Effective Dates: 10/08/2024 - Present

Identification Number:
GN 03305 TN 15
Intended Audience:See Transmittal Sheet
Originating Office:Office of the General Counsel
Title:Disclosure With Consent
Type:POMS Full Transmittals
Program:All Programs
Link To Reference:
 

PROGRAM OPERATIONS MANUAL SYSTEM

Part GN – General

Chapter 033 – Disclosure/Confidentiality of Information

Subchapter 05 – Disclosure With Consent

Transmittal No. 15, 10/08/2024

Audience

PSC: BA, CA, CS, DE, DEC, DS, ICDS, IES, ISRA, PETE, RECONR, SCPS, SPIKE, TSA, TST;
OCO-OEIO: BET, BIES, BTE, CR, CTE, EIE, FCR, FDE, LC, PETL, RECONE, RECONR, RECOVR;
OCO-ODO: BET, BTE, CR, CST, CTE, CTE TE, DE, DEC, DES, DS, IS, LCC, PAS, PETE, PETL, RCOVTA, RECONE, RECOVR;
OEO: DOSPA, OSSPA, WBDOCPA;
ODD-DDS: DHU;
FO/TSC: CS, CS TII, CS TXVI, CSR, CTE, FR, OA, OS, RR, TA, TSC-CSR;

Originating Component

OPD

Effective Date

Upon Receipt

Background

The Privacy Act of 1974 (5 USC § 552a) permits an individual to give signed written consent to disclose personal information about themselves from our records to a third party. Our disclosure regulations (20 CFR 401.100) provide the requirements for valid consent documents. These instructions provide guidance concerning disclosure with consent and the requirements for accepting and processing consent documents.

Summary of Changes

GN 03305.002 Limitations on Disclosure with Consent

In the introductory paragraph, we are clarifying existing policy regarding disclosure limitations.

In subsections 1, 2, and 7, we are clarifying existing policies to incorporate gender-inclusive language, in support of Executive Order 13988, Preventing and Combating Discrimination on the Basis of Gender Identity or Sexual Orientation.

In subsection 4, we are clarifying existing policy regarding consent authorizing disclosure on an ongoing basis and incorporating gender-inclusive language.

In subsection 5, we are clarifying existing policy regarding the revocation of the consent and incorporating gender-inclusive language.

In subsection 6, we are clarifying existing policy regarding Health Insurance Portability and Accountability Act (HIPAA) consent forms.

GN 03305.003 Consent Documents

In subsection A, we are clarifying existing policy to incorporate gender-inclusive language, in support of Executive Order 13988, Preventing and Combating Discrimination on the Basis of Gender Identity or Sexual Orientation.

In subsection B, we are clarifying existing consent policy. We are also creating a new subsection B.4. to advise on the agency's use of Form SSA-3288-OP1. Relevant policy regarding informed consent is now reflected as subsection B.5.

In subsection D, we are clarifying existing policy regarding consent requirements for non-tax return information.

In subsection E.1., we are clarifying existing policy regarding consent requirements for tax return information.

In subsection F, we are updating the title of the section and clarifying existing policy regarding signature requirements. We are also incorporating gender-inclusive language.

In subsection G, we are clarifying existing policy regarding time limitations for the receipt of consent documents.

In subsection H, we are updating the title of the section and clarifying existing policy regarding acceptable consent documents for non-tax return information.

In subsection I, we are clarifying existing policy regarding unacceptable consent documents.

In subsection J, we are clarifying existing policy regarding the disclosure of medical records and incorporating gender-inclusive language.

GN 03305.005 Who May Consent

In the introductory paragraph, we are clarifying existing policy regarding who may consent to disclose SSA records.

In subsection A, we are clarifying existing policy regarding consent by competent adults.

In subsection B, we are clarifying existing policy regarding consent by legal guardians for incompetent adults and incorporating gender-inclusive language, in support of Executive Order 13988, Preventing and Combating Discrimination on the Basis of Gender Identity or Sexual Orientation.

In subsection C, we are clarifying existing policy regarding consent by a parent or legal guardian for minor children and incorporating gender-inclusive language.

In subsection D, we are clarifying existing policy regarding consent by a minor child.

In subsection E, we are clarifying existing policy regarding dual relationships.

GN 03305.025 Disclosure to Legal Aid Groups, Private Law Firms, and Appointed Representatives

In subsection A, we are clarifying existing policy regarding disclosures of information to legal aid groups or private law firms and the agency's use of Form SSA-3288-OP1.

In subsection B, we are clarifying existing policy regarding disclosures of information to appointed representatives and designated associates.

In subsection C, we are clarifying existing policy regarding disclosures to the appointed representative and designated associate when the appointment ends. We are also incorporating gender-inclusive language, in support of Executive Order 13988, Preventing and Combating Discrimination on the Basis of Gender Identity or Sexual Orientation.

