Service to Epidemiological Researchers to Provide Vital Status Data on Subjects of Health Research
OMB No. 0960-0701
Section 1106(d) of the Social Security Act directed the Social Security Administration (SSA) to provide support to health researchers involved in epidemiological research. Specifically, SSA will furnish information about whether study subjects are shown on SSA records to be alive or deceased pursuant to Section 1106(d), only when SSA in consultation with the Department of Health and Human Services finds that the research may reasonably be expected to contribute to a national health interest. The requestor must agree to reimburse SSA for expenses incurred providing the information and comply with all privacy safeguards.
This service is available as of this date by contacting the Office of Research, Evaluation, and Statistics (ORES):Social Security Administration
Office of Research, Evaluation, and Statistics
4-C-15 Operations Building
6401 Security Boulevard
Baltimore, MD 21235-6401
In addition, further information about this service is available from the ORES Epidemiological Coordinator at the above contact points, by e-mail at ORES.Epidemiological.Requests@ssa.gov, or by telephone at 410-966-1828.
If you mail your request for this service via overnight express mail, please change the building location in the above address to:Room 4700 Meadows East Building
Historically, SSA had made disclosures of vital status data under the provisions of the Freedom of Information Act (FOIA, 5 U.S.C. § 552(a)(3)). However, as a result of the Supreme Court decision in United States Department of Justice v. Reporters Committee for Freedom of the Press, 489 U.S. 749 (1989), SSA discontinued the process of providing such data. The enactment of Section 1106(d) of the Social Security Act restored the legal authority for SSA to release vital status data except for death data obtained from a state under the auspices of Section 205(r) of the Social Security Act. A companion change to the Internal Revenue Code (26 U.S.C. § 6103(l)(5)(B)) permits SSA to use tax return information to determine the mortality status of individuals for epidemiological research in accordance with Section 1106(d) of the Act. Accordingly, when the research in question has been determined to contribute to a national health interest, SSA will furnish vital status data on study subjects. The researcher must submit the study subject's Social Security number, full name (first, last, and middle name), date of birth (month, day, century, and year), and sex. SSA, in turn, will furnish one of the following vital status determinations for each study subject:
- Death information (the date of death and state where a claim was filed, or the state of residence at the time of death) if available;
- Presumption that the individual is living (there is sufficient information in SSA program records to support this determination); or
- Status unknown (SSA has no record of death, nor sufficient information within the SSA program records to support a determination that the subject is alive);
No additional information is provided for records that could not be verified.
For each request for services, you must cover the following specific areas in separately numbered paragraphs:
- Project or study title.
- Applicant name, full address, phone number, fax number, and e-mail address.
- Contact individual name (if different than applicant), full address, phone number, fax number, and e-mail address.
- Project coordinator name, full address, phone number, fax number, and e-mail address.
- Name of sponsoring organization or institution supporting the research.
- Name (and title, if available) of specific person who will sign the agreement and reimburse SSA for expenses incurred in supplying data.
- Data custodian's name, full address, phone number, fax number, and e-mail address.
- Attach a one-page summary of the study protocol of the project activities. Include specific purpose(s) of the research to be undertaken, the outcomes expected, and how your research will contribute to a national health interest.
- Estimated number of records you will submit. To protect data from theft or modification, SSA recommends that requestors encrypt all input files prior to submission. Submitting unencrypted data to SSA is not recommended and is done at the requestor's own risk.
- Fully explain how the data provided by SSA will be used. Specify whether the data will be used only to determine the subjects' vital status or whether it will also be used to obtain death certificates to determine the causes of death or to obtain additional information from next-of-kin, physicians, or hospitals.
- Provide the final disposition of SSA data to include the location of files and full disclosure of who will have access to the identifying data on the “presumed living” and for how long. In addition to the staff of the requesting organization, list any “other party” that will receive (or have contractual or other rights to) any identifying vital status information provided by SSA on the “presumed living.” Note that all organizations that will receive identifying information on the “presumed living” must become a party to the agreement. All individuals accessing such data must sign a confidentiality agreement.
