HIPAA and Disability Determination: What Medical Records Can Be Shared for SSA or Insurance Claims
HIPAA Privacy Rule Protections
When you pursue disability benefits or an insurance claim, the HIPAA Privacy Rule governs how your Protected Health Information (PHI) can be used and disclosed. Understanding these guardrails helps you share the right evidence while safeguarding your privacy.
What counts as PHI and when can it be shared?
PHI includes any identifiable information about your health status, care, or payment for care—such as clinic notes, hospital summaries, imaging, labs, and functional assessments. Covered Entities (healthcare providers, health plans, and clearinghouses) may disclose PHI for treatment, payment, and healthcare operations, or when you sign a valid Patient Authorization for another purpose, such as the Disability Determination Process.
Minimum necessary and practical scope
For disclosures not based on your authorization, the “minimum necessary” standard applies. If you sign an authorization, a provider may disclose what the authorization permits. In practice, it’s still wise to send only records that are relevant to the claimed impairments, time periods, and functional limitations to streamline Medical Record Disclosure.
- Commonly shared: progress notes, diagnostic test results, operative reports, therapy notes, medication lists, hospital discharge summaries, and functional capacity evaluations.
- Special sensitivity: Substance Abuse Records and certain mental health information may have added protections and are addressed below.
HIPAA Security Rule Requirements
The HIPAA Security Rule protects electronic PHI (ePHI) through administrative, physical, and technical safeguards. Whether you submit records to SSA or an insurer, you must ensure HIPAA-Compliant Transmission and storage.
Administrative safeguards
- Perform a risk analysis and implement written policies and workforce training for record submissions.
- Use Business Associate Agreements when vendors (for example, e-fax or release-of-information services) handle ePHI.
- Maintain disclosure logs and proof-of-submission receipts.
Technical safeguards
- Restrict system access with unique user IDs, strong authentication, and role-based permissions.
- Enable audit controls to track who accessed or sent records and when.
- Protect integrity and transmission security—encrypt data in transit (for example, secure portal upload) and at rest where reasonable and appropriate.
Physical safeguards
- Secure workstations, devices, and media that store or transmit ePHI.
- Position fax machines and printers in controlled areas and promptly retrieve output.
SSA's Role in Disability Determinations
The Social Security Administration (SSA) oversees disability benefits, while state Disability Determination Services (DDS) gather evidence and make initial decisions. Their goal is to evaluate how your medically determinable impairments limit your ability to perform work.
How the evidence flows in the Disability Determination Process
- You apply for benefits and sign the SSA-827 Patient Authorization.
- DDS requests records from your healthcare sources and other relevant holders.
- Providers submit records—ideally those that document diagnosis, severity, longitudinal treatment, and functional impact—via secure channels.
- If evidence is insufficient, SSA/DDS may order a consultative examination.
Most useful are longitudinal records tied to onset and progression, objective testing, treatment response, and clear statements about functional abilities and limitations.
SSA-827 Authorization Form Details
The SSA-827 is a HIPAA-compliant Patient Authorization designed to speed record collection for disability reviews. It lets providers and other record holders disclose information to SSA, DDS, and their contractors specifically for benefit evaluation.
Key elements you will see
- Who may disclose and who may receive: healthcare providers, hospitals, clinics, labs, and other sources to SSA/DDS.
- What may be disclosed: medical records relevant to disability, including mental health treatment information; Substance Abuse Records and other sensitive data when the form’s language permits; psychotherapy notes are excluded (addressed below).
- Purpose: to evaluate eligibility for disability benefits.
- Expiration and revocation: the form lists an expiration date or event; you may revoke in writing at any time, though it won’t affect disclosures already made.
- Redisclosure notice: once disclosed, information could be redisclosed by recipients not covered by HIPAA, except where other laws impose stricter limits.
Submitting a complete, legible, and correctly signed SSA-827 reduces delays and unnecessary follow-up requests.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Exclusions for Psychotherapy Notes
Psychotherapy notes are a distinct category under HIPAA: they document or analyze the substance of counseling sessions and are kept separate from the general medical record. They are not the same as mental health treatment notes, diagnoses, medications, or summaries.
