I'm trying to find the standards for passing SSN through an online form to be emailed. What are the rules?
The rule is "don't do it": there's no reason to send a social security number through e-mail.
If a client has asked you to do it, convince them to let you build a secure system to view the form results on the web instead.
I agree with Dan.
I am not familiar with US legislation; could it be that the HIPAA standard applies to SSNs as well?
Paul, you need to do a search for "Social Security Number Protection Law" and figure out if the US state where your business is located has enacted specific legislation. There has been a lot of activity lately surrounding identity theft, and imposing harsh penalties against companies who fail to protect customer data such as SSNs. It is never a good idea to capture an SSN and send it via email. All of that is clear text and is basically the same as asking your customers to write everything on a postcard and mail it for everyone to see.
Consider using encryption along all the pathways between the customer and your business if using the SSN is a requirement. For example: data storage should be encrypted (the database itself and multi-protocol for SQL); connecting to your website should be encrypted (SSL certificates); public/private key pairs to encrypt local network connections; etc. Implement a logging system to track who is trying to access SSN data, whether they are authenticated or unauthenticated users.
Curious to know why you need the SSN and how you are using it? Another point is to make sure you do not use it as an identification number for customer records. Thanks. Let us know what you've discovered from your research about the legal usage for SSNs.
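As an added illustration (written for this page, not code from anyone in the thread), here is what the storage side of the "secure system to view the form results on the web" could look like in Go, covering three points made above: the SSN is encrypted at rest rather than e-mailed, every attempt to reveal it is logged whether or not it is allowed, and the customer record is keyed by a random ID so the SSN is never used as an identifier. The key is a hypothetical stand-in generated at startup (a real deployment would fetch it from a KMS, HSM or secrets manager), the `authorized` flag stands in for a real authorization check, the in-memory Store stands in for the encrypted database, and the sample SSN is a constructed value. Transport encryption (TLS on the form, encrypted internal links) is assumed and not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical key, random at startup so the example runs stand-alone; in production it comes from a KMS/HSM, never from source.
var encKey = randomBytes(32)

// AES-256-GCM under encKey; NewCipher/NewGCM cannot fail for a 32-byte key.
var aead = func() cipher.AEAD {
	block, _ := aes.NewCipher(encKey)
	g, _ := cipher.NewGCM(block)
	return g
}()

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NormalizeSSN accepts "123-45-6789" or "123456789" and returns the nine digits.
func NormalizeSSN(in string) (string, error) {
	d := strings.ReplaceAll(in, "-", "")
	// Trim strips digits from both ends; anything left over is a non-digit.
	if len(d) != 9 || strings.Trim(d, "0123456789") != "" {
		return "", errors.New("ssn: expected 9 digits")
	}
	return d, nil
}

// EncryptSSN returns nonce || ciphertext; the customer ID is bound in as additional data so a ciphertext cannot be moved onto another record.
func EncryptSSN(customerID, ssn string) []byte {
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, []byte(ssn), []byte(customerID))
}

// DecryptSSN fails on truncation, tampering, or a mismatched customer ID.
func DecryptSSN(customerID string, sealed []byte) (string, error) {
	n := aead.NonceSize()
	if len(sealed) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, sealed[:n], sealed[n:], []byte(customerID))
	return string(pt), err
}

// Record is what the form handler persists: a random CustomerID (the SSN is never the record key), the last four digits for display, and the ciphertext.
type Record struct {
	CustomerID, Last4 string
	SSNSealed         []byte
}

// Store stands in for the encrypted database; AccessLog keeps every reveal attempt, allowed or denied.
type Store struct {
	records   map[string]*Record
	AccessLog []string
}

func NewStore() *Store { return &Store{records: map[string]*Record{}} }

// Submit is what the form handler does instead of e-mailing the SSN.
func (s *Store) Submit(rawSSN string) (*Record, error) {
	ssn, err := NormalizeSSN(rawSSN)
	if err != nil {
		return nil, err
	}
	id := hex.EncodeToString(randomBytes(16))
	r := &Record{CustomerID: id, Last4: ssn[5:], SSNSealed: EncryptSSN(id, ssn)}
	s.records[id] = r
	return r, nil
}

// Reveal logs the attempt first, then returns the full SSN only when authorized (the bool stands in for the real authorization check).
func (s *Store) Reveal(actor, customerID string, authorized bool) (string, error) {
	s.AccessLog = append(s.AccessLog, fmt.Sprintf("actor=%s record=%s allowed=%t", actor, customerID, authorized))
	r, ok := s.records[customerID]
	if !authorized || !ok {
		return "", errors.New("access denied")
	}
	return DecryptSSN(customerID, r.SSNSealed)
}

func main() {
	s := NewStore()
	r, _ := s.Submit("123-45-6789") // constructed sample input, not a real SSN
	full, err := s.Reveal("alice@example.com", r.CustomerID, true)
	fmt.Println("id:", r.CustomerID, "display: ***-**-"+r.Last4, "reveal:", full, err, "log:", s.AccessLog)
}
```

The web view would normally show only `Last4`; `Reveal` is the one code path that decrypts, which keeps the audit log complete and makes a denied attempt as visible as an allowed one.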