TN 5 (11-15)

GN 03305.002 Limitations on Disclosure with Consent

Policy on disclosure limitations

The Privacy Act and other Federal laws do not allow us to disclose or release information unless the request for disclosure first meets certain conditions. When we receive a request, we require an individual’s written signature on a document that meets our consent requirements. This consent document is our legal authority for disclosing or releasing the requested information to a third party. The consenting individual determines the scope of the records to be released and the time frames in which we can disclose them. In all instances, the consent document must describe the specific information for disclosure.

1. Consenting individual

The consenting individual must give us enough information about the records he or she wants us to disclose to a third party to help us locate and release the correct records.

EXAMPLE:

A disabled claimant submits a signed Form SSA-3288 requesting us to send a copy of his most recent disability “medical report form” to his new doctor. We have several disability report forms. The claimant does not know that the number of the form to which he is referring is the Form SSA-3368 (Disability Report - Adult). Therefore, the claimant must describe the exact information on the form in enough detail to help us determine:

  • which disability form is the correct form, and

  • where it is located in his or her record.

2. Information about other individuals contained in the requested record

Personal information about other individuals for whom we do not have a written consent document authorizing the release of information about them may be contained in the Number Holder’s (NH) record. The NH may not provide consent authorizing the release of their information from his or her record. Therefore, we must redact any such information about other individuals before releasing the requested information about the NH.

3. Alcoholism and Drug Abuse Prevention (ADAP) patient records

The Public Health Service (PHS) regulations (42 CFR 2.31) prohibit us from disclosing ADAP records without specific written consent from the individual to whom the records pertain. For more information about ADAP records and the related consent requirements, see GN 03305.030.

4. Consent authorizing disclosure on an ongoing basis

An individual may authorize us to disclose specific information from his or her record, on an ongoing basis, for a definite or indefinite period. Accordingly, the individual must indicate on the original consent document that he or she is requesting us to disclose information on an ongoing basis. The individual must also provide the time frame in which we can disclose the information. The consent is valid during this time frame. We may honor these requests as long as the consent document meets the requirements for a valid consent document and the individual or third party provides a copy of the original consent document with each subsequent request.

It is unnecessary to document a record to indicate that an individual has provided consent to disclose information on an ongoing basis. In these instances, the individual or third party must provide a copy of the original consent document along with each subsequent request for the same information originally requested. If a copy of the original consent does not accompany a subsequent request, do not honor the request. Return the information to the requester with an explanation of why we cannot honor it. Advise the requester to provide a copy of the original consent that indicates the information may be disclosed on an ongoing basis.

5. Revocation of the consent

An individual may revoke his or her consent at any time by providing a written request to revoke the consent. Associate the request with the record file. If the record file is not available, annotate the special message field in the electronic record to indicate the individual has revoked his consent.

6. Health Insurance Portability and Accountability Act (HIPAA) consent forms

Under the HIPAA Privacy Rule, the term “covered entity” refers to the following three specific organizational group types:

  • Health care providers,

  • Health plans, and

  • Health care clearinghouses.

Although SSA is not a covered entity under the HIPAA Privacy Rule, we may accept a HIPAA consent document if it meets our consent requirements for non-tax return information (GN 03305.003D) or the