For disability determinations, psychotherapy notes are not shared unless you give a separate, explicit authorization that specifically references “psychotherapy notes.” Typically, SSA needs mental health treatment summaries, evaluations, and functional information—not raw psychotherapy notes.
- May be shared with authorization: psychiatric evaluations, diagnoses, medication management notes, psychological testing results, and hospital discharge summaries.
- Require separate, specific authorization: psychotherapy notes kept apart from the main record.
Electronic Records Express Platform
Electronic Records Express (ERE) is SSA’s secure platform for submitting evidence. It supports HIPAA-Compliant Transmission so providers can send records efficiently and with appropriate safeguards.
Ways to submit through ERE
- Secure web upload: transmit files through a protected portal with confirmation receipts.
- Barcode fax: use SSA-provided coversheets so your documents route directly to the correct claim.
Best practices for accurate, secure submissions
- Assemble records that match the claimed impairments and relevant timeframes; avoid extraneous pages.
- Verify identifiers (name, date of birth, claim or reference numbers) on each document.
- Exclude psychotherapy notes and honor special handling for Substance Abuse Records.
- Ensure legibility, correct page order, and clear labeling by document type.
- Retain transmission confirmations and keep an internal disclosure log.
Insurance Claims and HIPAA Compliance
What you can share for insurance depends on the requester and purpose. The rules differ for health plan payment versus non-health insurance (for example, private disability or life insurance).
Health plan payment versus other insurance requests
- Health plan payment and operations: a provider may disclose PHI to a health plan without an authorization, applying the minimum necessary standard.
- Non-health insurance (such as private disability or life): these requests typically require a signed Patient Authorization because they are not for treatment, payment, or healthcare operations.
- Tailor the disclosure: even with an authorization, share records relevant to the claimed conditions and period to avoid unnecessary exposure.
Provider checklist before releasing records to an insurer
- Confirm the requester’s identity and connection to the claim.
- Validate the authorization’s scope, expiration, and signatures; ensure it permits the specific Medical Record Disclosure requested.
- Apply the minimum necessary standard when required; otherwise, right-size the dataset to the claim.
- Handle Substance Abuse Records with required consent language and redisclosure limits, as applicable.
- Use secure portals or properly configured fax for HIPAA-Compliant Transmission; maintain an auditable record of what was sent.
Conclusion
In short, HIPAA and disability determination work together to allow the right records to flow while protecting your privacy. Use the SSA-827 to authorize SSA’s access, exclude psychotherapy notes unless specifically authorized, give special care to sensitive categories like Substance Abuse Records, and always transmit through secure, documented channels.
FAQs.
What types of medical records can be shared for SSA disability claims?
With a signed SSA-827, providers may share PHI relevant to your claim: office visits, hospital records, imaging, labs, therapy and rehabilitation notes, medication histories, functional capacity evaluations, and mental health treatment summaries. Psychotherapy notes are excluded unless you separately authorize them, and some sensitive categories may require particular consent language.
How does the SSA-827 form protect patient privacy?
The SSA-827 is a HIPAA-compliant Patient Authorization that defines who may disclose information, who may receive it (SSA/DDS), the purpose (benefit evaluation), what information is covered, and when it expires. You may revoke it in writing, and the form includes notices about potential redisclosure and special protections for sensitive data.
Are psychotherapy notes ever disclosed in disability determinations?
Rarely. Psychotherapy notes are specially protected and require a separate, explicit authorization that specifically references “psychotherapy notes.” SSA typically needs treatment summaries, evaluations, and functional information rather than the notes themselves.
What safeguards ensure HIPAA compliance during medical record submission?
Use secure portals like ERE or properly configured fax with barcoded coversheets; encrypt transmissions where appropriate; restrict and authenticate access; maintain audit trails and disclosure logs; validate authorizations; and limit disclosures to what the claim requires to uphold the minimum necessary principle when it applies.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.