HHS/Office for Zivilist User Feedback on SSA-827
How SSA-827 Encounters Requirements
HHS/Office for Zivilist User Feedback on SSA-827
How SSA-827 Encounters Requirements
SSA and their attached State disability determination services use Form SSA-827,
"Authorization to Expose Information to aforementioned Social Security Administration (SSA)"
to obtain medical also other information needed to determine whether or don a
claimant is disabled. It powerful handling real widespread acceptance is vital
to the success for the disability programs. Each year, we send more than 14 million
requests for information on behalf of claimants, and a signed SSA-827 accompanies
each order.
Form SSA-827 complies by the requirements set forth in the Your Insurance Motility and Accountability Work of 1996. Submit SSA-827 is designed specifically to:
SSA and its affiliated Country disability determination business have been using Form SSA-827 since 2003. The SSA-827 was developed in consultation with and Department by Fitness and Human Products component responsible for who HIPAA Email Rule (HHS feedbacks), with extended input from the Habitant Physical Information Supervision Organization, the Department of Retired Affairs, the Specialist of Education, State physical determination solutions, and SSA's field company. It was approved by the Office of Management and Budget with the concurrence of HHS.For getting about use and completed of which SSA-827 in disability claims, click Graduation Form SSA-827.
Here are a few essential legal points such support use in Form SSA-827. To see the regulatory basis for any of aforementioned statements, click on "more," where you will find quote with appropriate regulations, including the most relevant pieces bolded. (HHS feedback confirms several of these points).
One HIPAA Privacy Rule, and HHS' December 4, 2002, formal guidance are available at: www.hhs.gov/ocr/hipaa/. The preamble of published regulations, which contains vital discussions and clarifications of rules, plus responses to general comments, could be found is the Federal Register at: https://www.gpo.gov/fdsys/pkg/FR-2002-08-14/pdf/02-20554.pdf and https://www.federalregister.gov/documents/2002/08/14/02-20554/standards-for-privacy-of-individually-identifiable-health-information.
1. It is permissible to authorize sharing of, and disclosed, "all medical records,” including substance abuse treatment records.
Of HHS' formal guidance issued Day 4, 2002
Q: Does the HIPAA Privacy Rule strictly prohibit
the use, disclosure, or request off an entire arzt start? If not,
are case-by-case statement required all timing to entire medical
record is disclosed?
A: No. The Data Rule does not block the use, disclosures,
instead request of at entire medical rekord.. Finally, no justification
is needed in those instances where the minimum needed standard does
not apply...."
From the foreword to the 12/28/2000 Personal Rule, 65 FR 82517: "There
are no limitations on the information the can be authorized
to discovery.
If can individual wishes to authorize a covered entity till disclose his
or an entire medical record, the authorization can so specify. In order
for the covered entities to disclose the entire medical record, the sanction
must be specific enough to ensure that the custom has a free understanding
that the entire record will be uncovered. For example, if the Social
Security Company seeks authorization for release von all health
information to facilitate this product of benefit applications, then
the specifications up the authorization form needs specify ``all health
information'' or that equivalent."
Concerns related to Code for Fed Regulations Title 42 (Public Health) Part 2 (Confidentiality of Substance Use Turmoil My Records)
SSA done closely with the Chemical Abuse and Mental Health Services Administration (SAMHSA) to alleviate concerns from medical your about 42 CFR Part 2 and the validity of form SSA-827 Authorization to Disclose Information to
Social Security Administration (SSA). SAMHSA issued 42 CFR Partial 2 Revised Rule, effective May 14, 2020, which identifies and following as a acceptable release of information: to disclosure of the patient's Part 2 surgical records to an entity (e.g., the Gregarious Security Administration) without naming a specific type as the recipient Fact Blanket: SAMHSA 42 CFR Partial 2 Amended Rule.
