Social Security Online
SSA Introduces Revised Form to Authorize Disclosure of Information
The HIPAA Privacy Rule, and HHS' December 4, 2002, formal guidance are available at: www.hhs.gov/ocr/hipaa/. The preamble of published regulations, which contains important discussions and clarifications of rules, plus responses to public comments, can be found by searching the Federal Register at: www.gpoaccess.gov/fr/index.html. To find other specific regulations (e.g., 42 CFR part 2) use: http://www.gpoaccess.gov/cfr/index.html
1. It is permissible to authorize release of, and disclose, "all medical records".
From HHS' formal guidance issued December 4, 2002:
"Q: Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record? If not, are case-by-case justifications required each time an entire medical record is disclosed?
A: No. The Privacy Rule does not prohibit the use, disclosure, or request of an entire medical record... Finally, no justification is needed in those instances where the minimum necessary standard does not apply...."
From the preamble to the 12/28/2000 Privacy Rule, 65 FR 82517: "There are no limitations on the information that can be authorized for disclosure.
If an individual wishes to authorize a covered entity to disclose his or her entire medical record, the authorization can so specify. In order for the covered entity to disclose the entire medical record, the authorization must be specific enough to ensure that the individual has a clear understanding that the entire record will be disclosed. For example, if the Social Security Administration seeks authorization for release of all health information to facilitate the processing of benefit applications, then the description on the authorization form must specify ``all health information'' or the equivalent."
2. A "minimum necessary" determination is not required with an authorization.
The Privacy Rule states (164.502(b)(2)) "Minimum necessary does not apply...to... (iii) Uses or disclosures made pursuant to an authorization under Sec. 164.508."
On December 4, 2002, HHS re-issued the following formal guidance:
"Q: Must the HIPAA Privacy Rule's minimum necessary standard be applied to uses or disclosures that are authorized by an individual?
A: No. Uses and disclosures that are authorized by the individual are exempt from the minimum necessary requirements. 45 CFR 164.502(b)(2)(iii).
Q: Are providers required to make a minimum necessary determination to disclose to federal or state agencies, such as the Social Security Administration (SSA) or its affiliated state agencies, for individuals' applications for federal or state benefits?
A: No. These disclosures must be authorized by an individual and, therefore, are exempt from the HIPAA Privacy Rule's minimum necessary requirements. Furthermore, use of the provider's own authorization form is not required. Providers can accept an agency's authorization form as long as it meets the requirements of 45 CFR 164.508 of the Privacy Rule. For example, disclosures to SSA (or its affiliated State agencies) for purposes of determining eligibility for disability benefits are currently made subject to an individual's completed SSA authorization form." [SSA has since revised its authorization form as required]
3. It is permissible to accept copies of authorizations, including electronic copies.
From the Federal Register, 65 FR 82660, the preamble to the final Privacy Rule (45 CFR 164) responding to public comments on the proposed rule:
"Comment: Many commenters requested clarification that covered entities may rely on electronic authorizations, including electronic signatures.
Response: All authorizations must be in writing and signed. We intend e-mail and electronic documents to qualify as written documents. Electronic signatures are sufficient, provided they meet standards to be adopted under HIPAA. In addition, we do not intend to interfere with the application of the Electronic Signature in Global and National Commerce Act.
...Comment: Some commenters asked whether covered entities can rely on copies of authorizations rather than the original. Other comments asked whether covered entities can rely on the assurances of a third party, such as a government entity, that a valid authorization has been obtained to use or disclose protected health information. These commenters suggested that such procedures would promote the timely provision of benefits for programs that require the collection of protected health information from multiple sources, such as determinations of eligibility for disability benefits.
Response: Covered entities must obtain the individual's authorization to use or disclose protected health information for any purpose not otherwise permitted or required under this rule. They may obtain this authorization directly from the individual or from a third party, such as a government agency, on the individual's behalf. In accordance with the requirements of Sec. 164.530(j), the covered entity must retain a written record of authorization forms signed by the individual. Covered entities must, therefore, obtain the authorization in writing. They may not rely on assurances from others that a proper authorization exists. They may, however, rely on copies of authorizations if doing so is consistent with other law."
4. An individual source's name does not have to appear on the form; authorizing a "class" of providers is permissible.
From 45 CFR 164.508(c)(1): "A valid authorization...must contain at least the following elements:
...(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure."
From the preamble to the 12/28/2000 Privacy Rule, 65 FR 82517:
"...the authorization must include the name or other specific identification of the person(s) or class of persons that are authorized to use or disclose the protected health information. If an authorization permits a class of covered entities to disclose information to an authorized person, the class must be stated with sufficient specificity so that a covered entity presented with the authorization will know with reasonable certainty that the individual intended the covered entity to release protected health information. For example, a covered licensed nurse practitioner presented with an authorization for ``all physicians'' to disclose protected health information could not know with reasonable certainty that the individual intended for the practitioner to be included in the authorization."
From the Federal Register, 65 FR 82662, the preamble to the final Privacy Rule (45 CFR 164) responding to public comments on the proposed rule:
"Comment: Some commenters urged us to permit authorizations that designate a class of entities, rather than specifically named entities, that are authorized to use or disclose protected health information. Commenters made similar recommendations with respect to the authorized recipients. Commenters suggested these changes to prevent covered entities from having to seek, and individuals from having to sign, multiple authorizations for the same purpose.
