designated record set

The HIPAA Privacy Rule generally requires HIPAA covered entities (health plans and most healthcare providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in a designated record set (or sets) maintained by or for the covered entity. 

What is PHI?

PHI is defined as individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA covered entity, in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations.

What is a Designated Record Set?

Individuals have a HIPAA Right of Access to PHI contained in a designated record set. A designated record set is defined as a group of records maintained by or for a covered entity that comprises the:

  • Medical records and billing records about individuals maintained by or for a covered healthcare provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. 
    • These records include records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

Rated #1 on G2

“Compliancy Group makes a highly complex process easy to understand.”

G2 Leader Fall 2024

What is a Record?

The definition of the word “record” in designated record set is fairly broad. A “record” includes any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.

What are Examples of Records?

Because the word “record” is so broadly defined, numerous types of information that contain PHI that are maintained by or for covered entities, are subject to the right of access.  This information includes (but is not limited to):

  • Medical records 
  • Billing and payment records 
  • Insurance information
  • Clinical laboratory test results
  • Medical images (such as X-rays)
  • Wellness and disease management program files
  • Clinical case notes
  • Decisions about individuals
    • Note: “Other records” include records that are used to make decisions about any individuals, regardless of whether the records have been used to make a decision about the particular individual requesting access.

In responding to a request for access, a covered entity is not required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.

What is the Significance of a Designated Record Set?

The patient right of access to PHI contained in a designated record set, includes the right to receive a paper or electronic copy of the designated record set; the right to inspect and receive copies of a designated record set; and the right to amend information in the designated record set. 

Covered entities should, to ensure patient right of access is not impeded, have written policies and procedures governing designated record sets. These policies and procedures should clearly define what a designated record set is, and what information it consists of.