- If applicable, fully explain how the applicant plans to publish or release the research results, including whether any supporting documentation will be made available in identifiable form on the “presumed living.”
- Provide a data protection plan describing how you will ensure the confidentiality of the vital status data supplied by SSA on the “presumed living.”
- Include a statement that the above applicant fully understands that the vital status data obtained from SSA on the “presumed living” will only be used for the purposes described in this request and will not be used for administrative or legal purposes.
- Include a statement that the applicant hereby agrees to ensure the confidentiality of the vital statistics supplied by SSA on the “presumed living” as described in the data protection plan (item 12).
- Applicant's signature.
NOTE: If the applicant indicates that other organizations or individuals will receive identifying SSA vital status data on the “presumed living,” that organization must also be a party (signatory) to the applicant's memorandum or must submit a separate supporting memorandum. In this supporting documentation, each third party must indicate (1) their role in the study and the activities they will perform, (2) a data protection plan describing how they will store the identifying data on the “presumed living” and maintain the confidentiality of such data, and (3) how and when the identifying data on the “presumed living” will be destroyed.
An evaluation team comprising staff members from SSA's Office of Research, Evaluation, and Statistics and the National Center for Health Statistics (NCHS) will review each application for services. The team will not attempt to determine the scientific merit of the study. It is understood that the merit of the study has been (or will be) determined by the sponsoring agency and/or the organization performing the study. The team's purpose will be to reach a consensus that the results of the study could be expected to advance the public's knowledge in a health area of importance to a segment of the United States population.
If such a determination is made and the Associate Commissioner for Research, Evaluation, and Statistics concurs, the applicant will be notified, in writing, of the methods that may be used to submit data on study subjects, the exact format to be used in submitting this data, and the cost for developing and transmitting the vital status data from SSA records. The applicant will be required to sign a memorandum of understanding that will delineate his or her responsibilities in the use of the requested vital status data. The applicant will also be required to sign a contractual agreement to facilitate payment for the service.
The Social Security Administration will recoup all costs (computer program development costs and ongoing processing costs) associated with this service. Form SSA-1235 “Agreement Covering Reimbursable Services” will be signed by the applicant and an appropriate SSA representative to establish the financial arrangement between the parties. Nonfederal requesters are required to provide an advance payment of 100 percent of the SSA costs for this service.
Criteria Used to Approve Requests
The SSA/NCHS team will use the following criteria in formulating their recommendations for the Associate Commissioner for Research, Evaluation, and Statistics:
Disease Registries. Requests from individuals and or groups working with disease registries will be accepted. By “disease registry” is meant a roster of persons diagnosed and/or treated for a particular disease and maintained for the purpose of morbidity and/or mortality surveillance without any specific hypotheses to be examined. Registries usually employ a standardized methodology, are subject to informal and sometimes formal controls, and may rely on other methods for follow-up of a majority of the roster. Such registries deserve special considerations. Applicants who propose to submit a roster of names deriving from such a registry should specify the date the registry was founded, the purposes of the registry, the eligibility criteria for including persons in the registry, the provisions for internal and external approval of the registry's quality and methods (including human subject considerations), and the dates of the last documented internal and/or external reviews.
SSA will generally approve these submissions provided the requests give adequate documentation of the registries' activities.
Furthermore, registries will not be required to submit separate applications for each study. Multiple uses of SSA vital status data are permitted provided that (1) each study is solely for statistical purposes in medical and health research, (2) adequate assurances are given that the confidentiality of the identifying vital status data on the “presumed living” will be maintained, and (3) vital status data on the “presumed living” will be kept separate from any program records.
Mortality Follow-up on Non-Disease Cohorts. Most applicants are required to submit separate requests for specific studies. However, some organizations conduct mortality surveillance studies on “non-disease” cohorts such as industrial workers, population samples, and members of particular families, and the vital status data on those individuals may be used for multiple epidemiological studies. Such organizations, in essence, are maintaining exposure or other non-disease “registries” that facilitate epidemiological studies of groups with particular experiences. Such organizations will not be required to submit separate applications to SSA for each study, although they will be required to describe expected protocols and give specific, current, or future examples.
