Guidelines and best practices for transmitting personally identifiable information (PII) and consequences for PII violations.

Transmitting Personally Identifiable Information (PII)

Definition of PII

PII is any information that can be used to distinguish or trace a person's identity either alone or when combined with other personal or identifying information. PII includes but is not limited to:

  • Person's name or initials (e.g., John Doe, John D, JD)
  • Date of birth
  • Social Security Number (SSN)
  • Bank account information
  • Home address
  • Phone number
  • Health records
  • Social Security benefit payment data

Sending PII to Social Security or the Ticket Program Manager (TPM)

ENs are prohibited from sending PII by email to Social Security and TPM, even if it is encrypted. The only exception is when ENs submit documentation to the Center for Suitability and Personnel Security (CSPS) as part of the Suitability process.

ENs must use any of the methods noted below to submit PII to Social Security or TPM:

  • Email: work case (WC) number to ENPaymentsHelp@yourtickettowork.ssa.gov
  • Fax: 1-703-893-4020
  • Mail: P.O. Box 1433, Alexandria, VA 22313
  • Call the Payments Help Desk: 1-866-949-9687 (Monday through Friday, 9 a.m. – 5 p.m. EST)
  • Government-to-Government Services Online (GSO): for Services and Supports Reviews ONLY

TPM will route all faxes and mail to the correct department. Please allow extra time for processing.

Best practices for faxing or mailing PII to TPM

  • Always use a cover sheet.
  • Include your EN name and DUNS number on the cover sheet.
  • Include the subject and department, for example: "Program Integrity – Services and Supports Review".
  • Organize your documents so that all documents pertaining to one SSN are grouped together.
  • If faxing, always print a confirmation sheet in case there are faxing issues.

Please contact ENservice@ssa.gov with any questions concerning the use of electronic systems for transmitting PII.

Sending PII to other (non-SSA/TPM) email addresses

If EN employees are using the EN's own or any other non-SSA email system (e.g., Yahoo!, Gmail), they may send email messages transmitting PII only if the PII is entirely contained in an encrypted attachment. PII may NOT be in the body of the email itself or in an unencrypted attachment. This procedure applies when emailing PII from a non-SSA system to any email address. Unless specifically noted otherwise, the EN and its employees are expected to conduct business operations using the EN's own email system, i.e., in accordance with the foregoing rules for transmitting PII.

ENs text messaging with beneficiaries

ENs are not permitted to send PII to beneficiaries/Ticketholders via text message. SSA does not govern what beneficiaries send to ENs via text message.

Consequences for PII Violations

The following are consequences for ENs who commit violations involving transmission of PII through email to Social Security or TPM.

First Violation

  • Social Security will remove the EN from ePay for 3 months.
  • The EN must send a statement to Social Security describing how the PII security issue has been mitigated.
  • Social Security will require the EN to complete the training, "Properly Safeguarding Personally Identifiable Information (PII)."

Second Violation

  • Social Security will send the EN a cure notice requiring the EN to report how the issue has been mitigated and submit a plan to ensure no further violations (i.e., internal QA process).
  • Social Security will place the EN on hold until the mitigation plan has been received and approved by Social Security.
  • Social Security will require that the EN participate in a call involving the EN leadership and Social Security to discuss the mitigation plan and consequences of a further violation (possible termination).
  • Social Security will remove the EN from ePay for 1 year.

Third Violation

Social Security may terminate the EN due to noncompliance with the requirement to protect PII.