Consultative Examination Guidelines
Medical/Professional Relations
HIPAA and the Social Security Disability
Programs
Information for Consultative Examination Providers
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) affects an extensive range of health care issues. The major intent of HIPAA is to provide better access to health insurance, reduce administrative costs, limit fraud and abuse, and protect the privacy of health information. As required by HIPAA, the Department of Health and Human Services' (HHS) adopted uniform standards for the privacy of individually identifiable health information (the "Privacy Rule") in 2002. The Privacy Rule, as revised in 2013, regulates most health care providers, health care clearinghouses, and health plans, and their formal business associates.
This fact sheet provides answers to frequently asked questions about the impact of the Privacy Rule on the Consultative Examinations (CE) you perform for the State Disability Determinations Services (DDS). The information here does not constitute formal legal advice, and health care providers need to assess their own legal obligations.
Q. Who is a covered entity under HIPAA?
A. All health plans and health care clearinghouses are covered
by HIPAA, as are health care providers who conduct certain financial and
administrative transactions electronically. It is each provider's responsibility
to determine his or her covered status (45 CFR 160.102).
Need to find out about covered status? A useful decision tool is available
by the Centers for Medicare & Medicaid Services (CMS) at https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AreYouaCoveredEntity.html.
SSA and the DDSs are not covered entities when handling Social Security
workloads. As an agent of the State DDS and SSA, CE providers still have
obligations under the Privacy Act of 1974, as revised.
Q. Is a purely diagnostic CE a covered health
care function?
A. It is SSA's assessment that the nature of the work performed
by a health care professional who conducts a CE for SSA does fall within
the range of functions included in the definitions of "health care
provider" (45 CFR part 160.103) and "treatment" (45 CFR
164.501). It is the responsibility of each CE provider to determine if
he or she is a "covered entity" based on the other requirements
of the rules.
Q. If I perform CEs for the DDS, what must I do to comply with HIPAA?
A. If you determine that you are covered, the Privacy Rule
has requirements, among others, for you to provide the individual with
a notice of the patient's rights and your privacy practices (45
CFR 164.520), and for you to receive a written acknowledgment of
the receipt of the notice, or documentation of your good faith effort
to obtain such an acknowledgment. (The August 2002 revision to the Privacy
Rule removed the requirement for a signed consent from the patient/claimant
to provide health care, but replaced it with an acknowledgment of notice.)
Covered entities also have an obligation to release only information as permitted by the Privacy Rule. One permitted way is pursuant to an authorization form filled out by the individual whose records are to be released. The DDS will provide you with a signed, HIPAA-compliant authorization form--SSA-827, "Authorization to Disclose Information to the Social Security Administration (SSA)"-- to disclose protected health information to SSA (45 CFR 164.508). The form has been recently revised to satisfy a range of requirements related to the Privacy Rule and other federal authorities. We hope you choose to rely on this SSA form, signed by the claimant, as sufficient authorization to disclose your report to SSA/DDS.
NOTE: The Privacy Rule permits providers to accept a copy (photocopy,
scan, fax) of a signed authorization. It does not require an original
form. The Privacy Rule also does not require that an individual source's
name appear on the authorization. The Privacy Rule permits a consent form
to describe a "class of persons" authorized to disclose; hence,
the new revised SSA-827 specifies "consulting examiners used by SSA."
The rule also permits an individual to authorize the release of information
created after the authorization is signed, as long as the authorization
has not expired. The form SSA-827 contains language for such prospective
authorization and states that the consent is good until its expiration
one year from the date of signing.
If you choose to have the individual sign your own authorization form
rather than relying on the signed SSA-827, provisions at 45 CFR 164.508(b)(3)
and (b)(4) address "compound authorizations" and the "prohibition
on conditioning of authorizations." Also, covered entities that seek
an authorization from the individual are required to provide the individual
with a copy of the signed authorization form (45 CFR 164.508(c)(4).
Q. Am I obligated to maintain a copy of the CE report?
A. SSA does not require you to maintain a copy of the report. You
may be required to keep a copy of the report in your arrangement with
the State DDS.
Q. If I keep a copy of the CE report, how do I respond to requests
for it?
A. You should direct all requests for CE reports to the DDS. Even
though you may be covered by the HIPAA Privacy Rule, you still must also
comply with all of SSA's rules regarding disclosure of information and
access to information that you gather and maintain while performing work
for SSA. The Privacy Act of 1974, as amended, Section 1106 of the Social
Security Act, and our regulations at 20 CFR part 401 concern disclosure
of information and access to information. If you receive a request for
information, forward the request to the DDS for processing.
Q. What happens if the patient wants to change something in the CE
report that we provided to the DDS?
A. Refer all requests for amendment of CE reports to the DDS because
SSA has rules regarding correcting records that need to be followed. Although
you may also have obligations under 45 CFR 164.526 with respect to amending
information generally, it is important that SSA's rules are followed with
respect to information used in SSA's programs.
Q. Do special provisions need to be made if I use transcription and/or
interpreter services provided by the DDS?
A. No, the businesses that provide such services are functioning
as agents of SSA/DDS and, therefore, the disclosure of information to
them is authorized by the SSA-827. However, if you are a covered entity
under the Privacy Rule, such services employed at your expense may be
considered "business associates" under the rule, requiring a
contract or agreement (45 CFR 164.504).
Q. Where can I obtain additional information
about HIPAA?
A. The official HHS information source for the HIPAA Privacy Rule
is www.hhs.gov/ocr/hipaa/ provides links to other HIPAA information, including
HHS' December 2003 guidance -- an easy-to-read discussion of some of the
key issues.
The American Medical Association (AMA) also provides useful HIPAA information
at https://www.ama-assn.org/practice-management/hipaa-compliance.