In April 2012, the Social Security Administration began allowing recipients of social security to file requests for medical records electronically (Form SSA-827). These requests are now making their way to providers, who (rightfully so) are scratching their heads when a request for medical records arrives from "John Doe" signed "John Doe - signed electronically" without a traditional written signature.

In a letter, copying the Secretary of the Department of Health and Human Services, the Social Security Administration explained that it has considered the HIPAA requirements, and that it is abiding by them.

The Social Security Administration's analysis is as follows (internal citations omitted): 

"Under HHS' Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, covered entities (such as the doctors and hospitals from whom SSA gets records in order to decide benefit claims) must have a signed and dated authorization before releasing information to SSA. Many states have similar medical privacy laws.  HHS has stated that a covered entity such as a doctor or hospital does not need to verify the identity of the purported signer of a document. ("We do not require verification of the individual's identity or authentication of the individual's signature.").  HHS has a statutory duty to issue standards with respect to electronic signatures, but thus far has not completed issuance of a final rule with such standards.  In the absence of such detailed standards, the broad E-SIGN Act provides a general framework as to what constitutes a valid electronic signature. The definition of an electronic signature found in the E-SIGN Act (and in the model Uniform Electronic Transactions Act adopted by almost all states) reads:  'The term 'electronic signature' means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."  

Additionally, and although not binding, the HHS website states: "Further, the Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided any electronic signature is valid under applicable law."

Many providers are wondering whether they may accept electronically signed medical releases submitted to them from the Social Security Administration. So long as providers verify that they have received the proper form, verify that it came from the Social Security Administration, and release records only to the Social Security Administration, the analysis done by the Social Security Administration and the Department of Health and Human Services' acquiescence to the process provide a great deal of support for releasing the records.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.