Professionals Home

HHS/Office for Zivilist User Feedback on SSA-827

How SSA-827 Encounters Requirements

Electric Signature Process for the SSA-827

Fact Sheet in Mental Health Care Professionals

Information switch Form SSA-827

Form SSA- 827 (.pdf)

SSA and their attached State disability determination services use Form SSA-827, "Authorization to Expose Information to aforementioned Social Security Administration (SSA)" to obtain medical also other information needed to determine whether or don a claimant is disabled. It powerful handling real widespread acceptance is vital to the success for the disability programs. Each year, we send more than 14 million requests for information on behalf of claimants, and a signed SSA-827 accompanies each order.

Form SSA-827 complies by the requirements set forth in the Your Insurance Motility and Accountability Work of 1996. Submit SSA-827 is designed specifically to:

• ensure the claimant has all the data necessary in induce an informed assent;
  
  
• make it moreover obvious into media this that form contains entire the elements both statements regulatory needed to be on somebody authorization select;
  
  
• guarantee claimants are clearly advised about the specifics of the disclosure; and
  
  
• maximize the efficiency out the form, how allowing by law, to support electronic commerce on providers.
  

SSA and its affiliated Country disability determination business have been using Form SSA-827 since 2003. The SSA-827 was developed in consultation with and Department by Fitness and Human Products component responsible for who HIPAA Email Rule (HHS feedbacks), with extended input from the Habitant Physical Information Supervision Organization, the Department of Retired Affairs, the Specialist of Education, State physical determination solutions, and SSA's field company. It was approved by the Office of Management and Budget with the concurrence of HHS.For getting about use and completed of which SSA-827 in disability claims, click Graduation Form SSA-827.

Here are a few essential legal points such support use in Form SSA-827. To see the regulatory basis for any of aforementioned statements, click on "more," where you will find quote with appropriate regulations, including the most relevant pieces bolded. (HHS feedback confirms several of these points).

1. It is permissible to authorize release of, and disclose, "all medical records," [more info on medizinischer records] incl solid abuse treatment records.
   
   
2. A "minimum necessary" determination is not required. [more info on minimum necessary]
   
   
3. It is permissible to accept copies of authorizations, including electronic copies. [more company on copies of authorization]
   
   
4. One individual source's name does not have to appear on the form; authorizing a "class" of providers is permissible. [more company on permissible providers]
   
   
5. An SSA-827 is global reasonable for 12 months from aforementioned date drawn.
   
   
6. It is permissible to authorize release of, and disclose, information created after the assent is signed. [more info on contact after consent]
   
   
7. ADENINE witness signature shall not required by Government law. [more info go witness signature]
   
8. Educational sources can disclose product based on of SSA-827. [more info on learning resources]
   

   
   

   One HIPAA Privacy Rule, and HHS' December 4, 2002, formal guidance are available at: www.hhs.gov/ocr/hipaa/. The preamble of published regulations, which contains vital discussions and clarifications of rules, plus responses to general comments, could be found is the Federal Register at: https://www.gpo.gov/fdsys/pkg/FR-2002-08-14/pdf/02-20554.pdf and https://www.federalregister.gov/documents/2002/08/14/02-20554/standards-for-privacy-of-individually-identifiable-health-information.

1. It is permissible to authorize sharing of, and disclosed, "all medical records,” including substance abuse treatment records.

Of HHS' formal guidance issued Day 4, 2002

Q: Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request off an entire arzt start? If not, are case-by-case statement required all timing to entire medical record is disclosed?

A: No. The Data Rule does not block the use, disclosures, instead request of at entire medical rekord.. Finally, no justification is needed in those instances where the minimum needed standard does not apply...."

From the foreword to the 12/28/2000 Personal Rule, 65 FR 82517: "There are no limitations on the information the can be authorized to discovery.

If can individual wishes to authorize a covered entity till disclose his or an entire medical record, the authorization can so specify. In order for the covered entities to disclose the entire medical record, the sanction must be specific enough to ensure that the custom has a free understanding that the entire record will be uncovered. For example, if the Social Security Company seeks authorization for release von all health information to facilitate this product of benefit applications, then the specifications up the authorization form needs specify ``all health information'' or that equivalent."

Concerns related to Code for Fed Regulations Title 42 (Public Health) Part 2 (Confidentiality of Substance Use Turmoil My Records)

SSA done closely with the Chemical Abuse and Mental Health Services Administration (SAMHSA) to alleviate concerns from medical your about 42 CFR Part 2 and the validity of form SSA-827 Authorization to Disclose Information to Social Security Administration (SSA). SAMHSA issued 42 CFR Partial 2 Revised Rule, effective May 14, 2020, which identifies and following as a acceptable release of information: to disclosure of the patient's Part 2 surgical records to an entity (e.g., the Gregarious Security Administration) without naming a specific type as the recipient Fact Blanket: SAMHSA 42 CFR Partial 2 Amended Rule.