Multiple uses of vital status data obtained from SSA on the “presumed living” are permitted provided that (1) each study is solely for statistical purposes in medical or health research, (2) adequate assurances are given that the confidentiality of the identifying vital status data on the “presumed living” will be maintained, and (3) vital status data on the “presumed living” will be kept separate from any program records.
- Final Disposition of Data. The applicant must indicate if, how, and when identifiable data on the “presumed living” furnished in support of a request will be destroyed. If there is no indication that the identifiable data on the “presumed living” will be destroyed, the individual requesting the vital status data must explain, in some detail, why the data need to be maintained.
Repeated Use of the Service
Once an applicant is approved to obtain vital status data for a specific study or project, the approval is valid for 2 years as long as there are no major changes in the project. Additional records may be submitted under the approved contract for services. If, however, the project specifications change, the applicant must submit a new request for services. The following is a list of possible, but not exclusive, occurrences that would require the submission of a new request for services:
- The project will be supported by a new organization;
- A new organization will be receiving vital status data;
- Confidentiality provisions on the “presumed living” have changed;
- Provisions for disposing of data on the “presumed living” obtained from this request have changed;
- Vital status data on the “presumed living” will be used for legal, administrative, or other actions that could directly affect particular living individuals or establishments; or
- Changes have been made in the project's research objectives.
NOTE: The requesting party is required to sign a new Form SSA-1235 for new submissions.
Guidance for Preparing an SSA Data Protection Plan
As a potential user of SSA sensitive data, you must submit an SSA Data Protection Plan for each facility (site) where SSA sensitive data is maintained to the Office of Research, Evaluation, and Statistics (ORES) for approval. You must specify in your SSA Data Protection Plan(s) how you will keep SSA data secure and confidential on a variety of media, including magnetic tapes, hard disks and other fixed magneto-optical media; compact disks, diskettes, and other removable magneto-optical media; and paper. Use the following Guidance for Preparing an SSA Data Protection Plan to write your SSA Data Protection Plan. Describe in detail each provision listed (use additional paper (8½ × 11) if needed).
The safeguards shall provide a level and scope of security that is not less than the level and scope of security established by the Office of Management and Budget (OMB) in OMB Circular No. A-130, Appendix III—Security of Federal Automated Information Systems which sets forth guidelines for security plans for automated information systems in Federal agencies.
SSA Sensitive Data
SSA sensitive data includes any data from SSA's program records that might compromise the anonymity or privacy of individuals. It also includes any variables or fields derived from our program records, including linked or matched variables. The major sources of SSA program data are, but are not limited to, the following systems of records:
- Master Beneficiary Record (MBR)
- Payment file from which Social Security checks are paid. The MBR contains information on Title II beneficiaries, such as payment status, type and amount;
- Supplemental Security Record (SSR)
- Payment file from which Social Security Income (SSI) checks are paid. The SSR contains information on Title XVI beneficiaries, such as payment status, type and amount;
- Master file of assigned Social Security Numbers (SSNs). This file contains identifying information given by the applicant for an SSN and most of the vital status data that SSA provides health researchers through its epidemiological service, including state of residence and date of death; and
- Master Earnings File (MEF)
- This file contains workers' earnings records and information on the individual's entire work experience.
Your SSA Data Protection Plan must include:
1. Security/Physical Safeguards of the Computing Environment.
SSA requires that you use a self-contained Local Area Network (LAN) or a stand-alone computer(s) because of the potential security problems that can occur in timesharing mainframes or LANs. If you do use a timesharing platform, be very specific in describing the security and safeguards that you will use to protect our data.
