On June 1, 2016, the U.S. Commerce Department’s National Technical Information Service (NTIS) issued the final rule on accessing the Limited Access Death Master File.
Prior to 2013, the Social Security Administration permitted broad access to its Death Master File. As a result of some fraudulent activity resulting from such access, in 2013, as part of the Bipartisan Budget Act of 2013, Public Law 113-67 (the “Act”), access to the Social Security Administration’s Death Master File during the three-calendar-year period following an individual's death (referred to as the “Limited Access DMF”) was restricted to authorized users and recipients who were certified under an interim rule. The NTIS has now issued its final rule, “Certification Program for Access to the Death Master File,” which becomes effective November 28, 2016.
Under the final rule, any “Person,” which includes individuals, corporations, companies, private organizations, and state and local government departments and agencies, desiring access to the Limited Access DMF must certify, inter alia, that such Person has a “legitimate fraud prevention interest, or has a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty, and shall specify the basis for so certifying”; has “systems, facilities, and procedures in place to safeguard the accessed information, and experience in maintaining the confidentiality, security, and appropriate use of accessed information, pursuant to requirements reasonably similar to the requirements of section 6103(p)(4) of the Internal Revenue Code of 1986” and agrees to satisfy such similar requirements; and will not disclose a deceased individual’s Limited Access DMF, except to specified individuals and for specified reasons as set forth in the rule.
The application package for access to the Limited Access DMF must now include documentation from an “Accredited Conformity Assessment Body” determining that the applicant meets security and safeguarding requirements described in the final rule. An “Accredited Conformity Assessment Body” includes both an independent third party, as well as a related third party who applies for firewalled status under the final rule. In addition, a Person who becomes certified under the rule agrees, as a condition of certification, to be subject to audit by NTIS to determine its compliance with the requirements of the rule.
The final rule also imposes a penalty of $1,000 for each disclosure or use of Limited Access DMF to those not meeting the certification requirements or for non-legitimate purposes, as outlined in the rule. Except in cases of willful or intentional disclosures, the penalty is capped at $250,000 per Person per year. Disclosures from a Certified Person to a non-certified Person are permissible under certain circumstances, but the safe harbor provision that extends to disclosures between Certified Persons does not extend to disclosures between a Certified Person and a non-certified Person.
When the final rule goes into effect in November, it is expected that the certification fee, which is currently $200, will increase to cover the cost of the program. A certification under the interim rule will continue to be valid for one year after the date of issuance, even after the final rule goes into effect on November 28, 2016. If your organization’s certification will expire on or after November 28, 2016, and it wants to continue to access the Limited Access DMF after November 28, 2016, it should be prepared to commence the certification process under the final rule.