HHS/Office for Civil Rights Feedback on SSA-827
Medical/Professional Relations
How SSA-827 Meets Requirements for Authorization
to Disclose Information
45 Code Federal Regulations (CFR)
164.508(c) (HIPAA Privacy Rule) Implementation specifications:
(1)
Core
elements required:
A valid authorization under this section must contain at least the following
elements:
(i)
Description
of information to be disclosed
A description of the
information to be used or disclosed that identifies the information in
a specific and meaningful fashion.
(Also required by 42 CFR Part 2).
View SSA-827 language that meets requirements
(ii)
Person
or class authorized to disclose
The name or
other specific identification of the person(s), or class of persons, authorized
to make the requested use or disclosure.
View SSA-827 language
that meets requirements
(iii)
The person
or class to whom disclosed
The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
View SSA-827 language that meets requirements
(iv)
Purpose
of disclosure
A description
of each purpose of the requested use or disclosure. The statement "at
the request of the of the individual" is a sufficient description of the purpose
when an individual initiates the authorization and does not, or elects
not to, provide a statement of the purpose.
View SSA-827 language
that meets requirements
(v)
Expiration
date
An expiration
date or an expiration event that relates to the individual or the purpose
of the use or disclosure. The statement "end of the research study,"
"none," or similar language is sufficient if the authorization is for
a use or disclosure of protected health information for research, including
for the creation and maintenance of a research database or research repository.
View SSA-827 language
that meets requirements
(vi)
Signature
and date
Signature of
the individual and date. If the authorization is signed by a personal
representative of the individual, a description of such representative's
authority to act for the individual must also be provided.
View SSA-827 language
that meets requirements
(2)
Required
statements
In addition to the core elements, the authorization must contain
statements adequate to place the individual on notice of all of the following:
(i) The individual's right to revoke the authorization in writing, by stating either:
(A) The exceptions to the right to revoke; or
View SSA-827 language that meets requirements
(B) A description of how the individual may revoke the authorization.
View SSA-827 language that meets requirements
(ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:
(A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or
View SSA-827 language that meets requirements
(B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.
View SSA-827 language that meets requirements
(iii)
The potential for information
disclosed pursuant to the authorization to be subject to re-disclosure
by the recipient and no longer be protected by this subpart.
View SSA-827
language that meets requirements
Note:
SSA is also aware of the
strict limits on re-disclosure of information covered by 42 CFR Part 2
and specifically addresses this on the SSA-827.
View SSA-827 language
that meets requirements
Conclusion of DHHS
"As these statements
demonstrate, the Privacy Rule affords significant flexibility to covered
entities and others to authorization forms that meet their needs, yet
which permit individuals to understand fully the authorizations they are
asked to sign. The rule specifies the elements of a valid authorization,
but does not mandate any particular form by which individuals may authorize
disclosure of their health information".
(April 25, 2003
DHHS letter)
Other Considerations
-
Witness - A witness signature is not required by the DHHS Privacy Rule, but SSA routinely tries to obtain one as a service to the source of information. Under 45 CFR 164.508(b)(2)(ii), an authorization is not valid if it has not been filled out completely with respect to the core elements. It should be noted that a witness signature is not a core element or requirement. Optional elements (e.g., witness signature) can be left blank or used as needed (e.g., to meet State law).
Details of how SSA-827 meets requirements
The following language is extracted from the
SSA-827.
OF
WHAT
All records and other information regarding my treatment, hospitalization,
and outpatient care
for my impairment(s) including, and not limited to:
--Psychological, psychiatric or other mental impairment(s) (excludes "psychotherapy notes" as defined in 45 CFR 164.501)
--Drug abuse, alcoholism, or other substance abuse
--Sickle cell anemia
--Records which may indicate the presence of a communicable or noncommunicable disease and tests for or records of HIV/AIDS
--Gene-related impairments (including genetic test results)
Information created within 12 months after the date this authorization is signed, as well as past information.
Note: "For example, if the Social Security Administration seeks authorization for release of all health information to facilitate the processing of benefit applications, then the description on the authorization form must specify "all health information" or the equivalent." (65 Federal Register 82517, December 28, 2000) "Disclosures to SSA . made pursuant to an individual's completed SSA-827 authorization form, or any other valid authorization, are exempt from the minimum necessary requirements of the Privacy Rule." (April 25, 2003 DHHS letter).
- All medical sources
(hospitals, clinics, labs, physicians, psychologists, etc.) including
mental health, correctional, addiction treatment, and VA health care
facilities
- All educational sources (schools, teachers, records
administrators, counselors, etc.)
- Social workers/rehabilitation counselors
- Consulting
examiners used by SSA
- Employers, insurance companies, workers' compensation programs
- Others who may know about my condition (family, neighbors, friends, public officials)
Note: "One
authorization form may be used to authorize disclosures by categories
of covered entities, without naming particular covered entities."
