Medical/Professional Relations

How SSA-827 Meets Requirements for Authorization to Disclose Information

45 Code Federal Regulations (CFR) 164.508(c) (HIPAA Privacy Rule) Implementation specifications: 

(1)  Core elements required: 

A valid authorization under this section must contain at least the following elements:

(i)               Description of information to be disclosed
A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
(Also required by
42 CFR Part 2).

View SSA-827 language that meets requirements

(ii)             Person or class authorized to disclose
The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. 

View SSA-827 language that meets requirements

(iii)            The person or class to whom disclosed
The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.

View SSA-827 language that meets requirements

(iv)           Purpose of disclosure
A description of each purpose of the requested use or disclosure. The statement "at the request of the of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.  

View SSA-827 language that meets requirements

(v)             Expiration date
An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.  The statement "end of the research study," "none," or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.  

View SSA-827 language that meets requirements

(vi)           Signature and date
Signature of the individual and date.  If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.  

View SSA-827 language that meets requirements

(2)  Required statements

In addition to the core elements, the authorization must contain
statements adequate to place the individual on notice of all of the following:

(i)              The individual's right to revoke the authorization in writing, by stating either:   

(A) The exceptions to the right to revoke; or

View SSA-827 language that meets requirements

(B) A description of how the individual may revoke the authorization.

View SSA-827 language that meets requirements

(ii)              The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either: 

(A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or

View SSA-827 language that meets requirements

(B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.

View SSA-827 language that meets requirements

(iii)            The potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be protected by this subpart.

View SSA-827 language that meets requirements

Note:      SSA is also aware of the strict limits on re-disclosure of information covered by 42 CFR Part 2 and specifically addresses this on the SSA-827.

View SSA-827 language that meets requirements

Conclusion of DHHS

As these statements demonstrate, the Privacy Rule affords significant flexibility to covered entities and others to authorization forms that meet their needs, yet which permit individuals to understand fully the authorizations they are asked to sign. The rule specifies the elements of a valid authorization, but does not mandate any particular form by which individuals may authorize disclosure of their health information".
(April 25, 2003 DHHS letter)

Other Considerations

  • Witness - A witness signature is not required by the DHHS Privacy Rule, but SSA routinely tries to obtain one as a service to the source of information. Under 45 CFR 164.508(b)(2)(ii), an authorization is not valid if it has not been filled out completely with respect to the core elements. It should be noted that a witness signature is not a core element or requirement. Optional elements (e.g., witness signature) can be left blank or used as needed (e.g., to meet State law).


Details of how SSA-827 meets requirements

The following language is extracted from the SSA-827.


All records and other information regarding my treatment, hospitalization, and outpatient care
for my impairment(s) including, and not limited to: 

--Psychological, psychiatric or other mental impairment(s) (excludes "psychotherapy notes" as defined in 45 CFR 164.501) 

--Drug abuse, alcoholism, or other substance abuse 

--Sickle cell anemia 

--Records which may indicate the presence of a communicable or noncommunicable disease and tests for or records of HIV/AIDS

--Gene-related impairments (including genetic test results)  

Information created within 12 months after the date this authorization is signed, as well as past information.

Note: "For example, if the Social Security Administration seeks authorization for release of all health information to facilitate the processing of benefit applications, then the description on the authorization form must specify "all health information" or the equivalent."  (65 Federal Register 82517, December 28, 2000)  "Disclosures to SSA . made pursuant to an individual's completed SSA-827 authorization form, or any other valid authorization, are exempt from the minimum necessary requirements of the Privacy Rule." (April 25, 2003  DHHS letter).

Back to Top


  • All medical sources (hospitals, clinics, labs, physicians, psychologists, etc.) including mental health, correctional, addiction treatment, and VA health care facilities
  • All educational sources (schools, teachers, records administrators, counselors, etc.)
  • Social workers/rehabilitation counselors
  • Consulting examiners used by SSA
  • Employers, insurance companies, workers' compensation programs
  • Others who may know about my condition (family, neighbors, friends, public officials)

Note: "One authorization form may be used to authorize disclosures by categories of covered entities, without naming particular covered entities." 
(April 25, 2003 DHHS letter).

Back to Top


The Social Security Administration and to the State agency authorized to process my case (usually called "disability determination services"), including contract copy services, and doctors or other professionals consulted during the process.  [Also, for international claims, to the U.S. Department of State Foreign Service Post.]

