No, the Social Security Administration (SSA) is not a covered entity under HIPAA. According to the Department of Health and Human Services (HHS), the SSA does not meet the criteria outlined in HIPAA regulations, which define covered entities as health plans, healthcare providers that transmit health information electronically, or healthcare clearinghouses. The SSA primarily administers social security benefits and collects medical records for disability determinations, but it does not provide or pay for healthcare services, exempting it from HIPAA requirements.
HIPAA defines covered entities as health plans, healthcare providers that transmit health information electronically, and healthcare clearinghouses that process health information between payers and providers. These entities must comply with HIPAA regulations to protect the privacy and security of protected health information (PHI).
Types of covered entities:
- Health plans
- Healthcare providers that transmit health information electronically
- Healthcare clearinghouses
The SSA administers social security programs, including Disability Insurance and Supplemental Security Income (SSI). It determines eligibility for these benefits, often requiring medical records to make informed decisions.
When evaluating applications for disability benefits, the SSA collects and assesses medical information. However, this function is specifically for eligibility determination, not for providing healthcare services.
According to the HHS, the SSA is not a covered entity under HIPAA. The definition of covered entities is outlined in 45 CFR 160.103 and includes health plans, healthcare providers that transmit health information electronically, and healthcare clearinghouses. The HHS further clarifies that "SSA meets none of these criteria as defined at 45 CFR 160.103 (GPO)."
Since the SSA is not a covered entity, its obligations for medical information come from sources other than HIPAA. It must still handle sensitive data carefully, but it is not directly governed by the HIPAA Privacy and Security Rules; instead, the SSA must ensure its processes comply with the other privacy laws and regulations that apply to it.
While the SSA does collect medical information, healthcare entities must ensure that any sharing of PHI with the SSA is compliant with HIPAA regulations and other applicable laws. When healthcare providers disclose information to the SSA, they should ensure that they have the necessary patient authorizations.
Healthcare professionals should also be aware of the implications for patient privacy and the secure handling of information during interactions with the SSA. This awareness will help maintain compliance with HIPAA while facilitating necessary communications with the SSA.
Covered entities must comply with stringent privacy and security regulations to protect patient information, including implementing safeguards, conducting risk assessments, and training employees on HIPAA compliance.
While non-covered entities are not directly subject to HIPAA, they may still need to comply with state laws and regulations governing the handling of personal health information, as well as contracts with covered entities that may impose specific requirements.
Organizations can assess their status by evaluating whether they provide or pay for healthcare services, transmit health information electronically in HIPAA transactions, or process health information between payers and providers, as defined by HIPAA regulations.