GN 03305.002 Limitations on Disclosure with Consent

Policy on disclosure limitations

The Privacy Act and other Federal laws do not allow us to disclose or release information unless the request for disclosure first meets certain conditions. When we receive requests to disclose an individual's information, we may require the individual’s written consent, as described in GN 03305.003F. This written consent is our legal authority for disclosing the requested information to a third party. In all instances, the consent document must describe the specific information authorized to be disclosed by us.

1. Consenting individual

The consenting individual must give us enough information about the records they want us to disclose to a third party to help us locate and release the correct records.

EXAMPLE:

A disabled claimant submits a signed Form SSA-3288 requesting us to send a copy of their most recent disability “medical report form” to their new doctor. We have several disability report forms. The claimant does not know the number of the form referenced is the Form SSA-3368 (Disability Report - Adult). Therefore, the claimant must describe the exact information on the form in enough detail to help us determine:

  • which disability form is the correct form, and

  • where the form or information is located in their record.

2. Information about other individuals contained in the requested record

Personal information about other individuals for whom we do not have a written consent document authorizing the release of their information may be contained in the number holder’s (NH) record. The NH may not provide consent authorizing the release of their information from their record. Therefore, we must redact any such information about other individuals before releasing the requested information about the NH.

3. Alcoholism and Drug Abuse Prevention (ADAP) patient records

The Public Health Service (PHS) regulations (42 CFR 2.31) prohibit us from disclosing ADAP records without specific written consent from the individual to whom the records pertain. For more information about ADAP records and the related consent requirements, see GN 03305.030.

4. Consent authorizing disclosure on an ongoing basis

An individual may authorize us to disclose specific information from their record, on an ongoing basis, for a definite or indefinite period. Accordingly, the individual must indicate on their original written consent that they are requesting us to disclose information on an ongoing basis. The individual must also provide the time frame in which we can disclose the information. The written consent is valid during this time frame. We may honor these requests as long as the written consent meets the requirements set forth in GN 03305.003, and the individual or third party provides a copy of the original written consent with each subsequent request.

It is unnecessary to document a record to indicate that an individual has provided written consent to disclose information on an ongoing basis. However, the component responsible for processing the request must store a copy of the original consent and document when the original written consent was received. If a copy of the original written consent does not accompany a subsequent request or cannot be located in our records, do not honor the request. Return the information to the requester with an explanation of why we cannot honor it. Advise the requester to provide a copy of the original written consent that indicates the information may be disclosed on an ongoing basis.

5. Revocation of the consent

An individual may revoke their written consent at any time by providing a written request to revoke the consent. Associate the request with the record file. If the record file is not available, annotate the special message field in the electronic record to indicate the individual has revoked their consent.

6. Health Insurance Portability and Accountability Act (HIPAA) consent forms

Our records are not subject to HIPAA. However, we may accept a HIPAA consent document if it meets our consent requirements for non-tax return information (GN 03305.003D).

7. Consent-based requests for records in an exempt system of records

The Privacy Act permits Federal agencies to exempt certain records from some of its specific requirements. In part, this means that an individual may not receive access to records we maintain in certain exempt systems of records. Typically, these exempt records contain investigatory information related to potential fraud in our programs. Since an individual may not request access to this type of record, they may also not provide consent to disclose it to a third party.

Exempt records, for example, reside in program integrity files maintained by the Office of the Inspector General (OIG). Program integrity records are exempt from access and should be kept separately from the claims folder. Refer all requests for exempt records information located in program integrity files to the Office of Privacy and Disclosure (OPD) at ^OGC OPD Controls. OPD will work with OIG for a decision on disclosure under the guidelines of the FOIA. Also refer requests for exempt records information in other systems of records to OPD.

8. Fees for supplying information

Section 1106 of the Social Security Act and our implementing regulations authorize us to charge the full cost of supplying information to first and third-party requesters where the information requested is for a non-program purpose. For more information about fees for non-program purposes, see GN 03311.005E.

GN 03305.003 Consent Documents

A. Introduction to written consent

The Privacy Act and our disclosure regulations require that we have the written consent of an individual before disclosing information about them to a third party, unless one of the 12 Privacy Act exceptions applies. These exceptions permit disclosure without an individual’s consent when the request meets certain requirements. For a complete list of the Privacy Act exceptions, see GN 03301.099D.

B. Consent policy

We have specific requirements in our disclosure regulations (20 CFR 401.100) and policies (GN 03305.003D in this section) for what represents a valid consent to disclose agency records. We will provide an individual's information to a third party based on the individual’s written, signed consent as long as it meets these requirements. If the consent fails to meet these requirements, we will return it to the requester with an explanation of why we cannot honor it. We can honor a new consent document from the same requester once it meets our requirements.

