HHS/Office for Civil Rights Feedback on SSA-827
How SSA-827 Meets Requirements
Electronic Signature Process for the SSA-827
SSA and its affiliated State disability determination services use Form SSA-827,
"Authorization to Disclose Information to the Social Security Administration (SSA)"
to obtain medical and other information needed to determine whether or not a
claimant is disabled. Its efficient handling and widespread acceptance are critical
to the success of the disability programs. Each year, we send more than 14 million
requests for information on behalf of claimants, and a signed SSA-827 accompanies
Form SSA-827 complies with the requirements set forth by the Health Insurance Portability and Accountability Act of 1996. Form SSA-827 is designed specifically to:
SSA and its affiliated State disability determination services have been using Form SSA-827 since 2003. The SSA-827 was developed in consultation with the Department of Health and Human Services component responsible for the HIPAA Privacy Rule (HHS feedback), with extensive input from the American Health Information Management Association, the Department of Veterans Affairs, the Department of Education, State disability determination services, and SSA's field offices. It was approved by the Office of Management and Budget with the concurrence of HHS. For instructions about use and completion of the SSA-827 in disability claims, click here.
Here are a few important legal points that support use of Form SSA-827. To see the legal basis for any of the statements, click on "more," where you will find quotations from appropriate regulations, with the most relevant parts bolded. (HHS feedback confirms several of these points).
The HIPAA Privacy Rule, and HHS' December 4, 2002, formal guidance are available at: www.hhs.gov/ocr/hipaa/. The preamble of published regulations, which contains important discussions and clarifications of rules, plus responses to public comments, can be found in the Federal Register at: https://www.gpo.gov/fdsys/pkg/FR-2002-08-14/pdf/02-20554.pdf and https://www.federalregister.gov/documents/2002/08/14/02-20554/standards-for-privacy-of-individually-identifiable-health-information.
1. It is permissible to authorize release of, and disclose, "all medical records," including substance abuse treatment records.
From HHS' formal guidance issued December 4, 2002:
Q: Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record? If not, are case-by-case justifications required each time an entire medical record is disclosed?
A: No. The Privacy Rule does not prohibit the use, disclosure, or request of an entire medical record... Finally, no justification is needed in those instances where the minimum necessary standard does not apply....
From the preamble to the 12/28/2000 Privacy Rule, 65 FR 82517: "There are no limitations on the information that can be authorized for disclosure. If an individual wishes to authorize a covered entity to disclose his or her entire medical record, the authorization can so specify. In order for the covered entity to disclose the entire medical record, the authorization must be specific enough to ensure that the individual has a clear understanding that the entire record will be disclosed. For example, if the Social Security Administration seeks authorization for release of all health information to facilitate the processing of benefit applications, then the description on the authorization form must specify ``all health information'' or the equivalent."
Concerns related to Code of Federal Regulations Title 42 (Public Health) Part 2 (Confidentiality of Substance Use Disorder Patient Records)
SSA worked closely with the Substance Abuse and Mental Health Services Administration (SAMHSA) to alleviate concerns from medical partners about 42 CFR Part 2 and the validity of Form SSA-827, "Authorization to Disclose Information to Social Security Administration (SSA)." SAMHSA issued the 42 CFR Part 2 Revised Rule, effective August 14, 2020, which identifies the following as an acceptable release of information: the disclosure of the patient's Part 2 treatment records to an entity (e.g., the Social Security Administration) without naming a specific person as the recipient (Fact Sheet: SAMHSA 42 CFR Part 2 Revised Rule).
2. A "minimum necessary" determination is not required with an authorization.
The Privacy Rule states (164.502(b)(2)) "Minimum
necessary does not apply...to... (iii) Uses or disclosures made pursuant
to an authorization under Sec. 164.508."
On December 4, 2002, HHS re-issued the following formal guidance:
Q: Must the HIPAA Privacy Rule's minimum necessary
standard be applied to uses or disclosures that are authorized by an
A: No. Uses and disclosures that are authorized by the individual are exempt from the minimum necessary requirements. 45 CFR 164.502(b)(2)(iii).
Q: Are providers required to make a minimum necessary determination to disclose to federal or state agencies, such as the Social Security Administration (SSA) or its affiliated state agencies, for individuals' applications for federal or state benefits?
A: No. These disclosures must be authorized by an individual and, therefore, are exempt from the HIPAA Privacy Rule's minimum necessary requirements. Furthermore, use of the provider's own authorization form is not required. Providers can accept an agency's authorization form as long as it meets the requirements of 45 CFR 164.508 of the Privacy Rule. For example, disclosures to SSA (or its affiliated State agencies) for purposes of determining eligibility for disability benefits are currently made subject to an individual's completed SSA authorization form.
3. It is permissible to accept copies of authorizations, including electronic copies.
From the Federal Register, 65 FR 82660, the preamble to the final Privacy Rule (45 CFR 164) responding to public comments on the proposed rule:
"Comment: Many commenters requested clarification
that covered entities may rely on electronic authorizations, including
Response: All authorizations must be in writing and signed. We intend e-mail and electronic documents to qualify as written documents. Electronic signatures are sufficient, provided they meet standards to be adopted under HIPAA. In addition, we do not intend to interfere with the application of the Electronic Signature in Global and National Commerce Act.