Response: We agree. Under Sec. 164.508(c)(1), we require authorizations to identify both the person(s) authorized to use or disclose the protected health information and the person(s) authorized to receive protected health information. In both cases, we permit the authorization to identify either a specific person or a class of persons."
From 42 CFR part 2, Confidentiality of Alcohol and Drug Abuse Patient Records, section 2.31: "A written consent...must include (1) the specific name or general designation of the program or persons permitted to make the disclosure". The preamble to the regulations makes it clear that the intent of that language was to permit the individual to make an informed choice about how specific they want to be in designating those authorized to disclose, e.g., 'a patient who chooses to authorize disclosure of all his or her records without the necessity of completing multiple consent forms or individually designating each program on a single consent form would consent to disclosure from all programs in which the patient has been enrolled as an alcohol or drug abuse patient. ...The patient is in a position to be informed of any programs in which he or she was previously enrolled and from which he or she is willing to have information disclosed.' [52 Federal Register 21799 (June 9, 1987)]
The SSA-827 is generally valid for 12 months from the date signed with
The SSA-827 clearly states at the heading "EXPIRE WHEN" that the authorization is good for 12 months from the date signed.
Two states, Indiana and Nebraska, and the Commonwealth of Puerto Rico have laws (see below) that limit the life of an authorization form to less than 12 months. In addition, Ohio law requires that the requester "shall submit to the health care provider a written request signed by the patient dated not more than sixty days before the date on which it is submitted" (Ohio Revised Code, section 3701.74(B)). The SSA-827 is then valid for the remainder of the 12 months once it is timely submitted to the health provider.
Indiana law provides that a patient may authorize the release of copies of the patient's health records (excluding mental health records) and that these authorizations are valid for 60 days after the date the authorization is made. Ind. Code Ann. § 16-39-1-1(e) (West 2003). The patient may also authorize the release of copies of mental health records, and such a release must contain a date, event, or condition upon which the consent will expire, if not previously revoked. Ind. Code Ann. § 16-39-2-5(c)(8), (9) (West 2003). If the mental health record authorization does not otherwise specify, it will be valid for only 180 days after the date the authorization is made. Ind. Code Ann. § 16-39-2-5(d) (West 2003).
Nebraska statutes address expiration of authorization forms for the release of medical and other information. Neb. Rev. St. § 71.8403 provides that an authorization "shall be in writing and shall be valid for one hundred eighty days after the date of execution by the patient."
consent for the release of information related to mental health services is valid for only six months. The Puerto Rico legislature's Office of Legislative Services provided us with the following translation of the relevant provision of section 2.10 of Act No. 408 of October 2, 2000, known as the "Puerto Rico Mental Health Act".
"The express authorization shall be stated in a written document, which shall expire six (6) months after the date it was signed, without impairing the right of the authorizing person to revoke it at any time."
6. It is permissible to authorize release of, and disclose, information created after the consent is signed.
From the U.S. Federal Register, 65 FR 82662, the preamble to the final Privacy Rule (45 CFR 164) responding to public comments on the proposed rule:
"Comment: Some commenters requested clarification that covered entities are permitted to seek authorization at the time of enrollment or when individuals otherwise first interact with covered entities. Similarly, commenters requested clarification that covered entities may disclose protected health information created after the date the authorization was signed but prior to the expiration date of the authorization. These commenters were concerned that otherwise multiple authorizations would be required to accomplish a single purpose. Other comments suggested that we prohibit prospective authorizations (i.e., authorizations requested prior to the creation of the protected health information to be disclosed under the authorization) because it is not possible for individuals to make informed decisions about these authorizations.
Response: We confirm that covered entities may act on authorizations signed in advance of the creation of the protected health information to be released. We note, however, that all of the required elements must be completed, including a description of the protected health information to be used or disclosed pursuant to the authorization. This description must identify the information in a specific and meaningful fashion so that the individual can make an informed decision as to whether to sign the authorization."
7. A witness signature is not required by Federal law, but SSA routinely tries to obtain one as a service to the source of information.
From the U.S. Federal Register, 65 FR 82518, the preamble to the final Privacy Rule (45 CFR 164) responding to public comments on the proposed rule: "We do not require verification of the individual's identity or authentication of the individual's signature."
From 65 FR 82660: "Comment: We requested comments on reasonable steps that a covered entity could take to be assured that the individual who requests the disclosure is whom she or he purports to be. Some commenters stated that it would be extremely difficult to verify the identity of the person signing the authorization, particularly when the authorization is not obtained in person. Other comments recommended requiring authorizations to be notarized.
Response: To reduce burden on covered entities, we are not requiring verification of the identities of individuals signing authorization forms or notarization of the forms."
8. Educational sources can disclose information based on the SSA-827.
SSA worked closely with the Department of Education to ensure the language of the SSA-827 meets the legal requirements for disclosure of educational information contained in the Family Educational Rights and Privacy Act (FERPA, 34 CFR part 99) and the Individuals with Disabilities Education Act (IDEA, 34 CFR part 300). The form specifies:
Social Security Administration
Office of Disability Programs
Last reviewed or modified Tuesday Jun 17, 2008