(April 25, 2003
DHHS letter).
TO
WHOM
The Social
Security Administration and to the State agency authorized to process
my case (usually
called "disability determination services"), including contract
copy services, and doctors or other professionals consulted during the
process. [Also, for international claims, to the U.S. Department
of State Foreign Service Post.]
Note: "[A]n authorization could be completed by an individual and given to a government agency, authorizing the agency to receive medical information from any health care provider that has treated the individual within a defined period of time. Such an authorization is permissible if it sufficiently identifies the government entity that is authorized to receive the disclosed protected health information." (65 FR 82518, December 28, 2000).
Determining my eligibility for benefits, including looking at the combined effect of any impairments that by themselves would not meet SSA's definition of disability; and whether I can manage such benefits.
Note: "[O]ne authorization form may
be used when disclosure of the same protected health information is being
sought for multiple purposes, as long as an authorization for the disclosure
of psychotherapy notes is not combined with an authorization for the disclosure
of any other protected health information."
(April 25, 2003
DHHS letter).
EXPIRES WHEN
This authorization is good for 12 months from the date signed (below my
signature).
Note: "A covered entity may disclose
the protected health information specified in the authorization, even
if that information was created after the authorization is signed, as
long as the authorization has not expired or been revoked in writing."
(April 25, 2003
DHHS letter).
INDIVIDUAL authorizing disclosure
- The individual must
sign and date this authorization, and provide his or her street address,
city, state and zip code and telephone number with area code.
- IF not signed by subject of disclosure, specify basis for the authority to sign. Check the appropriate box on the English SSA-827 to indicate whether the person signing is the parent of a minor, guardian, or other personal representative (explain). Sign the English SSA-827 in the space provided if a second signature is required by law.
Witness: In this section of the English SSA-827, one who knows the person signing the form should sign as a witness and provide his or her phone number or address. There is space for a second witness if needed.
Note: "All authorizations must be in writing and signed. We intend e-mail and electronic documents to qualify as formal written documents." (65 FR 82660, December 28, 2000) "We do not require verification of the individual's identity or authentication of the individual's signature." (65 FR 82518, December 28, 2000) "A copy, facsimile, or electronically transmitted version of a signed authorization is also a valid authorization under the Privacy Rule." (April 25, 2003 DHHS letter).
-
I may write to SSA and my sources to revoke this authorization at any time.
-
You have the right to revoke this authorization at any time, except to the extent a source of information has already relied on it to take an action. To revoke, send a written statement to any Social Security Office. If you do, also send a copy directly to any of your sources that you no longer wish to disclose information about you; SSA can tell you if we identified any sources you didn't tell us about. SSA may use information disclosed prior to revocation to decide your claim.
A covered entity (that is, a source of medical information about you) may not condition treatment, payment, enrollment, or eligibility for benefits on whether you sign this authorization form.
Signing
this form is voluntary, but failing to sign it, or revoking it before
we receive necessary information, could prevent an accurate or timely
decision on your claim, and could result in denial or loss of benefits.
Although the information we obtain with this form is almost never used
for any purpose other than those stated above, the information may be
disclosed by SSA without your consent if authorized by Federal laws such
as the Privacy Act and the Social Security Act.
For example, SSA may disclose information:
1. To enable a third party (e.g., consulting physicians) or other government agency to assist SSA to establish rights to Social Security benefits and/or coverage;
2. Pursuant to law authorizing the release of information from Social Security records (e.g., to the Inspector General, to Federal or State benefit agencies or auditors, or to the Department of Veterans Affairs (VA);
3. For statistical research and audit activities necessary to ensure the integrity and improvement of the Social Security programs (e.g., to the Bureau of the Census and private concerns under contract with SSA).
DISCLOSURE OF PERSONAL INFORMATION
All personal information SSA collects is protected by the Privacy Act of 1974. Once medical information is disclosed to SSA, it is no longer protected by the health information privacy provisions of 45 CFR part 164 (mandated by the Health Insurance Portability and Accountability Act (HIPAA). SSA retains personal information in strict adherence to the retention schedules established and maintained in conjunction with the National Archives and Records Administration. At the end of a record's useful life cycle, it is destroyed in accordance with the privacy provisions, as specified in 36 CFR part 1228.
CONFIDENTIALITY OF ALCOHOL AND DRUG ABUSE
SSA will not redisclose without proper prior written consent information:
(1) relating to alcohol and/or drug abuse as covered in 42 CFR part 2.
Note: 42
CFR part 2 provides at section 2.31 that "[a] written consent . must
include (1) the specific name or general designation of the program or
persons permitted to make the disclosure.." The preamble to these
regulations explains "a patient who chooses to authorize disclosure
of all his or her records without the necessity of completing multiple
consent forms or individually designating each program on a single consent
form would consent to disclosure from all programs in which the patient
has been enrolled .."
(52 FR 21799, June 9, 1987).
Social Security Administration
February 2012