Legal Issues Presented by the Social Security Administration’s New Electronic Signature Process for Authorizations to Disclose Information
By John R. Christiansen, Christiansen IT Law, Seattle, WA
and Alan S. Goldberg, Attorney and Counselor-at-Law, McLean, VA*
In applying for Social Security disability benefits, applicants must provide the Social Security Administration (“SSA”) with health information demonstrating their disability. This information typically includes medical records and related information from applicants’ healthcare providers. Because this information likely would be classified as protected health information (“PHI”) under the privacy and security rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), healthcare providers must obtain a HIPAA-compliant authorization signed by the applicant (or a duly authorized agent) before disclosure to SSA is permitted.
|This process has depended on paper authorizations with pen and ink signatures, and has been burdensome and time-consuming for individuals, healthcare providers, and SSA. SSA therefore developed an electronic signature process for the Authorization to Disclose Information to the Social Security Administration (SSA) (Form SSA-827) as an alternative to the wet-signed paper form. Members of the American Bar Association provided suggestions and information during the development process.|
For more information on the new electronic signature process, please download the Health Law Section's complimentary podcast
at this link.
The SSA-827 electronic signature process is to begin in April 2012. Since SSA requests more than 15 million medical records each year on behalf of applicants for disability benefits, healthcare providers will be receiving many electronically signed SSA-827s.
This article therefore is intended to clarify the issues presented by the new SSA-827 electronic signature process for lawyers advising healthcare providers.
Electronic Signature in the Application Process
Adults applying for disability benefits online will now “click and sign” the SSA-827 as part of the electronic application process. Upon execution of this process, an image of the electronically signed form immediately uploads and becomes part of SSA’s electronic disability folder for the applicant. This uploading eliminates the need for the applicant to print, sign, mail, or deliver a paper copy to a Social Security Administration office, and creates an official government record of the document as electronically signed.
SSA is responsible for verifying the identity of the signer and protecting the information and records received. Applicants are encouraged to print a copy of the electronically signed and dated SSA-827 for their records.
Responding to an Electronically Signed SSA-827
The electronically-signed SSA-827 is virtually identical to the paper version. Both versions include all the elements and statements required for a valid authorization under the HIPAA Privacy Rule.1 The only difference between the forms will be in the completed electronic signature field, which will indicate that the applicant electronically signed the form using the new process. Healthcare providers will receive images of the electronically signed SSA-827 as they do today, so the new process should not require changes to existing provider office procedures for processing requests for records from SSA or its affiliated state agencies (disability determination services).
Initially, SSA will offer this new process only to adults using the internet to apply for disability benefits on their own behalf, so there will continue to be images of pen and ink wet-signed paper SSA-827s for other claims. SSA expects the use of this new electronic signature process to expand over time as the number of internet filers increases.
Legal Aspects of the Electronically Signed SSA-827
HIPAA does not specifically address standards for electronic signatures, although a Notice of Proposed Rule Making for the HIPAA Security Rule published in 1998 proposed an electronic signature standard.2 However, in 2000 Congress enacted the Electronic Signatures in Global and National Commerce Act (“E-SIGN”),3 and beginning in 1999 the states began adopting the model Uniform Electronic Transactions Act (“UETA”).4 No final HIPAA electronic signature standard has been promulgated.
E-SIGN and UETA therefore are the controlling law regarding electronic signatures, subject to other federal and state laws that might be applicable in particular instances. E-SIGN preempts most federal and state laws which deny “legal effect, validity, or enforceability” of any electronic “signature, contract or other record relating to [a] transaction.”5 Specifically and in general, E-SIGN preempts all state laws controlling electronic signatures except UETA.6 The only exceptions include laws pertaining to wills, trusts, etc.; adoption, divorce, and family law matters; certain judicial documents; and consumer default and foreclosure notices.7 E-SIGN, and in almost all states UETA as well, therefore enable electronic signatures both for HIPAA authorizations and any comparable authorizations required by state law.
Neither E-SIGN nor UETA requires any specific technology or process for the enforceability of electronic signatures. Instead, any “electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with intent to sign the record” can be accepted as an electronic signature.8
The SSA electronic signatures process meets these statutory criteria as follows:
An electronic sound, symbol, or process : The applicant’s “click and sign” agreement is given electronically and is recorded in SSA’s databases. The electronic signature is part of an electronic process of storing and recording information relevant to each claim. Such “click to accept” and “clickwrap” processes consistently have been recognized as legally enforceable.9
Logically associated with a record : The fact of the online application, the thorough vetting of the applicant’s identity, and the applicant’s acceptance of the process and form, are recorded in SSA’s data systems. The electronic signature process (and claims intake-process), undertaken logically and consistently, therefore are associated with the record (that is, the authorization form). The process therefore evidences the acceptance of the electronic authorization form.
Adopted by a person with the intent to sign the record : The applicant is given the opportunity to understand the content and nature of the form and agrees to authorize, via the form, disclosure of the requested information. SSA provides a copy of the completed form to the applicant, and the copy will include the electronic signature of the applicant exactly as sent to the healthcare provider.
Finally, despite the absence of a HIPAA electronic signatures standard, electronic signatures have been considered fully acceptable as reflected in the development of HIPAA standards and guidance generally. The U.S. Department of Health and Human Services (“HHS”) has stated that a HIPAA covered entity such as a doctor or hospital does not need to verify the identity of the purported signer of an electronically signed document,10 and that an electronic signature is a sufficient signature for an authorization form.11 No instance has been found in which HHS has questioned the legal efficacy of an electronic signature that complied with non-HIPAA applicable federal and state laws.
HHS has also posted a frequently asked question ("FAQ") on its website setting forth in detail how the HIPAA privacy rule allows otherwise HIPAA-compliant authorizations to be obtained electronically from individuals, provided any electronic signature otherwise is valid under applicable law.
To view the entire HIPAA FAQ, go to http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/554.html
For more information about Social Security Administration’s electronic signature process, go to http://www.socialsecurity.gov/disability/professionals/eAuthorization.htm
To view the current AUTHORIZATION TO DISCLOSE INFORMATION TO THE SOCIAL SECURITY ADMINISTRATION (SSA), go to
*The Social Security Administration contributed to this article.
See 45 CFR §164.508(c).
|2 ||42 U.S.C. §1320d-2(e); 63 Fed. Reg. 43,242, 43,268 (Aug. 12, 1998) (proposed electronic signature standard).|
Codified at 15 U.S.C. §§7001 et. seq.
15 U.S.C §7001(a).
15 USC §7002(a)(1).
15 USC §7003(a), (b)(1), (b)(2)(b).
15 USC §7006(5).
See e.g. Hammer, Internet Law and Electronic Contracting Cases 2010- 2011, 67 Bus. Law. 279 (2011); Moringiello and Reynolds, Electronic Contracting Cases 2008–2009, 65 Bus. Law 317 (2009); Moringiello and Reynolds, Survey of the Law of Cyberspace: Electronic Contracting Cases 2005 – 2006 , 62 Bus. Law 195 (2006); etc.
65 Fed. Reg. 82,462, 82,518 (Dec. 28, 2000) (“We do not require verification of the individual’s identity or authentication of the individual’s signature.”).
65 Fed. Reg. 82,462, 82,660 (Dec. 28, 2000) (“Electronic signatures are sufficient, provided they meet standards to be adopted under HIPAA. In addition, we do not intend to interfere with the application of the Electronic Signature in Global and National Commerce Act.”).
The ABA Health eSource is distributed automatically to members of the ABA Health Law Section . Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.