

This file contains workers' earnings records and information on the individual's entire work experience.

Your SSA Data Protection Plan must include:

1. Security/Physical Safeguards of the Computing Environment.

SSA requires that you use a self-contained Local Area Network (LAN) or a stand-alone computer(s) because of the potential security problems that can occur in timesharing mainframes or LANs. If you do use a timesharing platform, be very specific in describing the security and safeguards that you will use to protect our data.

Provide a detailed description of the security/physical safeguards of the computing environment in which you will be managing and analyzing the data. For each item of the computing equipment you will be using (CPU, tape drives, printers, etc.), describe:

1. Where they are located;
2. Who has physical access to them;
3. The security provisions that restrict access to only authorized users of the data on the system(s) you will be using, such as locked doors, locks on equipment, passwords, encryption, etc.;
4. The routine procedures for making backup copies of data files on tape or disk;
5. The system as a whole as well as your terminal;
6. The access system administrators have to files and passwords [For shared file systems only];
7. The audit trails which you maintain to identify users, authenticate users, and trace users' actions on your system. This enables you to maintain individual accountability of all data users.

2. Restricted Access—Fixed Storage Media

Provide a detailed description of how you will restrict access (e.g., password protection) to hard disk or other electromagnetic, optical or similar fixed storage device files containing the data. Indicate the kind of storage data you will be using and describe:

1. Where the storage devices to be used are physically located;
2. How you will restrict physical access to only authorized persons;
3. How you will restrict access to the contents of hard disk and similar storage device files to only authorized persons, such as through a system of encryption and/or passwords;
4. How you will restrict access to files to which only authorized users have "read" and "write" permission;
5. How you will prevent routine system backups of hard disk and similar storage device files, regardless of type of backup medium;
6. How you will prevent access to files by system administrators [For shared file systems only];
7. Clearly in your Plan that no more than one backup copy will be made of any hard disk or similar storage device file containing the data;
8. When (on or before the date on which your authorized access to the data expires) and how all such copies will be destroyed.

3. Restricted Access—Removable Storage Media

Provide a detailed description of how you will restrict access to compact disks, diskettes, and other removable electromagnetic or optical storage media files. We strongly recommend against the use of removable media for data storage. If used, describe:

1. How you will use removable media data storage;
2. Where the removable media to be used will be physically located;
3. How physical access to them is to be restricted to only authorized persons, including provisions for storage in locked cabinets when not in use;
4. Which mechanisms will be used to ensure that only authorized persons will be able to mount and read removable media; and
5. Which mechanisms (e.g., computing systems that require the use of keywords or labels known only to the owner of the removable medium, to mount the medium) will be used to ensure that only authorized persons will be able to mount and read removable media handled by a central system [For shared file systems only].

4. Printed Output

Provide a detailed description of how you will restrict access to paper printouts containing SSA data. SSA strongly recommends against the creation of any paper printouts of its data. If used, describe:

1. The uses that will be made of such printouts;
2. The reasons why no other media can be used for the same purpose;
3. The means by which you will ensure that such printouts are handled by authorized persons only;
4. How they will be kept in locked storage, accessible only to authorized persons when not in use;
5. How they will be kept from the vision and reach of unauthorized persons when they are in use; and
6. How they will be destroyed (e.g., made unreadable through burning or shredding) after completing any analysis.

5. Derivations of SSA Data

Provide a clear and detailed statement that you will treat all derived SSA data in the same manner as the original SSA data, and that you understand that derived SSA data includes, but is not limited to:

• Subsets of cases or variables from the original data;
• Numerical or other transformations of one or more variables from the original data, including sums, means, logarithms, or products of formulas; or
• Variables linked to another dataset using variables from the original data as linkage variables.

NOTE: Aggregated statistical summaries and analyses of the original data, such as tables and regression formulas, are not "derived variables" and, unless otherwise specified in the MOA, are not subject to the requirements of your plan.

6. Linkages to Other Data

Provide a clear and detailed statement that you will not link any other data to the original data specified in the MOA. Your statement must also include recognition that you will not link the original data or derived dataset(s) to any other SSA dataset(s) without our explicit written permission.

