Paubox blog: HIPAA compliant email made easy

Can healthcare providers disclose SSI recipient data?

Written by Kirsten Peremore | November 08, 2023

Social Security Income (SSI) is a financial assistance program by the Social Security Administration (SSA) for individuals with limited income and resources. Healthcare providers may disclose data to the SSA when patients or beneficiaries are applying for or receiving SSI benefits. These disclosures need to comply with HIPAA. 

Required SSA data

The SSA aims to ensure that individuals who meet the eligibility criteria receive financial support, especially those with severe medical conditions. For this reason, specific data related to patients' medical conditions may be required.

This includes:

  • Medical records
  • Treatment history
  • Diagnosis information
  • Prognosis details
  • Medication history
  • Functional limitations
  • Physical or mental condition information
  • Treatment plans
  • Laboratory test results
  • Physician's notes

See alsoHIPAA Compliant Email: The Definitive Guide

Disclosures to the SSA

Healthcare facilities might need to report patient information to the SSA. The Social Security Act outlines the requirements for disclosing information related to SSI.

SSI application/claim: PHI can be shared when the patient is applying for or already receiving SSI benefits, and the SSA requires medical records or information for the eligibility determination or review process.

Admission to facilities: Healthcare facilities, such as nursing homes, must report the admission of Social Security beneficiaries and their spouses to the SSA within a specific timeframe.

Changes in circumstances: Healthcare providers may need to report changes in a patient's status that could affect their eligibility for Social Security benefits. This reporting might include changes related to the patient's health status, change of address, or changes in living conditions.

See alsoPublic health activities and HIPAA

HIPAA and SSA disclosures

Under HIPAA, healthcare providers are bound to safeguard patients' PHI. However, HIPAA does permit the disclosure of PHI to government agencies, such as the SSA, under certain circumstances:

Required disclosures: HIPAA allows disclosures of PHI to government agencies if required by law. The Social Security Act mandates that certain PHI must be shared with the SSA to determine SSI eligibility and benefit amounts.

Minimum necessary standard: Healthcare providers sharing PHI with the SSA must limit the information disclosed to what is essential for SSI eligibility purposes. They should only provide details required for the specific determination, ensuring the minimum necessary standard under HIPAA.

Safeguarding PHI: While sharing PHI with the SSA, healthcare providers are required to ensure the security and confidentiality of the information. 

Patient notification: Healthcare providers are generally not required to inform patients when PHI is disclosed to the SSA for SSI determination. However, patients may request an account of the disclosures.

See also: What are patient rights under HIPAA?