1. Preferred Consent Forms

The Form SSA-3288 (Social Security Administration Consent for Release of Information) or the SSA-3288-OP1 (Consent for Disclosure of Records Protected Under the Privacy Act) are our preferred consent forms for program records requests even though we cannot require individuals to use them. The SSA-3288 is available in both paper and electronic fillable formats but must be wet signed; while the SSA-3288-OP1 is signed and submitted electronically on our website, www.ssa.gov/privacy . These forms meet our regulatory requirements for consent (20 CFR 401.100) and our disclosure policy requirements for disclosing non-tax return information (GN 03305.003D in this section).

Form SSA-7050-F4 (Request for Social Security Earnings Information) should be used to obtain consent for the disclosure of tax return information. Other tax information consent forms must be approved by the Office of the General Counsel.

2. Fillable version of Form SSA-3288 (07-2013)

The fillable SSA-3288 (07-2013) requires the consenting individual to provide a wet signature. If an individual’s signature is by mark “X”, two witnesses to the signing of the individual’s mark “X” must also provide wet signatures. Individuals may complete all of the fillable boxes electronically but must download, print, and wet sign the form before sending the form to us for processing.

Individuals may present a written consent document, including the SSA-3288, in person or send it to us by postal mail, facsimile, or approved electronic means, as long as the consent meets our requirements and bears a legible signature. Processing offices must use their own judgment to determine whether to accept and process a consent document. Otherwise, the processing office must return the consent document to the requester if it is unclear, bears an unreadable signature, or appears to have been altered.

3. Earlier versions of the SSA-3288

Do not refuse to accept or process an earlier version of the SSA-3288. If there is no reason to question or return an earlier version of the form (the earlier version meets all of our consent document requirements), accept and process it. If you receive an earlier version of the SSA-3288 that does not meet our consent document requirements, return the form to the requester with an explanation of why we cannot honor it and provide a copy of the latest version of the form as a courtesy.

4. Form SSA-3288-OP1

We will also accept Form SSA-3288-OP1 (Consent for Disclosure of Records Protected Under the Privacy Act) as an individual’s written electronic consent. Form SSA-3288-OP1 must be completed and signed electronically on SSA’s website. See GN 03305.003D in this section for more information on electronic signatures.

5. Informed consent

When we disclose information based on written consent, we must fully understand the specific information an individual is authorizing us to disclose to a third-party recipient. The consenting individual must also fully understand the specific information they are requesting us to disclose. To ensure that the consenting individual has made a decision with informed consent, they must specify in the consent document the information, documents, form number, records or category of records, computer data elements or segments, or pieces of information they want us to disclose.

C. Policy for disclosing queries

We use queries for internal, administrative use. We do not routinely disclose these queries to third parties based on an individual’s consent. For further information concerning the disclosure of queries, see GN 03305.004.

D. Consent requirements for non-tax return information

All consent documents must meet each of the eight requirements listed below. If the consent does not meet these requirements, return the consent document to the requester with an explanation of why we cannot honor it. All consent documents, including the Form SSA-3288 and Form SSA-3288-OP1, must:

  1. 1. 

    Specify the first and last name, Social Security number, and date of birth of the individual who is the subject of the requested record(s);

  2. 2. 

    Include a legible signature or mark “X” for paper consent documents. A legible signature is one that is clearly visible. If an individual signs a paper consent document by marking “X,” two witnesses who do not stand to gain anything from the disclosure must wet sign the consent and provide their full mailing addresses. Electronic consents (i.e., Form SSA-3288-OP1) require a valid electronic signature. See GN 03305.001C;

    NOTE: 

    If there is suspicion that the signature is not the record subject's (due to misspellings, illegibility, apparent post-signature changes, or other factors), the field office (FO) may contact the record subject to verify the consent or may request a new consent. Offices must use their own judgement in these instances.

  3. 3. 

    The signature must be below the requested information on the consent document and be dated by the individual who is the subject of the requested record(s) or someone who can consent on behalf of that individual (GN 03305.005);

  4. 4. 

    Specifically state that the Social Security Administration (SSA) may disclose the requested information. A consent document that also authorizes other entities to disclose information is acceptable as long as it identifies SSA as one of the entities;

  5. 5. 

    Specify the first and last name and address of the person or organization to whom we should send the requested information;

  6. 6. 

    Describe the requested record(s) in enough detail for us to locate the record(s);

  7. 7. 

    Specify the purpose for which the requester will use the information. This helps us ensure that the individual has informed consent and determine if we must charge a fee for providing the information if it is a non-program related request; and

  8. 8. 

    Specify a time frame during which we may disclose the information. We will process the request as a one-time-only disclosure if the requester does not specify a time frame during which the consent is valid. If an individual wants us to disclose information on an ongoing basis (e.g., each month for 6 months, or quarterly, or annually) using the same consent document, they must submit a copy of the original consent document with each subsequent request for disclosure of that same information. For additional information, see GN 03305.002, Item 4. The Form SSA-3288-OP1 can only be used for a one-time consent to disclose.

