
What is a designated record set


A designated record set is a collection of records used to make decisions related to patient care. The record also provides patients with access to their health information. 

 

How HIPAA defines designated record set

A designated record set is a specific group of records maintained by healthcare providers, health plans and other organizations that fall under HIPAA's jurisdiction. 45 CFR § 164.501 provides that these records include, “(i) The medical records and billing records about individuals maintained by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.”


 

Requirements for designated record sets

Healthcare organizations are required to provide patients with a copy of their designated record set upon request. The HHS guidance states, “The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more designated record sets maintained by or for the covered entity.”

Designated record sets are designed to allow individuals to have both access to and control of their medical information. By including designated record sets in patient requests for their medical records, patients gain access to their complete medical history, billing records, and other relevant documentation influencing care decisions. 

 

How to securely share designated records 

  • Use HIPAA compliant email services to send designated records.
  • Use software to password-protect files containing designated records, and communicate these passwords through alternative methods like HIPAA compliant text messages.
  • Avoid sharing additional personal details or documents. Only include the necessary information in the email. 
  • Have staff double-check the recipient's email address before sending to prevent unintentional privacy breaches.
  • Add confidentiality notices at the bottom of emails to remind the recipient that the information is sensitive and intended solely for them. 

 

FAQs

What are a patient's rights under HIPAA? 

Patients have the right to access their medical records, request amendments, receive an accounting of disclosures, request restrictions on certain uses and disclosures, and file a complaint if their rights have been violated.

 

When is deidentification necessary under HIPAA? 

Deidentification is necessary when healthcare providers or researchers want to use or disclose health information without compromising patient privacy.

 

When can a patient's request for disclosure be rejected?

A request may be rejected if the information requested is not part of a designated record set, if it relates to treatment notes made by a healthcare provider, or if the request is made by a third party without proper authorization.