The Health Insurance Portability and Accountability Act, widely known as HIPAA, created a regulatory framework to protect the privacy and security of an individual’s health data. This federal law governs how certain health care providers, health plans, and their business associates must handle Protected Health Information (PHI). Within this framework, the concept of a Designated Record Set (DRS) is fundamental, establishing the specific body of information that patients have a legal right to access and control. The DRS acts as the official collection of an individual’s health data that directly impacts decisions about their care and benefits.
Defining the Designated Record Set
The Designated Record Set (DRS) is a precise, legally defined term under HIPAA, specifically outlined in 45 CFR § 164.501. It refers to a group of records maintained by or for a Covered Entity (CE), such as a hospital or insurance company, that is used to make decisions about an individual. The definition is not limited solely to a patient’s medical chart but extends to any collection of records that serves this specific function. A CE’s Business Associate (BA), who performs services on the CE’s behalf, can also hold records considered part of the DRS.
The standard for inclusion is that the records must be used, in whole or in part, to make decisions about individuals, regardless of whether the information has been used to make a decision about the particular individual requesting access. This criterion ensures the patient has access to the information that influences their treatment, payment, and health plan enrollment. This definition delineates the exact boundaries of information over which a patient can exercise their rights of access and amendment.
Components: What Records Are Included
The Designated Record Set explicitly includes medical records and billing records maintained by or for a covered health care provider. This encompasses a broad range of clinical documents, such as physician notes, lab results, X-rays and other medical images, clinical case notes, and wellness program files. These records are considered part of the DRS because they directly inform treatment decisions and the ongoing management of a patient’s health.
For health plans, the DRS includes specific record systems related to the financial and administrative aspects of coverage. These are records for enrollment, payment, claims adjudication, and case or medical management systems. Any information that a health plan uses to determine eligibility, approve a service, or process a claim falls into this category.
Beyond these specific categories, the DRS includes any other group of records used by the Covered Entity to make decisions about the individual. This means that if a particular document is used to influence a patient’s care or benefits, it is automatically included in the set. This ensures that the patient’s right to access is determined by the record’s function in decision-making, not its format or name.
Practical Significance: Patient Rights of Access and Amendment
The Designated Record Set is the foundation for two significant individual rights granted by HIPAA: the right to access and the right to request an amendment.
Right of Access
The right of access allows an individual to inspect or obtain a copy of their Protected Health Information within the DRS. Covered Entities must respond to a request for access without unnecessary delay and generally no later than 30 calendar days after receiving the request. If a Covered Entity cannot meet the 30-day deadline, they are permitted a single 30-day extension. However, they must inform the individual in writing of the reason for the delay and the expected completion date before the initial deadline expires. HIPAA permits the CE to charge a reasonable, cost-based fee for fulfilling the request. This fee can only cover the costs of labor for copying, supplies, and postage, and cannot include the costs associated with searching for or retrieving the records.
Right to Request Amendment
The right to request an amendment allows an individual to ask a Covered Entity to change information in the DRS if they believe it is inaccurate or incomplete. This right applies exclusively to the DRS. If the Covered Entity denies the request for amendment, they must provide the individual with a written denial that includes the basis for the denial. The denial must also explain the individual’s right to submit a statement of disagreement regarding the denial.
Records That Are Not Included
Certain categories of information are explicitly excluded from the DRS definition, limiting a patient’s rights of access and amendment. One notable exclusion is psychotherapy notes, which are defined as notes recorded by a mental health professional documenting the contents of a private counseling session and kept separate from the rest of the medical record. While diagnoses, treatment modalities, and medication prescriptions are still included in the DRS, the personal, subjective notes are not.
Additionally, information compiled in anticipation of or for use in a civil, criminal, or administrative action or proceeding is excluded from the DRS to protect the integrity of legal processes. Internal administrative records, such as quality assessment or improvement data and peer review files, are also not part of the DRS if they are used for general business operations and not used to make decisions about the individual’s care.