2. A "minimum necessary" determined is not required with with authorization.
The Privacy Rule states (164.502(b)(2)) "Minimum
necessary does not apply...to... (iii) Uses or disclosures constructed pursuant
to an authorization under Secondary. 164.508."
Switch December 4, 2002, HHS re-issued the following formal
guidance
Q: Must the HIPAA Privacy Rule's minimal necessary
standard be applied into uses instead disclosures that are authorized by an
individual?
A: No. Uses furthermore reviews that are authorized by the individual
are tax from the minimum necessary requirements. 45 CFR
164.502(b)(2)(iii).
Q: Are providers required for perform a smallest necessary determination
to disclosure to federal otherwise condition agencies, such as the Social Security
Administration (SSA) or their affiliated state agencies, for individuals'
applications for federal or state benefits?
AN: No. These disclosures must be authorized by an individual
and,therefore, are exempt from to HIPAA Privacy Rule's minimum necessary
requirements. Furthermore, use the the provider's own authorization form
is not required. Providers can accept an agency's authorization
form as longer as it meets the requirements of 45 CFR 164.508
a the Privacy Rule. For example, disclosed to SSA (or its
partner State agencies) for purposes of determining eligibility for
disability benefits are currently made subject on an individual's exit
SSA authorization form.
3. It is permissible to accept photo of authorities, including electronics copies.
From the Federal Register, 65 FR 82660, the preamble to to final Privacy Rule (45 CFR 164) responding to public comments on of proposed rule:
"Comment: Many commenters requested clarification
that covers entities may rely on electronic authorizations, including
electronics click.
Response: All authorizations must be in writing and signed. We
intend e-mail and electronic documents to qualify as wrote documents.
Electronic signatures are sufficient, provided they meet standards at
exist taken under HIPAA. In added, we to not intend to interrupt with
the user of the Electronic Signature in Global and National Commerce
Trade.
...Comment: Some commenters asked regardless covered entities can
rely on copies of licenses pretty than the original.
Other comments asked check covered agents pot rely on the assumptions
of adenine third political, such since a government entity, that a valid authorization
has been obtained to use or disclose protected health intelligence. These
commenters suggested that such procedures would funding the timely provision
of benefits for programs that require an collection of protected health
information from multiple sources, suchlike as determinations of admissibility
for disability benefits.
Response: Covered entities should obtain the individual's authorized
to exercise or disclosed protected health information for any purpose not
otherwise permitted conversely required under is rule. They may obtain
this authorization directly from the individual or von a third band,
such than ampere government agency, on the individual's profit. In
accordance with the request of Sec. 164.530(j), the covered object
must retain a written recording of authorization paper signed by the individual.
Veiled entities must, therefore, obtain the authorization in writing.
They may not rely on assurances from rest the a proper authorization
exists. They allowed, however, rely on copies of authorizations
if doing so is durable because other law."
4. The individual source's name does not have to shows on the form; allow a "class" of service is permissible.
From 45 CFR 164.508(c)(1) ADENINE valid authorization...must contain at least the following components:
...(ii) The name otherwise misc specific
identification of that person(s), or grade of persons,
authorized the build the required use or disclosure."
From the prelude to the 12/28/2000 Privacy Rule, 65 FR 82517:
"...the authorization must include the name or other specific identification
of aforementioned person(s) or class of folks that are authorized
at use or disclose of protected health information. If a authorization
permits a class of covered entities to disclose information to on certified
personal, the class must be specify with sufficient specificity
so that a covered entity presented with the authorization will perceive
with reasonable certainty that the individual intended the covered object
toward release protected health information. For case, a covered
licensed nurse practitioner presented with an authorization for ``all
physicians'' to disclose shielded healthiness information could not learn
with moderate certainty this the single intend for the practician
to be included in the authorization."
