In April 2012, the Social Security Administration began allowing
recipients of social security to file requests for medical
records electronically (Form SSA-827). These requests are now
making their way to providers, who (rightfully so) are
scratching their heads when a request for medical records arrives
from "John Doe" signed "John Doe - signed
electronically" without a traditional written signature.
In a letter, copying the Secretary of the
Department of Health and Human Services, the Social Security
Administration explained that it has considered the HIPAA
requirements, and that it is abiding by them.
The Social Security Administration's analysis is as follows (internal citations
"Under HHS' Health Insurance Portability and
Accountability Act (HIPAA) Privacy Rule, covered entities (such as
the doctors and hospitals from whom SSA gets records in order to
decide benefit claims) must have a signed and dated authorization
before releasing information to SSA. Many states have similar
medical privacy laws. HHS has stated that a covered entity
such as a doctor or hospital does not need to verify the identity
of the purported signer of a document. ("We do not require
verification of the individual's identity or authentication of
the individual's signature."). HHS has a statutory
duty to issue standards with respect to electronic signatures, but
thus far has not completed issuance of a final rule with such
standards. In the absence of such detailed standards, the
broad E-SIGN Act provides a general framework as to what
constitutes a valid electronic signature. The definition of an
electronic signature found in the E-SIGN Act (and in the model
Uniform Electronic Transactions Act adopted by almost all states)
reads: 'The term 'electronic signature' means an
electronic sound, symbol, or process, attached to or logically
associated with a contract or other record and executed or adopted
by a person with the intent to sign the
Additionally, and although not binding, the HHS website states "Further, the
Privacy Rule allows HIPAA authorizations to be obtained
electronically from individuals, provided any electronic signature
is valid under applicable law."
Many providers are wondering whether they may accept
electronically signed medical releases being submitted to them from
the Social Security Administration. So long as providers
verify that they have received the proper form, verify that it came
from the Social Security Administration and only release records to
the Social Security Administration, the analysis done by the Social
Security Administration and the Department of Health and Human
Services' acquiescence to the process provide a great deal of
support for releasing the records.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.