The consenting individual must give us enough information about the records he or she wants us to disclose to a third party to help us locate and release the correct records.

EXAMPLE:

A disabled claimant submits a signed Form SSA-3288 requesting us to send a copy of his most recent disability “medical report form” to his new doctor. We have several disability report forms. The claimant does not know that the number of the form to which he is referring is the Form SSA-3368 (Disability Report - Adult). Therefore, the claimant must describe the exact information on the form in enough detail to help us determine:

• •

  which disability form is the correct form, and

• •

  where it is located in his or her record.

Personal information about other individuals for whom we do not have a written consent document authorizing the release of information about them may be contained in the Number Holder’s (NH) record. The NH may not provide consent authorizing the release of their information from his or her record. Therefore, we must redact any such information about other individuals before releasing the requested information about the NH.

The Public Health Service (PHS) regulations (42 CFR 2.31) prohibit us from disclosing ADAP records without specific written consent from the individual to whom the records pertain. For more information about ADAP records and the related consent requirements, see GN 03305.030.

An individual may authorize us to disclose specific information from his or her record, on an ongoing basis, for a definite or indefinite period. Accordingly, the individual must indicate on the original consent document that he or she is requesting us to disclose information on an ongoing basis. The individual must also provide the time frame in which we can disclose the information. The consent is valid during this time frame. We may honor these requests as long as the consent document meets the requirements for a valid consent document and the individual or third party provides a copy of the original consent document with each subsequent request.

It is unnecessary to document a record to indicate that an individual has provided consent to disclose information on an ongoing basis. In these instances, the individual or third party must provide a copy of the original consent document along with each subsequent request for the same information originally requested. If a copy of the original consent does not accompany a subsequent request, do not honor the request. Return the information to the requester with an explanation of why we cannot honor it. Advise the requester to provide a copy of the original consent that indicates the information may be disclosed on an ongoing basis.

An individual may revoke his or her consent at any time by providing a written request to revoke the consent. Associate the request with the record file. If the record file is not available, annotate the special message field in the electronic record to indicate the individual has revoked his consent.

Under the HIPAA Privacy Rule, the term “covered entity” refers to the following three specific organizational group types:

• •

  Health care providers,

• •

  Health plans, and

• •

  Health care clearinghouses.

Although SSA is not a covered entity under the HIPAA Privacy Rule, we may accept a HIPAA consent document if it meets our consent requirements for non-tax return information (GN 03305.003D) or the Internal Revenue Service consent requirements (GN 03305.003E) for tax return information.

The Privacy Act permits federal agencies to exempt certain records from some of its specific requirements. In part, this means an individual may not receive access to records we maintain in certain exempt systems of records. Typically, these exempt records contain investigatory information related to potential fraud in our programs. Since an individual may not request access to this type of record, he or she may also not provide consent to disclose it to a third party.

Exempt records, for example, reside in program integrity files maintained by the Office of the Inspector General (OIG). Program integrity records are exempt from access and should be kept separately from the claims folder. Refer all requests for exempt records information located in program integrity files to the Office of Privacy and Disclosure (OPD) at ^OGC OPD Controls. OPD will work with OIG for a decision on disclosure under the guidelines of the FOIA. Also refer requests for exempt records information in other systems of records to OPD.

Section 1106 of the Social Security Act and our implementing regulations authorize us to charge the full cost of supplying information to first and third- party requesters where the information requested is for a non-program purpose. For more information about fees for non-program purposes, see GN 03311.005E.