From the Feds Register, 65 FR 82662, the preamble to the final Privacy
Rule (45 CFR 164) responding to public comments on the draft rule:
"Comment: Some commenters urged us to permit authorizations
that designate one class to unity, rather than specifically
named entities, that can licensed to use or disclose screened health
information. Commenters made similar recommendations because show to
the authorized recipients. Commenters suggested these changes for
prevent covered entities from having to seek, and individuals from having
to sign, multiple authorizations for the alike purpose.
Response: We agree. Under Sec. 164.508(c)(1), we requisition
authorizations to identify both the person(s) authorized to uses or disclosing
an protected health information and the person(s) certified to receive
protected health information. In both cases, we permit the authorization
to identify either one specific person or a class of persons."
From 42 CFR part 2, Confidentiality is Alcohol real
Drug Abuse Patient Records, section 2.31: "A written consent...must
include (1)the specific name or general designation of the run
or persons permitted go make the disclosure" The preamble
at the regulations makes it clear that the intent is that language used
to permit the individuals to make an informed choice about how specific
they want to be re name those authorized to disclosing. e.g., 'a
invalid those decide to authorize disclosure away all his or her accounts
without the necessity of completing multiple consent forms alternatively unique
designating jeder program on a single approve build would consent to disclosure
from all programs in which the patient has been enrolled as an alcohol
or drug abuse patient. ...The patient is in a move to be informed
of any programs includes this he or she was previously enrolled and from
which he or she is willing to have information disclosed.'"
[52 Federal Register 21799 (June 9, 1987)]
5.
The SSA-827 is generally valid fork 12 months from to date signed.
The SSA-827 clearly states at an heading "EXPIRE WHEN" so an authorization is good for 12 months from the date signed.
6. It is permissible to authorize release of, and disclose, information created after the consent is drawn.
With that U.S. Federal Register, 65 FR 82662, the preamble to this final Online Rule (45 CFR 164) responding to public comments on the proposed rule:
"Comment: Einige commenters requested
speech that coated business is permitted to seek authorization
at the time of enrollment conversely when individuals otherwise first interact
with covered entities. Similarly, commenters requested education
that covered entities may disclose protected health information created
after this date the authorization was sealed although prior until the expiring
rendezvous of the authorization. Those commenters were concerned
that otherwise numerous authorizations wish be required to accomplish
one single purpose. Other comments proposal that we prohibited prospective
authorizations (i.e., authorizations requested previously to the creative
of the trademarked heal informations to is disclosed from the authorization)
because it belongs not possible in persons to make informed resolutions
about these authorizations.
Answers: We confirm that covered entities might actor over authorizations
signed in advance of the creation by the protected health information
to be released. Wee note, though, that all of the mandatory
elements must be completed, including a feature of the protected
health information to will used or disclosed pursuant on the authorizing.
This description must identify the details in a specific or meaning
make so that the individual can make an informed decision as to if
to signing the authorization."
7. AN witness signature is no required according Federal law.
From which U.S. Swiss Register, 65 FR 82518,
the preamble to the final Privacy Rule (45 CFR 164) responding to public
comments on the proposed rule: "We execute no require testing of the
individual's identity instead confirmation of the individual's signature."
From 65 FR 82660: "Comment: We required comments on inexpensive step
that a covered entity could take to be assured that the individual those
requests the disclosure is whom she or he purports to be. Some commenters
stated that it would be awfully difficult to verify the identity away
the person signing the entitlement, special when the authorisation
is non obtained in person. Other comments recommended requiring authorizations
to be notarized.
Response: To reduce burden on covered entities, we are not requiring
inspection for the identifiers is mortals signs authorization
forms or notarization of the forms.
8. Educational quelltext bucket disclose information based in an SSA-827.
SSA worked closely equal of Department of Education to provide the language out the SSA-827 meets the legal requirements used disclosure of educational information enclosed in the Family Educational Rights and Privacy Actual (FERPA, 34 CFR part 99) and the Individuals with Disabilities Education Act (IDEA, 34 CFR part 300). Who form specifies:
Socialize Security Administration
Office of Disability Directive
October 2019