Provide a detailed description of the security/physical safeguards of the computing environment in which you will be managing and analyzing the data. For each item of the computing equipment you will be using (CPU, tape drives, printers, etc.), describe:
- Where they are located;
- Who has physical access to them;
- The security provisions that restrict access to only authorized users of the data on the system(s) you will be using, such as locked doors, locks on equipment, passwords, encryption, etc.;
- The routine procedures for making backup copies of data files on tape or disk;
- The system as a whole as well as your terminal;
- The access system administrators have to files and passwords [For shared file systems only];
- The audit trails which you maintain to identify users, authenticate users, and trace users' actions on your system. This enables you to maintain individual accountability of all data users.
2. Restricted Access—Fixed Storage Media
Provide a detailed description of how you will restrict access (e.g., password protection) to hard disk or other electromagnetic, optical or similar fixed storage device files containing the data. Indicate the kind of storage data you will be using and describe:
- Where the storage devices to be used are physically located;
- How you will restrict physical access to only authorized persons;
- How you will restrict access to the contents of hard disk and similar storage device files to only authorized persons, such as through a system of encryption and/or passwords;
- How you will restrict access to files to which only authorized users have “read” and “write” permission;
- How you will prevent routine system backups of hard disk and similar storage device files, regardless of type of backup medium;
- How you will prevent access to files by system administrators [For shared file systems only];
- Clearly in your Plan that no more than one backup copy will be made of any hard disk or similar storage device file containing the data;
- When (on or before the date on which your authorized access to the data expires) and how all such copies will be destroyed.
3. Restricted Access—Removable Storage Media
Provide a detailed description of how you will restrict access to compact disks, diskettes, and other removable electromagnetic or optical storage media files. We strongly recommend against the use of removable media for data storage. If used, describe:
- How you will use removable media data storage;
- Where the removable media to be used will be physically located;
- How physical access to them is to be restricted to only authorized persons, including provisions for storage in locked cabinets when not in use;
- Which mechanisms will be used to ensure that only authorized persons will be able to mount and read removable media; and
- Which mechanisms (e.g., computing systems that require the use of keywords or labels known only to the owner of the removable medium, to mount the medium) will be used to ensure that only authorized persons will be able to mount and read removable media handled by a central system [For shared file systems only].
4. Printed Output
Provide a detailed description of how you will restrict access to paper printouts containing SSA data. SSA strongly recommends against the creation of any paper printouts of its data. If used, describe:
- The uses that will be made of such printouts;
- The reasons why no other media can be used for the same purpose;
- The means by which you will ensure that such printouts are handled by authorized persons only;
- How they will be kept in locked storage, accessible only to authorized persons when not in use;
- How they will be kept from the vision and reach of unauthorized persons when they are in use; and
- How they will be destroyed (e.g., made unreadable through burning or shredding) after completing any analysis.
5. Derivations of SSA Data
Provide a clear and detailed statement that you will treat all derived SSA data in the same manner as the original SSA data, and that you understand that derived SSA data includes, but is not limited to:
- Subsets of cases or variables from the original data;
- Numerical or other transformations of one or more variables from the original data, including sums, means, logarithms, or products of formulas; or
- Variables linked to another dataset using variables from the original data as linkage variables.
6. Linkages to Other Data
Provide a clear and detailed statement that you will not link any other data to the original data specified in the reimbursable agreement. Your statement must also include recognition that you will not link the original data or derived dataset(s) to any other SSA dataset(s) without our explicit written permission.
7. Training for Individuals Who Will Have Access to Confidential Data
All individuals who will have access to SSA data in identifiable form must understand the security and safeguard provisions required to assure the confidentiality of SSA data. Explain how you will train these individuals so they are familiar with the safeguarding provisions in your data protection plan. In addition, they will be required to sign a Confidentiality Statement.
Where to Send
Send your completed SSA Data Protection Plan to:Office of Research, Evaluation, and Statistics (ORES)
Social Security Administration
Attn: Office of Data Development
4-C-15 Operations/ c/o 4th Floor Meadows East Building
6401 Security Boulevard
Baltimore, Maryland 21235
For Requesting Vital Status (Epidemiological) Data
Email the completed SSA Data Protection Plan electronically to firstname.lastname@example.org
All individuals who will have access to SSA data on the “presumed living” in identifiable form must sign and date the Confidentiality Agreement.