Paubox blog: HIPAA compliant email made easy

HIPAA and Social Security Disability programs

Written by Caitlin Anthoney | May 30, 2024

Providers must use HIPAA compliant emails when communicating with the Social Security Administration (SSA) for disability determinations.

 

HIPAA law

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law governing the protection of individuals' medical records and other personal health information. HIPAA applies to covered entities including healthcare providers, health plans, healthcare clearinghouses, and their business associates, who handle protected health information (PHI).

Under HIPAA, covered entities are required to protect PHI through security measures like encryption, access controls, and regular security audits. They must also notify individuals of their privacy practices and obtain their consent before using or disclosing their PHI for purposes other than treatment, payment, or healthcare operations.


 

What are Social Security Disability Programs?

The Social Security Administration (SSA) administers Social Security Disability Insurance (SSDI), providing benefits to individuals who have worked and paid Social Security taxes but cannot work due to a disability. More specifically, it “provides monthly payments to people who have a disability that stops or limits their ability to work.”

To qualify for disability benefits through these programs, individuals must meet the SSA's definition of disability, which includes “having a disability or blindness” and “having enough work history.” 

According to the SSDI application process, applicants must provide documentation on: 

  • “Medical tests
  • Medication(s)
  • Permission to access medical records”

 

Intersection of HIPAA and Social Security Disability Programs

The intersection of HIPAA and the Social Security Disability Programs occurs when healthcare providers are asked to provide medical records and other health information to the SSA for disability determinations. While HIPAA governs the privacy and security of PHI, “The SSA is not a covered entity, so it is exempt from certain HIPAA provisions,” according to the HHS.

However, providers must comply with HIPAA regulations when sending medical records and other health information to the SSA for disability determinations. More specifically, providers must use a HIPAA compliant emailing platform, like Paubox, to secure patients’ PHI during transit and at rest.

HIPAA compliant emails can also be integrated with provider workflows when communicating with the SSA to improve efficiency while maintaining patient privacy.

 

Ensuring privacy and security

The SSA Code of Federal Regulations upholds privacy rights as individuals “have a right to access [their] medical records, including any psychological information that we maintain.”

Health records are still protected by HIPAA, even though the SSA has access when determining a person's disability. So, providers must first obtain explicit patient consent before releasing their medical records and only disclose the minimum necessary information required for disability evaluations.

 

Using HIPAA compliant emails

Submitting medical documentation 

Providers must use a HIPAA compliant platform, like Paubox, when submitting a patient's medical records to the SSA to support their disability claim. These platforms use encryption and access controls to safeguard PHI during transit and at rest.

 

Responding to SSA requests 

If the SSA requests additional information on a patient's medical condition, the provider can respond using HIPAA compliant emails, maintaining compliance with privacy regulations while fulfilling the SSA's requirements for disability evaluations.

 

Coordinating disability evaluations

Multiple healthcare professionals are involved in assessing a patient's disability status. These providers can use HIPAA compliant emails to coordinate evaluations and ensure that all relevant medical information is considered by the SSA during the decision-making process.

 

Clarifying patient history

In cases where the SSA requires clarification or verification of a patient's medical history, providers use HIPAA compliant emails to communicate the required details. Additionally, HIPAA compliant platforms, like Paubox, automatically encrypt attachments so providers can include supporting documents like lab results or imaging reports without compromising patient privacy.

 

Notifying SSA of updates

Providers can use HIPAA compliant emails to inform the SSA of improvements in a patient's medical condition that could affect their eligibility for disability benefits. The SSA can then use this information to update the patient's file and make any necessary adjustments to their benefits.

 

FAQs

Who must comply with HIPAA regulations?

Healthcare providers, health plans, healthcare clearinghouses, and their business associates must comply with HIPAA regulations.

 

Is the Social Security Administration (SSA) a covered entity under HIPAA? 

No, the SSA is not classified as a covered entity under HIPAA.

 

Can providers send protected health information (PHI) to the SSA?

Yes. Providers must use a HIPAA compliant emailing platform, like Paubox, when communicating with the SSA. These platforms use encryption and other security measures like two-factor authentication to safeguard patients’ PHI.