The designated record set (DRS) is established to determine which health information a covered entity, such as healthcare providers, health plans, and healthcare clearinghouses, must maintain, and which information individuals have the right to access.
According to an Elsevier study exploring the scope of DRS, “An individual’s DRS only includes information about that individual and does not include information about other people that might be present in an individual’s medical files, and it only includes information that is currently stored by the covered entity at the time an access request is made.”
The record is designed to also provide patients with access to their health information. Concepts like the Legal Medical Record (LMR) were often conflated with the broader DRS, though nuanced differences now exist, especially with electronic health records (EHRs).
Regular medical records were physical paper charts containing handwritten, authenticated entries such as progress notes, lab results, imaging, diagnoses, and treatment plans. While the LMR represents the official, authenticated documentation of care, the DRS encompasses the LMR plus additional records used to make decisions about patients.
How HIPAA defines designated record set
A designated record set is a specific group of records maintained by healthcare providers, health plans, and other organizations that fall under HIPAA's jurisdiction. 45 CFR § 164.501 provides that these records include:
“(i) The medical records and billing records about individuals maintained by or for a covered health care provider;
(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.”
How the DRS supports patients’ HIPAA right of access to their health information
The right to access information within the DRS allows patients to review their medical facts, verify correctness, and request amendments if errors are found. The Academic Forensic Pathology study titled ‘HIPAA and Access to Medical Information by Medical Examiner and Coroner Offices’ notes, “The HITECH Act gives patients a right to request electronic copies of their record; entities generally have 30 days to respond. Patients may complain of violations of their HIPAA rights to an entity’s Privacy Officer and, if not satisfied, to the HHS Office of Civil Rights or to state-level agencies.”
The amendment process is facilitated by the DRS's structured maintenance, creating a clear audit trail of changes. Access to billing and claims data within the DRS also empowers patients to identify discrepancies or fraud. By knowing who has accessed or disclosed their PHI from the DRS, patients gain transparency, which builds trust in the healthcare system.
Exceptions to access within the DRS are limited but carefully defined. For example, psychotherapy notes maintained separately from medical records are excluded, and providers may deny access if it would result in harm. However, these exceptions are narrowly construed to preserve patient rights broadly. Access extends beyond the patient's lifetime to 50 years post-mortem.
Should designated record sets be included in patient requests for their medical record?
Healthcare organizations are required to provide patients with a copy of their designated record set upon request. The HHS guidance provides that, “The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more "designated record sets" maintained by or for the covered entity.”
Designated record sets are designed to allow individuals to have both access to and control of their medical information. By including designated record sets in patient requests for their medical records, patients gain access to their complete medical history, billing records, and other relevant documentation influencing care decisions.
How to securely share designated records
A JMIR Medical Education study assessing the use of email amongst healthcare professionals notes, “Email has become a popular means of communication in the past 40 years, with more than 200 billion emails sent each day worldwide. When used appropriately, email can be an effective and useful form of correspondence.”
HIPAA compliant email is universally accessible across devices and platforms, enabling rapid communication that is crucial for clinical decision making and continuity of care, especially in urgent or complex cases. Unlike paper or fax, which involve logistical delays and manual handling, email expedites sharing while reducing lost or misdirected records.
It facilitates direct provider-to-patient communication, allowing patients quicker and easier access to their health information, thereby supporting HIPAA’s patient access rights. Encryption protocols, including TLS, protect DRS data during transmission, ensuring that unauthorized parties cannot intercept and read sensitive health records.
What a designated record set does not include
One exclusion from the DRS is psychotherapy notes. A chapter from StatPearls notes, “Individuals have the right to access all health-related information, except psychotherapy notes and information collected by a provider, for legal defense purposes.” The HIPAA Privacy Rule grants patients the right to access their health information but specifically excludes psychotherapy notes from mandatory access.
Other types of information ordinarily excluded from the DRS include various quality assessment or improvement records, patient safety activity records, and business planning or development documentation. Such records, although potentially containing or derived from an individual's PHI, are not maintained to make decisions about specific individuals and instead serve more general operational, quality control, or administrative purposes.
Another notable category of information excluded from the DRS is data that has been de-identified or stripped of direct identifiers as defined by HIPAA. De-identified data are exempt from the Privacy Rule's protections because the risk of re-identification is minimal. This form of data is commonly used in research, public health, or policy analysis.
FAQs
What are a patient's rights under HIPAA?
The right to access their medical records, request amendments, receive an accounting of disclosures, request restrictions on certain uses and disclosures, and file a complaint if their rights have been violated.
When is deidentification necessary under HIPAA?
When healthcare providers or researchers want to use or disclose health information without compromising patient privacy.
When can a patient's request for disclosure be rejected?
If the information requested is not part of a designated record set, if it relates to treatment notes made by a healthcare provider, or if the request is made by a third party without proper authorization.