Information about the applicability of the HIPAA Privacy regulations to the Social Security Administration.
The medical record and health information privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) went into effect on April 14, 2003. In order to comply with HIPAA, hospital, clinics, and other health care facilities have tightened their procedures for releasing medical information, and in many cases are insisting that advocates use the facility's authorization form. SSA has revised the authorization form it (and the Disability Determination Services) uses to collect medical information on claimants so that it is HIPAA compliant. This form, the SSA-827(2-2003), is available on SSA's website at https://www.ssa.gov/forms/ssa-827.pdf.
However, the new HIPAA/Privacy Rule regulations do not change SSA/DDS policy with respect to the disclosure of medical information by SSA or the DDS. SSA and the DDSs themselves are not covered by HIPAA or the Privacy Rule when processing Social Security cases. The Privacy Act of 1974, as amended, still controls. Once health information protected by the HIPAA Privacy Rule is released to a non-covered entity such as SSA, the HIPPA Privacy Rule ceases to apply to the released information. The bottom line is that the release forms currently being used by advocates in dealing with SSA and DDS do not need to be modified because of HIPAA.
An SSA fact sheet on HIPAA is attached. See page 2 of the fact sheet addressing the noncovered entity status of SSA and DDS. Page 5 addresses the issue of re-disclosure of medical information received by SSA/DDS. For more information about the HIPAA privacy rules, go to https://www.hhs.gov/hipaa/index.html.