...Comment: Some commenters asked whether covered entities can rely on copies of authorizations rather than the original. Other comments asked whether covered entities can rely on the assurances of a third party, such as a government entity, that a valid authorization has been obtained to use or disclose protected health information. These commenters suggested that such procedures would promote the timely provision of benefits for programs that require the collection of protected health information from multiple sources, such as determinations of eligibility for disability benefits.
Response: Covered entities must obtain the individual's authorization to use or disclose protected health information for any purpose not otherwise permitted or required under this rule. They may obtain this authorization directly from the individual or from a third party, such as a government agency, on the individual's behalf. In accordance with the requirements of Sec. 164.530(j), the covered entity must retain a written record of authorization forms signed by the individual. Covered entities must, therefore, obtain the authorization in writing. They may not rely on assurances from others that a proper authorization exists. They may, however, rely on copies of authorizations if doing so is consistent with other law."
4. An individual source's name does not have to appear on the form; authorizing a "class" of providers is permissible.
From 45 CFR 164.508(c)(1): "A valid authorization...must contain at least the following elements:
...(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure."
From the preamble to the 12/28/2000 Privacy Rule, 65 FR 82517:
"...the authorization must include the name or other specific identification of the person(s) or class of persons that are authorized to use or disclose the protected health information. If an authorization permits a class of covered entities to disclose information to an authorized person, the class must be stated with sufficient specificity so that a covered entity presented with the authorization will know with reasonable certainty that the individual intended the covered entity to release protected health information. For example, a covered licensed nurse practitioner presented with an authorization for ``all physicians'' to disclose protected health information could not know with reasonable certainty that the individual intended for the practitioner to be included in the authorization."
From the Federal Register, 65 FR 82662, the preamble to the final Privacy Rule (45 CFR 164) responding to public comments on the proposed rule:
"Comment: Some commenters urged us to permit authorizations that designate a class of entities, rather than specifically named entities, that are authorized to use or disclose protected health information. Commenters made similar recommendations with respect to the authorized recipients. Commenters suggested these changes to prevent covered entities from having to seek, and individuals from having to sign, multiple authorizations for the same purpose.
Response: We agree. Under Sec. 164.508(c)(1), we require authorizations to identify both the person(s) authorized to use or disclose the protected health information and the person(s) authorized to receive protected health information. In both cases, we permit the authorization to identify either a specific person or a class of persons."
From 42 CFR part 2, Confidentiality of Alcohol and Drug Abuse Patient Records, section 2.31: "A written consent...must include (1) the specific name or general designation of the program or persons permitted to make the disclosure." The preamble to the regulations makes it clear that the intent of that language was to permit the individual to make an informed choice about how specific they want to be in designating those authorized to disclose, e.g., "a patient who chooses to authorize disclosure of all his or her records without the necessity of completing multiple consent forms or individually designating each program on a single consent form would consent to disclosure from all programs in which the patient has been enrolled as an alcohol or drug abuse patient. ...The patient is in a position to be informed of any programs in which he or she was previously enrolled and from which he or she is willing to have information disclosed." [52 Federal Register 21799 (June 9, 1987)]
5. The SSA-827 is generally valid for 12 months from the date signed.
The SSA-827 clearly states at the heading "EXPIRE WHEN" that the authorization is good for 12 months from the date signed.
6. It is permissible to authorize release of, and disclose, information created after the consent is signed.
From the U.S. Federal Register, 65 FR 82662, the preamble to the final Privacy Rule (45 CFR 164) responding to public comments on the proposed rule:
"Comment: Some commenters requested
clarification that covered entities are permitted to seek authorization
at the time of enrollment or when individuals otherwise first interact
with covered entities. Similarly, commenters requested clarification
that covered entities may disclose protected health information created
after the date the authorization was signed but prior to the expiration
date of the authorization. These commenters were concerned
that otherwise multiple authorizations would be required to accomplish
a single purpose. Other comments suggested that we prohibit prospective
authorizations (i.e., authorizations requested prior to the creation
of the protected health information to be disclosed under the authorization)
because it is not possible for individuals to make informed decisions
about these authorizations.
Response: We confirm that covered entities may act on authorizations signed in advance of the creation of the protected health information to be released. We note, however, that all of the required elements must be completed, including a description of the protected health information to be used or disclosed pursuant to the authorization. This description must identify the information in a specific and meaningful fashion so that the individual can make an informed decision as to whether to sign the authorization."
7. A witness signature is not required by Federal law.
From the U.S. Federal Register, 65 FR 82518,
the preamble to the final Privacy Rule (45 CFR 164) responding to public
comments on the proposed rule: "We do not require verification of the
individual's identity or authentication of the individual's signature."
From 65 FR 82660: "Comment: We requested comments on reasonable steps that a covered entity could take to be assured that the individual who requests the disclosure is whom she or he purports to be. Some commenters stated that it would be extremely difficult to verify the identity of the person signing the authorization, particularly when the authorization is not obtained in person. Other comments recommended requiring authorizations to be notarized.
Response: To reduce burden on covered entities, we are not requiring verification of the identities of individuals signing authorization forms or notarization of the forms."
8. Educational sources can disclose information based on the SSA-827.
SSA worked closely with the Department of Education to ensure the language of the SSA-827 meets the legal requirements for disclosure of educational information contained in the Family Educational Rights and Privacy Act (FERPA, 34 CFR part 99) and the Individuals with Disabilities Education Act (IDEA, 34 CFR part 300). The form specifies:
Social Security Administration
Office of Disability Policy