Note: "[A]n authorization could be completed by an individual and given to a government agency, authorizing the agency to receive medical information from any health care provider that has treated the individual within a defined period of time.  Such an authorization is permissible if it sufficiently identifies the government entity that is authorized to receive the disclosed protected health information."  (65 FR 82518, December 28, 2000).

Back to Top


Determining my eligibility for benefits, including looking at the combined effect of any impairments that by themselves would not meet SSA's definition of disability; and whether I can manage such benefits.

Note: "[O]ne authorization form may be used when disclosure of the same protected health information is being sought for multiple purposes, as long as an authorization for the disclosure of psychotherapy notes is not combined with an authorization for the disclosure of any other protected health information."
(April 25, 2003 DHHS letter).

Back to Top


This authorization is good for 12 months from the date signed (below my signature).

Note: "A covered entity may disclose the protected health information specified in the authorization, even if that information was created after the authorization is signed, as long as the authorization has not expired or been revoked in writing." (April 25, 2003 DHHS letter).

Back to Top

INDIVIDUAL authorizing disclosure

  • The individual must sign and date this authorization, and provide his or her street address, city, state and zip code and telephone number with area code.
  • IF not signed by subject of disclosure, specify basis for the authority to sign. Check the appropriate box on the English SSA-827 to indicate whether the person signing is the parent of a minor, guardian, or other personal representative (explain). Sign the English SSA-827 in the space provided if a second signature is required by law. 

Witness: In this section of the English SSA-827, one who knows the person signing the form should sign as a witness and provide his or her phone number or address. There is space for a second witness if needed.

Note: "All authorizations must be in writing and signed. We intend e-mail and electronic documents to qualify as formal written documents." (65 FR 82660, December 28, 2000) "We do not require verification of the individual's identity or authentication of the individual's signature." (65 FR 82518, December 28, 2000) "A copy, facsimile, or electronically transmitted version of a signed authorization is also a valid authorization under the Privacy Rule." (April 25, 2003 DHHS letter).

Back to Top


  • I may write to SSA and my sources to revoke this authorization at any time.

  • You have the right to revoke this authorization at any time, except to the extent a source of information has already relied on it to take an action.  To revoke, send a written statement to any Social Security Office.  If you do, also send a copy directly to any of your sources that you no longer wish to disclose information about you; SSA can tell you if we identified any sources you didn't tell us about.  SSA may use information disclosed prior to revocation to decide your claim.


  • A covered entity (that is, a source of medical information about you) may not condition treatment, payment, enrollment, or eligibility for benefits on whether you sign this authorization form.

Back to Top


Signing this form is voluntary, but failing to sign it, or revoking it before we receive necessary information, could prevent an accurate or timely decision on your claim, and could result in denial or loss of benefits.  Although the information we obtain with this form is almost never used for any purpose other than those stated above, the information may be disclosed by SSA without your consent if authorized by Federal laws such as the Privacy Act and the Social Security Act. 

For example, SSA may disclose information: 

1. To enable a third party (e.g., consulting physicians) or other government agency to assist SSA to establish rights to Social Security benefits and/or coverage;

2. Pursuant to law authorizing the release of information from Social Security records (e.g., to the Inspector General, to Federal or State benefit agencies or auditors, or to the Department of Veterans Affairs (VA);

3. For statistical research and audit activities necessary to ensure the integrity and improvement of the Social Security programs (e.g., to the Bureau of the Census and private concerns under contract with SSA).

Back to Top


All personal information SSA collects is protected by the Privacy Act of 1974.  Once medical information is disclosed to SSA, it is no longer protected by the health information privacy provisions of 45 CFR part 164 (mandated by the Health Insurance Portability and Accountability Act (HIPAA).  SSA retains personal information in strict adherence to the retention schedules established and maintained in conjunction with the National Archives and Records Administration.  At the end of a record's useful life cycle, it is destroyed in accordance with the privacy provisions, as specified in 36 CFR part 1228.

Back to Top


SSA will not redisclose without proper prior written consent information: (1) relating to alcohol and/or drug abuse as covered in 42 CFR part 2.

Note:  42 CFR part 2 provides at section 2.31 that "[a] written consent . must include (1) the specific name or general designation of the program or persons permitted to make the disclosure.." The preamble to these regulations explains "a patient who chooses to authorize disclosure of all his or her records without the necessity of completing multiple consent forms or individually designating each program on a single consent form would consent to disclosure from all programs in which the patient has been enrolled .."
(52 FR 21799, June 9, 1987).


Social Security Administration
February 2012

Back to Top