    NOTE: 

    The time frame for the receipt of a consent is not the same as the time frame for the duration of a consent. For information concerning the time frame for the receipt of consents, see GN 03305.003G in this section.

E. Consent requirements for tax return information

The Internal Revenue Code (IRC) governs the disclosure of all tax return information. For examples of our record information that are also considered tax return information, see GN 03320.001D.1. In addition to the SSA consent requirements listed in GN 03305.003D in this section, Internal Revenue Service (IRS) regulations require individuals to meet two additional requirements before we disclose tax return information:

  1. 1. 

    An individual may not combine a request for tax return information with a request for non-tax return information on the consent document, or the consent document is invalid.

    Individuals must submit a separate consent document to authorize the disclosure of tax return information, such as earnings records. For example, we receive one consent document authorizing the disclosure of detailed earnings information and medical records. We cannot accept this consent document. Individuals must submit a separate consent document for the disclosure of the detailed earnings information. Therefore, the preferred consent documents in this instance would be Form SSA-3288 or Form SSA-3288-OP1 authorizing the release of medical records and Form SSA-7050-F4 authorizing the disclosure of the earnings information. The SSA-7050-F4 meets the IRC’s required consent authority for disclosing tax return information. (It is permissible to disclose the medical information based on the original consent if it meets our requirements.)

  2. 2. 

    The consent document must include:

    • The taxpayer's identity;

    • Identity of the person to whom disclosure is to be made;

    • Type of return information;

    • Taxable period; and

    • Signature of taxpayer and the date the authorization was signed.

  3. 3. 

    We must receive the consent document authorizing the disclosure of tax return information within 120 days from the date the individual signs the consent document to meet the IRS time limitation for receipt. Use the fee schedule shown on the SSA-7050-F4 to determine the fee for processing requests for detailed earnings information for non-program purposes. The SSA-7050-F4 advises requesters to send the form, together with the appropriate fee, to the address printed on the form. Do not send an SSA-7050-F4 or other request for detailed earnings information for processing without the appropriate fee, unless the request clearly indicates that the requested earnings information is for a program purpose.

Direct individual requests for summary yearly earnings totals to our online application "my Social Security ". For additional information about requests for earnings and disclosing tax return information, see GN 03320.005A and GN 03320.010B.

F. Signature requirements for Privacy Consents

For the purpose of this policy, "Privacy Consents" means consents to disclose SSA records protected under the Privacy Act of 1974 and consents to disclose Federal tax return information.

  1. 1. 

    A "wet" signature (sometimes also referred to as a "pen and ink" signature) is an individual's handwritten signature that has been physically (not electronically) signed. A wet signature is the only signature that we will accept on a paper consent document. See GN 03305.003H for additional guidance.

    We will accept a wet signature, in the form of a wet printed name (versus a cursive signed name) with additional verification. In addition, we will accept a wet “X” marked signature when made in the presence of two witnesses who do not stand to gain anything by the disclosure. Each witness must wet sign the consent document and provide their full mailing address. FOs should use current office procedures for acknowledging receipt of and verifying documents.

    NOTE: 

    If there is suspicion that the signature is not the record subject’s (due to misspellings, illegibility, apparent post-signature changes, or other factors), the FO may contact the record subject to verify the consent or may request a new consent. Offices must use their own judgement in these instances.

    For further information concerning who may provide consent, see GN 03305.005.

  2. 2. 

    We will only accept electronic signatures on the Form SSA-3288-OP1, Consent for Disclosure of Records Protected Under the Privacy Act. Other means of electronic signature on privacy consents must be approved by OGC for acceptance. In determining the requirements for electronic signature on tax return information consents, we follow the policies or requirements of the Internal Revenue Service.

G. Time limitations for the receipt of consent documents

The following time-frame limitations apply to the receipt of a consent document:

NOTE: 

The Form SSA-3288-OP1 includes these same time-frame limitations; however, the agency receives the Form SSA-3288-OP1 at the same time that the electronic signature is applied.

1. General records information - 1 year

We will honor a valid consent document authorizing the disclosure of agency records that are non-medical and non-tax information (such as claim file information), if we receive the consent document within 1 year from the date of the consenting individual’s signature. Use the earliest date stamped by any SSA component as the date we received the consent document.

If more than 1 year has lapsed from the date of the signature and the date we received the request, do not process the request. Follow these steps:

  1. a. 

    Return the consent document to the requester with a letter explaining that the time frame within which we must receive the requested information has expired; and

  2. b. 

    Ask the requester to send us a new consent document if the consenting individual still wants us to release the requested information to the third party.

2. Medical records information - 90 days

We will honor a valid consent document authorizing the disclosure of medical records information from agency records if we receive the consent document within 90 days from the date of the consenting individual’s signature. Use the earliest date stamped by any SSA component as the date we received the consent document.

