HIPAA and the Social Security Disability
Information for Consultative Examination Providers
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) affects an extensive range of health care issues. The major intent of HIPAA is to provide better access to health insurance, reduce administrative costs, limit fraud and abuse, and protect the privacy of health information. As required by HIPAA, the Department of Health and Human Services (HHS) adopted uniform standards for the privacy of individually identifiable health information (the "Privacy Rule") in 2002. The Privacy Rule, as revised in 2013, regulates most health care providers, health care clearinghouses, and health plans, and their formal business associates.
This fact sheet provides answers to frequently asked questions about the impact of the Privacy Rule on the Consultative Examinations (CE) you perform for the State Disability Determinations Services (DDS). The information here does not constitute formal legal advice, and health care providers need to assess their own legal obligations.
Q. Who is a covered entity under HIPAA?
A. All health plans and health care clearinghouses are covered by HIPAA, as are health care providers who conduct certain financial and administrative transactions electronically. It is each provider's responsibility to determine his or her covered status (45 CFR 160.102).
Need to find out about covered status? A useful decision tool is available from the Centers for Medicare & Medicaid Services (CMS) at https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AreYouaCoveredEntity.html.
SSA and the DDSs are not covered entities when handling Social Security workloads. As agents of the State DDS and SSA, CE providers still have obligations under the Privacy Act of 1974, as revised.
Q. Is a purely diagnostic CE a covered health
A. It is SSA's assessment that the nature of the work performed by a health care professional who conducts a CE for SSA does fall within the range of functions included in the definitions of "health care provider" (45 CFR part 160.103) and "treatment" (45 CFR 164.501). It is the responsibility of each CE provider to determine if he or she is a "covered entity" based on the other requirements of the rules.
Q. If I perform CEs for the DDS, what must I do to comply with HIPAA?
A. If you determine that you are covered, the Privacy Rule has requirements, among others, for you to provide the individual with a notice of the patient's rights and your privacy practices (45 CFR 164.520), and for you to receive a written acknowledgment of the receipt of the notice, or documentation of your good faith effort to obtain such an acknowledgment. (The August 2002 revision to the Privacy Rule removed the requirement for a signed consent from the patient/claimant to provide health care, but replaced it with an acknowledgment of notice.)
Covered entities also have an obligation to release only information as permitted by the Privacy Rule. One permitted way is pursuant to an authorization form filled out by the individual whose records are to be released. The DDS will provide you with a signed, HIPAA-compliant authorization form--SSA-827, "Authorization to Disclose Information to the Social Security Administration (SSA)"-- to disclose protected health information to SSA (45 CFR 164.508). The form has been recently revised to satisfy a range of requirements related to the Privacy Rule and other federal authorities. We hope you choose to rely on this SSA form, signed by the claimant, as sufficient authorization to disclose your report to SSA/DDS.
NOTE: The Privacy Rule permits providers to accept a copy (photocopy, scan, fax) of a signed authorization. It does not require an original form. The Privacy Rule also does not require that an individual source's name appear on the authorization. The Privacy Rule permits a consent form to describe a "class of persons" authorized to disclose; hence, the new revised SSA-827 specifies "consulting examiners used by SSA." The rule also permits an individual to authorize the release of information created after the authorization is signed, as long as the authorization has not expired. The form SSA-827 contains language for such prospective authorization and states that the consent is good until its expiration one year from the date of signing.
If you choose to have the individual sign your own authorization form rather than relying on the signed SSA-827, provisions at 45 CFR 164.508(b)(3) and (b)(4) address "compound authorizations" and the "prohibition on conditioning of authorizations." Also, covered entities that seek an authorization from the individual are required to provide the individual with a copy of the signed authorization form (45 CFR 164.508(c)(4)).
Q. Am I obligated to maintain a copy of the CE report?
A. SSA does not require you to maintain a copy of the report. You may be required to keep a copy of the report in your arrangement with the State DDS.
Q. If I keep a copy of the CE report, how do I respond to requests for it?
A. You should direct all requests for CE reports to the DDS. Even though you may be covered by the HIPAA Privacy Rule, you still must also comply with all of SSA's rules regarding disclosure of information and access to information that you gather and maintain while performing work for SSA. The Privacy Act of 1974, as amended, Section 1106 of the Social Security Act, and our regulations at 20 CFR part 401 concern disclosure of information and access to information. If you receive a request for information, forward the request to the DDS for processing.
Q. What happens if the patient wants to change something in the CE report that we provided to the DDS?
A. Refer all requests for amendment of CE reports to the DDS because SSA has rules regarding correcting records that need to be followed. Although you may also have obligations under 45 CFR 164.526 with respect to amending information generally, it is important that SSA's rules are followed with respect to information used in SSA's programs.
Q. Do special provisions need to be made if I use transcription and/or interpreter services provided by the DDS?
A. No, the businesses that provide such services are functioning as agents of SSA/DDS and, therefore, the disclosure of information to them is authorized by the SSA-827. However, if you are a covered entity under the Privacy Rule, such services employed at your expense may be considered "business associates" under the rule, requiring a contract or agreement (45 CFR 164.504).
Q. Where can I obtain additional information?
A. The official HHS information source for the HIPAA Privacy Rule is www.hhs.gov/ocr/hipaa/, which provides links to other HIPAA information, including HHS' December 2003 guidance, an easy-to-read discussion of some of the key issues.
The American Medical Association (AMA) also provides useful HIPAA information at https://www.ama-assn.org/practice-management/hipaa-compliance.