TN 15 (10-24)

GN 03305.002 Limitations on Disclosure with Consent

Policy on disclosure limitations

The Privacy Act and other Federal laws do not allow us to disclose or release information unless the request for disclosure first meets certain conditions. When we receive requests to disclose an individual's information, we may require the individual’s written consent, as described in GN 03305.003F. This written consent is our legal authority for disclosing the requested information to a third party. In all instances, the consent document must describe the specific information authorized to be disclosed by us.

1. Consenting individual

The consenting individual must give us enough information about the records they want us to disclose to a third party to help us locate and release the correct records.

EXAMPLE:

A disabled claimant submits a signed Form SSA-3288 requesting us to send a copy of their most recent disability “medical report form” to their new doctor. We have several disability report forms. The claimant does not know that the form they are referring to is Form SSA-3368 (Disability Report - Adult). Therefore, the claimant must describe the exact information on the form in enough detail to help us determine:

  • which disability form is the correct form, and

  • where the form or information is located in their record.

2. Information about other individuals contained in the requested record

The number holder’s (NH) record may contain personal information about other individuals for whom we do not have a written consent document authorizing the release of their information. The NH may not provide consent authorizing the release of those other individuals’ information from the NH’s record. Therefore, we must redact any such information about other individuals before releasing the requested information about the NH.

3. Alcoholism and Drug Abuse Prevention (ADAP) patient records

The Public Health Service (PHS) regulations (42 CFR 2.31) prohibit us from disclosing ADAP records without specific written consent from the individual to whom the records pertain. For more information about ADAP records and the related consent requirements, see GN 03305.030.

4. Consent authorizing disclosure on an ongoing basis

An individual may authorize us to disclose specific information from their record, on an ongoing basis, for a definite or indefinite period. Accordingly, the individual must indicate on their original written consent that they are requesting us to disclose information on an ongoing basis. The individual must also provide the time frame in which we can disclose the information. The written consent is valid during this time frame. We may honor these requests as long as the written consent meets the requirements set forth in GN 03305.003, and the individual or third party provides a copy of the original written consent with each subsequent request.

It is unnecessary to document a record to indicate that an individual has provided written consent to disclose information on an ongoing basis. However, the component responsible for processing the request must store a copy of the original consent and document when the original written consent was received. If a copy of the original written consent does not accompany a subsequent request or cannot be located in our records, do not honor the request. Return the information to the requester with an explanation of why we cannot honor it. Advise the requester to provide a copy of the original written consent that indicates the information may be disclosed on an ongoing basis.

5. Revocation of the consent

An individual may revoke their written consent at any time by providing a written request to revoke the consent. Associate the request with the record file. If the record file is not available, annotate the special message field in the electronic record to indicate the individual has revoked their consent.

6. Health Insurance Portability and Accountability Act (HIPAA) consent forms

Our records are not subject to HIPAA. However, we may accept a HIPAA consent document if it meets our consent requirements for non-tax return information (GN 03305.003D).

7. Consent-based requests for records in an exempt system of records

The Privacy Act permits Federal agencies to exempt certain records from some of its specific requirements. In part, this means that an individual may not receive access to records we maintain in certain exempt systems of records. Typically, these exempt records contain investigatory information related to potential fraud in our programs. Since an individual may not request access to this type of record, they may also not provide consent to disclose it to a third party.

Exempt records, for example, reside in program integrity files maintained by the Office of the Inspector General (OIG). Program integrity records are exempt from access and should be kept separately from the claims folder. Refer all requests for exempt records information located in program integrity files to the Office of Privacy and Disclosure (OPD) at ^OGC OPD Controls. OPD will work with OIG for a decision on disclosure under the guidelines of the FOIA. Also refer requests for exempt records information in other systems of records to OPD.

8. Fees for supplying information

Section 1106 of the Social Security Act and our implementing regulations authorize us to charge the full cost of supplying information to first and third-party requesters where the information requested is for a non-program purpose. For more information about fees for non-program purposes, see GN 03311.005E.


GN 03305.002 - Limitations on Disclosure with Consent - 10/08/2024