7. Training for Individuals Who Will Have Access to Confidential Data

All individuals who will have access to SSA data in identifiable form must understand the security and safeguard provisions required to assure the confidentiality of SSA data. Explain how you will train these individuals so they are familiar with the safeguarding provisions in your data protection plan. In addition, they will be required to sign a Confidentiality Statement.

Explanatory Notes

Authorized Persons

Authorized persons include the Custodian(s), the Principal Investigator(s), and any other persons or data users designated in the Memorandum of Agreement (MOA) and support documentation.

SSA Sensitive Data

SSA sensitive data contains identifiable personal information and information meant to be kept confidential as covered under SSA Regulation No. 1, the Privacy Act of 1974, the Tax Reform Act of 1976, and Section 1106 of the Social Security Act of 1974.

Title II

Provision of the Social Security Act. Title II is an insurance program. It was enacted in 1935 to provide old age, survivor, and disability benefits to insured individuals irrespective of financial need. [See 42 U.S.C. Sections 403, 423 (1982 ed. and Supp. III).]

Title XVI

Provision of the Social Security Act. Title XVI is a welfare program. It was enacted in 1972 to provide Social Security Income (SSI) benefits to financially needy individuals who are aged, blind, or disabled regardless of their insured status. [See 42 U.S.C. Sections 1382(a) (1982 ed. and Supp. III).]

Encrypted SSA Data

Where encryption is needed, encrypt SSA data using the Digital Encryption Standard, the only data encryption standard approved by the National Institute of Standards and Technology (NIST) for use by Federal agencies at this time.

Faxing Data to SSA

We prefer that you not fax data to SSA. However, if you do fax data to SSA data, documents must be properly labeled, the fax telephone number must be verified, and an authorized person must be at the fax machine prior to sending the document.

E-mailing Data to SSA

We prefer that you not e-mail data to SSA. However, if you do e-mail data to SSA, it must be encrypted as an attachment to the mail message and sent to an authorized person only.

Protected Communications

We prefer that you electronically transmit data to SSA over external networks or dedicated lines that is encrypted and an authorized person must be at the receiving end prior to the transmission.

Acceptable Delivery of Data to SSA

We prefer that you deliver data to SSA only to authorized personnel and by delivery services that provide tracing services such as certified mail, priority mail or Federal Express. We recommend that all packages be properly sealed, labeled and reinforced, and enclosed with a list of the contents being sent.

Destruction of SSA Data

All SSA data not returned must be destroyed by the end of the project date as described in the MOA. SSA data can be destroyed by burning or shredding. If the data are burned, use EPA-approved public incinerators to burn it and examine ash residue and re-burn if any large pieces are not totally destroyed the first time. If the data are shredded, use shredders that reduce residue particle size to 3/16 of an inch or less in width.

Clearing Magnetic Media

Magnetic media (tapes, disks, hard drives) containing SSA data must be destroyed or erased prior to reuse. To erase, overwrite SSA data a minimum of three times with a commercial disk utility program. If you are unable to overwrite, degauss using a commercial degausser.

Proper Labeling

All stored or transferred SSA data, electronic or non-electronic, must be labeled "DISCLOSURE PROHIBITED—THIS CONTAINS SENSITIVE INFORMATION—SSA RESTRICTED DATA."

Where to Send

Send your completed SSA Data Protection Plan to:

Office of Research, Evaluation, and Statistics (ORES)
Social Security Administration
Attn: Division of Earnings Statistics and Analysis
4-C-15 Operations/ c/o 4th Floor Meadows East Building
6401 Security Boulevard
Baltimore, Maryland 21235

AND

For Requesting SSA Program Data for Research
Email the completed SSA Data Protection Plan electronically to ores.research.requests@ssa.gov

For Requesting Vital Status (Epidemiological) Data
Email the completed SSA Data Protection Plan electronically to ores.epidemiological.requests@ssa.gov

Confidentiality Agreement

All individuals who will have access to SSA data on the "presumed living" in identifiable form must sign and date the Confidentiality Agreement.