If more than 90 days has lapsed from the date of the signature and the date we received the request, do not process the request. Return the consent document to the requester with a letter explaining that the time frame within which we must receive the requested information has expired. In your letter, ask the requester to send us a new consent document if the consenting individual still wants us to release the requested information only.

NOTE: 

If a consent includes a request for medical and non-medical records and is received more than 90 days (but less than 1 year) after execution but no medical records exist, honor the document as a valid request and disclose the non-medical record information only.

For additional requirements regarding access to and disclosure of medical records information, see GN 03340.035.

3. Tax return information - 120 days

We will honor a valid SSA-7050-F4 (or equivalent) consent document authorizing the disclosure of tax return information if we receive the consent document within 120 days from the date of the consenting individual’s signature. Use the earliest date stamped by any SSA component as the date we received the consent document.

If more than 120 days has lapsed from the date of the signature and the date we received the request, do not process the request. Return the consent document to the requester with a letter explaining that the time frame within which we must receive the requested information has expired. In the letter, ask the requester to send us a new consent document if the consenting individual still wants us to release the requested information.

For the specific IRS and SSA requirements for disclosing tax return information, see GN 03305.003E in this section.

H. Acceptable consent documents for non-tax return information

While we prefer the consent forms described in B.1. above, we will accept equivalent consent documents if they meet all of the consent requirements described in GN 03305.003D, GN 03305.003F, and GN 03305.003G in this section, as applicable. We will accept the following types of consent documents that meet the agency’s requirements:

  1. 1. 

    All versions of the SSA-3288 are acceptable if they meet all of the consent requirements for disclosure, as applicable. Return any other consent document that does not meet our requirements to the requester with an explanation of why we cannot honor it. If you return an earlier version of the SSA-3288 to the requester because it is not completed correctly, also provide the most current version of the form.

    NOTE: 

    The address and telephone number of the consenting individual are not mandatory on Form SSA-3288 or other consent forms for the consent to be acceptable. This information assists SSA in contacting the consenting individual if there are questions about the form, but if it is missing from the SSA-3288 or other acceptable consent forms, accept the form anyway.

  2. 2. 

    Fill-in forms are acceptable only if they meet all of the consent requirements, as applicable;

  3. 3. 

    We will accept copies (e.g., photocopies, PDFs or JPEGs) of wet signed consent documents, including the SSA-3288, sent via facsimile, postal mail, or approved electronic means if the copies we receive bear the consenting individual’s wet signature. If there is suspicion that the signature is not the record subject’s (due to misspellings, illegibility, apparent post-signature changes, or other factors), the FO may contact the record subject to verify the consent or may request a new consent. Offices must use their own judgment in these instances. See GN 03305.003F.2. in this section for circumstances in which electronically signed consents are accepted;

    NOTE: 

    We strongly discourage the public from sending consent documents, or any other documents that contain personally identifiable information, to SSA via unsecure email. Secure email is email sent by a secure partner, encrypted email, or email where the document is password protected.

  4. 4. 

    A consent document patterned after the SSA-3288 or an imitation copy of the SSA-3288 is acceptable if it contains all of the consent requirements, as applicable, and is validly signed (see GN 03305.003F for signature requirements);

  5. 5. 

    A power of attorney document for the disclosure of non-tax return information is generally not acceptable, as these documents do not usually contain all of the consent requirements; only when the power of attorney document contains all of the consent requirements and is validly signed, may it be accepted;

  6. 6. 

    A consent document received within one year from the date of the consenting individual’s signature for non-tax return and non-medical records information is acceptable as described in subsection GN 03305.003G in this section;

  7. 7. 

    A consent document that specifies the time frame for which we may disclose information is acceptable. If using the SSA-3288, the consenting individual may indicate specific time frames in the space allotted for the purpose; and

  8. 8. 

    A consent document that adequately describes the information authorized to be released above the consenting individual’s signature is acceptable.

I. Unacceptable consent documents

Consent documents that are unacceptable and cannot be relied on to disclose records include the following:

  1. 1. 

    A consent document is unacceptable if it appears altered or suspicious (offices must use their own judgment in these instances), or it does not meet the consent or valid signature requirements. For instance, if the list of SSA records requested on the form appears to be altered, replaced, or deleted;

  2. 2. 

    A consent document is unacceptable if the requested information does not appear above the written signature or mark (X) of the consenting individual. However, we may provide any part of the requested records appearing above the consenting individual’s signature if the consent documents satisfies the rest of the requirements in GN 03305.003D, GN 03305.003E, GN 03305.003F, and/or GN 03305.003G in this section;

  3. 3. 

    A consent document is unacceptable if the consenting individual’s (or witnesses’) signature and date of signature, or both are missing, unrecognizable, unclear, illegible, appears traced or otherwise suspicious (offices must use their own judgment in these instances);

  4. 4. 