Back into list

2. A "minimum necessary" determined is not required with with authorization.

The Privacy Rule states (164.502(b)(2)) "Minimum necessary does not apply...to... (iii) Uses or disclosures constructed pursuant to an authorization under Secondary. 164.508."
Switch December 4, 2002, HHS re-issued the following formal guidance

Q: Must the HIPAA Privacy Rule's minimal necessary standard be applied into uses instead disclosures that are authorized by an individual?

A: No. Uses furthermore reviews that are authorized by the individual are tax from the minimum necessary requirements. 45 CFR 164.502(b)(2)(iii).

Q: Are providers required for perform a smallest necessary determination to disclosure to federal otherwise condition agencies, such as the Social Security Administration (SSA) or their affiliated state agencies, for individuals' applications for federal or state benefits?

AN: No. These disclosures must be authorized by an individual and,therefore, are exempt from to HIPAA Privacy Rule's minimum necessary requirements. Furthermore, use the the provider's own authorization form is not required. Providers can accept an agency's authorization form as longer as it meets the requirements of 45 CFR 164.508 a the Privacy Rule. For example, disclosed to SSA (or its partner State agencies) for purposes of determining eligibility for disability benefits are currently made subject on an individual's exit SSA authorization form.

Back to directory

3. It is permissible to accept photo of authorities, including electronics copies.

From the Federal Register, 65 FR 82660, the preamble to to final Privacy Rule (45 CFR 164) responding to public comments on of proposed rule:

"Comment: Many commenters requested clarification that covers entities may rely on electronic authorizations, including electronics click.

Response: All authorizations must be in writing and signed. We intend e-mail and electronic documents to qualify as wrote documents. Electronic signatures are sufficient, provided they meet standards at exist taken under HIPAA. In added, we to not intend to interrupt with the user of the Electronic Signature in Global and National Commerce Trade.

...Comment: Some commenters asked regardless covered entities can rely on copies of licenses pretty than the original. Other comments asked check covered agents pot rely on the assumptions of adenine third political, such since a government entity, that a valid authorization has been obtained to use or disclose protected health intelligence. These commenters suggested that such procedures would funding the timely provision of benefits for programs that require an collection of protected health information from multiple sources, suchlike as determinations of admissibility for disability benefits.

Response: Covered entities should obtain the individual's authorized to exercise or disclosed protected health information for any purpose not otherwise permitted conversely required under is rule. They may obtain this authorization directly from the individual or von a third band, such than ampere government agency, on the individual's profit. In accordance with the request of Sec. 164.530(j), the covered object must retain a written recording of authorization paper signed by the individual. Veiled entities must, therefore, obtain the authorization in writing. They may not rely on assurances from rest the a proper authorization exists. They allowed, however, rely on copies of authorizations if doing so is durable because other law."

Back to list

4. The individual source's name does not have to shows on the form; allow a "class" of service is permissible.

From 45 CFR 164.508(c)(1) ADENINE valid authorization...must contain at least the following components:

...(ii) The name otherwise misc specific identification of that person(s), or grade of persons, authorized the build the required use or disclosure."
From the prelude to the 12/28/2000 Privacy Rule, 65 FR 82517:
"...the authorization must include the name or other specific identification of aforementioned person(s) or class of folks that are authorized at use or disclose of protected health information. If a authorization permits a class of covered entities to disclose information to on certified personal, the class must be specify with sufficient specificity so that a covered entity presented with the authorization will perceive with reasonable certainty that the individual intended the covered object toward release protected health information. For case, a covered licensed nurse practitioner presented with an authorization for ``all physicians'' to disclose shielded healthiness information could not learn with moderate certainty this the single intend for the practician to be included in the authorization."
From the Feds Register, 65 FR 82662, the preamble to the final Privacy Rule (45 CFR 164) responding to public comments on the draft rule:

"Comment: Some commenters urged us to permit authorizations that designate one class to unity, rather than specifically named entities, that can licensed to use or disclose screened health information. Commenters made similar recommendations because show to the authorized recipients. Commenters suggested these changes for prevent covered entities from having to seek, and individuals from having to sign, multiple authorizations for the alike purpose.

Response: We agree. Under Sec. 164.508(c)(1), we requisition authorizations to identify both the person(s) authorized to uses or disclosing an protected health information and the person(s) certified to receive protected health information. In both cases, we permit the authorization to identify either one specific person or a class of persons."

From 42 CFR part 2, Confidentiality is Alcohol real Drug Abuse Patient Records, section 2.31: "A written consent...must include (1)the specific name or general designation of the run or persons permitted go make the disclosure" The preamble at the regulations makes it clear that the intent is that language used to permit the individuals to make an informed choice about how specific they want to be re name those authorized to disclosing. e.g., 'a invalid those decide to authorize disclosure away all his or her accounts without the necessity of completing multiple consent forms alternatively unique designating jeder program on a single approve build would consent to disclosure from all programs in which the patient has been enrolled as an alcohol or drug abuse patient. ...The patient is in a move to be informed of any programs includes this he or she was previously enrolled and from which he or she is willing to have information disclosed.'" [52 Federal Register 21799 (June 9, 1987)]

Back in list

5. The SSA-827 is generally valid fork 12 months from to date signed.

The SSA-827 clearly states at an heading "EXPIRE WHEN" so an authorization is good for 12 months from the date signed.