    A consent document is unacceptable if the individual indicates “any and all records,” “my entire file,” “all my records” or similarly worded phrases. All requesters must specifically indicate the form number or title of the specific record or information for disclosure or describe the requested information in enough detail to enable us to locate the requested information. If the consent document specifies certain records or information for disclosure and also indicates “my entire record” or similar wording, disclose only the specific information that was requested;

  5. 5. 

    A consent document is unacceptable if the overall general appearance of the document appears suspicious (offices must use their own judgment in these instances);

  6. 6. 

    Except for the SSA-3288-OP1 or other electronic consents approved by Office of the General Counsel (OGC), any consent document containing an electronic signature is unacceptable; and

  7. 7. 

    A consent document is unacceptable if the time frame for disclosing the particular type of information has expired. For the time limitations that apply to the receipt of consent documents, see GN 03305.003G in this section.

If any of these conditions exist, return the consent document to the requester with a written explanation of why we cannot honor it. Do not disclose any records until we receive a written consent that meets our consent requirements in GN 03305.003D or GN 03305.003E, as applicable. For subpoenas and court orders, with or without consent, see GN 03330.015.

J. Disclosing medical records

An individual may submit an SSA-3288 (or equivalent) to request the release of their medical records to a third party. However, we have developed special procedures for the disclosure of medical records, including psychological records, pertaining to an individual.

1. Minor’s medical records

A parent or legal guardian, even when acting on behalf of the minor child, may not consent to disclose the minor child's medical records to a third party (20 CFR 401.100(d)). For more information, see subsection GN 03305.005C.4.

2. ADAP records

Medical records relating to alcoholism and drug abuse patients (ADAP) are subject to the Public Health Service regulations that require different handling. For processing consent-based requests for ADAP records, see GN 03305.030.

3. HIPAA records

The Health Insurance Portability and Accountability Act (HIPAA) does not apply to release of SSA records. However, we can accept a HIPAA-compliant authorization if it also meets the requirements listed in GN 03305.003D, GN 03305.003E, GN 03305.003F, and/or GN 03305.003G in this section. If a HIPAA authorization does not meet our consent requirements, return it to the requester with an explanation of why we cannot honor it. If you return a HIPAA authorization request, enclose a current SSA-3288 as a sample of a consent form that would meet our requirements.

GN 03305.005 Who May Consent

The access provisions of the Privacy Act (5 USC § 552a) provide the legal authority for disclosing the personal information in our records with consent. Only the following persons may consent to disclose Social Security Administration (SSA) records information.

NOTE: 

The agency will not process consents in any of the situations below if the information sought was compiled in reasonable anticipation of a civil action or proceeding, or if the information originates from a system of records that is exempt from access under 5 U.S.C. § 552a(d). See 20 C.F.R. § 401.85 for list of exempt systems of records; see also GN 03305.002. In addition, the agency will not process consents when the information sought is not about the individual who has consented (or for whom a parent or legal guardian has consented on behalf of).

A. Consent by competent adults

Generally, the individual who is the subject of the record and a competent adult may give us written consent to disclose information about themselves to a third party.

Written consent can be provided on paper, so long as it contains the individual’s valid signature and meets the consent requirements listed in GN 03305.003. See GN 03305.001C for more information. We will only accept electronic signatures for the purpose of Privacy Act consents on the Form SSA-3288-OP1 submitted through our website, www.ssa.gov/privacy .

B. Consent by legal guardians for incompetent adults

We only accept written paper consents signed by legal guardians on behalf of an adult who is declared to be legally incompetent, with acceptable proof of legal guardianship. Paper consents require a “pen and ink” or “wet” signature, and must meet the consent requirements listed in GN 03305.003. Currently, we do not accept electronic consents to disclose records submitted on behalf of incompetent adults.

1. Legal guardian

a. Proof of legal guardianship

If a document showing a court finding of incompetence exists for the individual who is the subject of a record, the legal guardian may sign a written paper consent document for disclosure only when acting on behalf of the individual and not in the legal guardian’s own interest. Proof of the guardianship appointment (a copy of the court order appointing the guardian) must already exist in our records or accompany the paper consent document. For more information about guardianship, see GN 00502.139 and GN 00502.300.

NOTE: 

Guardian ad litems are not legal guardians and cannot consent except in rare circumstances.

b. Determining the “on behalf of” standard

Consider the intended use of the requested information when determining whether the guardian is acting on behalf of the individual. Use these examples only as guidance for determining if a guardian is acting on behalf of the individual:

  1. 1. 

    A legal guardian for an adult with a developmental disability signs the SSA-3288 on that individual's behalf. The paper consent authorizes SSA to disclose medical information in the individual’s record to his residential director to assist in providing additional services. We determined that the purpose of the disclosure is on behalf of this individual and the agency should honor it; or

  2. 2. 

    An adult child, who is legal guardian for their parent, signs the SSA-3288 on their parent's behalf. Documentation indicates the adult child is only legal guardian “of the person” and not of their parent’s estate or financial affairs. The consent authorizes SSA to disclose information about the parent’s benefits to the adult child’s bank. We determined that the purpose of the disclosure is not on behalf of their parent and the agency should not honor it.

2. Incompetent adult

An adult who is declared to be legally incompetent may be able to consent to the disclosure of their own records. We will honor the written paper consent of an adult who is declared to be legally incompetent when both of the following conditions exist:

  1. a. 

    The legal guardian refuses to consent; and

  2. b. 

    The interviewing SSA representative is reasonably certain that the individual is capable of making a rational decision concerning the particular disclosure.

The interviewing SSA representative must be able to establish that the person or entity to whom we would disclose records, based on the individual’s consent, will use the information on behalf of the individual. If it appears that the disclosure will be harmful to the individual, the field office (FO) manager (or other official) may want to question the individual's capability of providing “informed consent.” If the adult who is declared to be legally incompetent does not seem capable of making a rational decision concerning the disclosure, send the request to Office of Privacy Disclosure (OPD) for processing under the guidelines of the Freedom of Information Act (FOIA). For additional FOIA processing instructions, see GN 03350.005J. For more information about legal incompetency, see GN 00502.023.

EXAMPLE: An adult claimant who is declared to be legally incompetent secures an attorney to challenge the determination that they are incompetent and provides a written paper consent for us to disclose relevant claim file information to the claimant's attorney. The claimant’s legal guardian refuses to consent to disclose any information to the attorney. The FO manager interacts with the claimant frequently, believing the disclosure would be on behalf of the claimant and would help to protect the claimant’s right to conduct their own affairs. In this example, the FO manager makes the decision to honor the claimant’s written consent and disclose relevant and necessary information to the claimant's attorney, without the legal guardian’s consent.

C. Consent by parent or legal guardian for minor children

The word “parent” used throughout this section refers only to the birth or adoptive parent of a minor child.

A parent or legal guardian, acting on behalf of a minor child, may consent to disclose only the minor child’s non-medical records if the conditions listed in GN 03305.005C.1.a. and GN 03305.005C.1.b. in this section are met. A parent or legal guardian cannot consent to disclose a minor child’s medical records, even if acting on behalf of the minor child. We only accept written paper consent on behalf of a minor child. Consent documents must meet the consent requirements listed in GN 03305.003. We currently do not accept electronic consent to disclose records on behalf of a minor child.

1. Proof of relationship and on behalf of the minor child standards

Before we can release a minor child’s non-medical records, two conditions must be met:

  • we must have a document showing the parent's or legal guardian’s relationship to the minor child (e.g., a birth record showing the parent’s first and last name, a legal court document indicating an adoption, or the court order appointing a legal guardian); and

  • we must determine that the parent or legal guardian is acting on behalf of the minor child.

    If the parent's or legal guardian’s request to provide consent meets both conditions, we may release non-medical information on behalf of a minor child.

  1. a. 

    Proof of relationship. Usually, proof of relationship such as a birth record showing the parent’s first and last name, a legal court document indicating an adoption, or the court order appointing a legal guardian already exists in our records (on the NUMI, MBR, SSR, MCS, MSSICS) or is presented with the request to disclose the minor child’s records.

    NOTE: 

    Stepparents cannot consent to disclose a minor child’s non-medical records unless they are also the child’s legal guardian; and

  2. b. 

    On behalf of the minor child. The parent or legal guardian must be acting on behalf of the minor child. This means the purpose of the parent or legal guardian providing consent for disclosure is in the minor child’s best interest and not their own. A parent or legal guardian who is neither living with, nor has custody of the minor child, may be an indication that the parent or legal guardian is not acting on behalf of the minor child.

    EXAMPLE 1:

    A parent (requester) submits an SSA-3288 requesting us to disclose to their subsidized rental company, the benefit amount that their 11-year-old child receives from the child’s other parent's Social Security disability claim. The child’s Numident record shows the requester as the birth parent. However, the requester is the non-custodial parent. The requester informs us that providing the child’s benefit amount to the rental company qualifies the requester for a reduced rent. Since the requester does not have custody and the child does not reside with the requester, releasing information to the rental company is likely not on behalf of the child. Therefore, we cannot honor the SSA-3288.

    EXAMPLE 2:

    An adoptive parent presents us with a proper written paper consent document requesting release of their adopted child’s benefit information to the Maple County School District where the adoptive parent lives so that the child, who receives a Social Security benefit, may qualify for free lunch and bus tickets. A copy of the legal adoption papers for the child is already in our records. Since the free lunch and bus tickets are for the use and benefit of the child, we can honor the written consent document and release the benefit information to the school.

2. Proof of relationship not in our records or on behalf of the minor child standard not met

If proof of relationship does not already exist in our records, or the parent or legal guardian cannot provide that documentation and the request does not appear to be on behalf of the child, do not release any information. Send the request and accompanying documentation to the OPD FOIA control mailbox or fax it to (410) 966-0869.

For information about parental rights, see GN 03340.025A. If the legal guardian is a guardian ad litem, see GN 03305.006B.

3. Non-medical records

A birth or adoptive parent or legal guardian may provide written paper consent to disclose only the non-medical records of a minor child to a third party when they are acting on behalf of the child. If it is clear that the parent or legal guardian is acting on behalf of the child, honor the request and release the information. In all instances, proof of relationship must:

  • already exist in our records;

  • accompany the request; or

  • we must obtain a copy of the proof of relationship before we can disclose any information (GN 03305.005C.1. in this section).

A stepparent may not consent to disclose a minor child’s non-medical records unless they are also the child’s legal guardian (note: we must have proof of relationship) and acting on behalf of the child. For general information about who may not consent to disclose records, see GN 03305.006.

4. Medical records

A parent or legal guardian, even when acting on behalf of the minor child, may not provide consent to disclose the child's medical records to a third party (20 CFR 401.100(d)). The Privacy Act permits us to develop special procedures for disclosing medical records.

To protect a minor's medical records, we will not disclose those records to third parties. However, the parent or legal guardian may seek access to the minor child’s medical records by designating a physician or other health professional to receive the medical records. Once the parent or legal guardian receives the medical records from the designated health professional, they may disclose them to another party. For more information about obtaining access to a minor child’s medical records, see GN 03340.035D.

D. Consent by a minor child

A minor child may provide written paper consent to disclose their own medical and non-medical records, at any time and for any reason, if the reviewing SSA employee is reasonably certain that the child is capable of making a rational decision to consent to the disclosure. It may be necessary for the servicing FO to interview the child or the child’s parent(s) or legal guardian to arrive at this conclusion. The reviewing SSA employee should make the decision to accept a child’s consent based on their own judgment that the child is capable of providing informed consent. This means the child fully understands what they are requesting us to disclose.

Use age 12 as a baseline for determining when a child is old enough to make such a decision. Consider these types of disclosures on a case-by-case basis to protect the rights of the child. A child under 12 years old may be mature enough to provide consent while a child over 12 may not be able to provide consent. If it appears the child cannot provide informed consent, process the request under the guidelines of the FOIA. For FOIA processing instructions, see GN 03350.005J.

E. Dual relationships

A third party may have more than one type of relationship with an individual that would permit disclosure when acting on behalf of the individual. For example, an appointed representative may also be an individual’s legal guardian, or a stepparent may also be a legal guardian of a minor. However, only in the situations in GN 03305.005B and GN 03305.005C in this section may a third party sign a consent.

GN 03305.025 Disclosure to Legal Aid Groups, Private Law Firms, and Appointed Representatives

A. Policy for disclosing information

An individual may consent to disclose their records to a legal aid group or private law firm using the SSA-3288, SSA-3288-OP1, or other consent form that meets our requirements. The public can access the SSA-3288-OP-1 web-form application at SSA's Privacy Program website. These entities may elect to become the individual’s appointed representative during the claims process. Prior to that appointment, disclosures from the individual’s record require written consent.

NOTE: 

Do not disclose the requested information to a copying service or other company performing administrative services unless that entity is named separately on the written consent form. “In care of” notations on the written consent form are not acceptable for purposes of disclosure to a copying service or similar entity.

B. Appointed representatives and designated associates

The SSA-1696-U4 permits individuals to appoint a representative, who may receive records in the performance of their appointed representative duties. The SSA-1696-U4 also allows individuals to consent to the release of their records to their appointed representatives’ designated associates, who perform administrative duties (e.g. clerks, partners, and/or parties under contractual arrangements (e.g., copying services) by selecting the appropriate box on the SSA-1696-U4. If we receive a notice of appointment (SSA-1696-U4 or equivalent writing) authorizing us to release records to a designated associate, a separate SSA-3288 (or other consent form meeting our requirements) is not required as long as the appointed representative is representing the individual in a matter currently pending with us.

The appointed representative must request records or other information from the appropriate Social Security office (field office or Hearing Office) that services the mailing address ZIP code of their client (See GN 03305.020).

C. Disclosure to the appointed representative and designated associate when the appointment ends

We will honor an individual’s request to disclose records to the appointed representative and their designated associates, as long as the appointed representative’s appointment has not ended. The appointed representative’s appointment ends when:

  1. 1. 

    The individual cancels the appointment;

  2. 2. 

    The representative withdraws his or her own appointment; or

  3. 3. 

    The appointment expires (See GN 03910.060).

If one of these conditions exists, the individual must provide written consent for any subsequent disclosure of his or her records to the representative.

D. Fees for providing records

Charge the full cost or the appropriate standard fee for providing records or other information to third party requesters where the request is for a non-program purpose. For detailed information about charging fees for non-program purposes, see GN 03311.005E.


GN 03305 TN 15 - Disclosure With Consent - 10/08/2024