Fall 2023

HIPAA Challenges: The Clearly Defined Designated Record Set
By Bart Howe
For The Record
Vol. 35 No. 4 P. 30

In light of changing regulations, it’s more important than ever.

The designated record set has always mattered. But new regulations and updates to existing regulations (read: HIPAA) have put a spotlight on just how important it is to have a clearly defined designated record set.

Regulatory guidance is just that—guidance. It’s rare for a regulation to spell out exactly what to do and how to do it, and HIPAA’s designated record set is no exception. So, let’s take a closer look at the guidance we do have from HIPAA on the designated record set, then consider some recommendations for ensuring that your designated record set policy is clearly defined. We’ll wrap up with a few other regulations you’re going to want to keep an eye on, since all this tends to be interconnected (and if you analyze it long enough, all roads usually lead back to HIPAA).

HIPAA Guidance on the Designated Record Set
The designated record set refers to a defined collection of records that is maintained by or for a health care provider. Before we dive into legal-infested waters, let’s start at the high level.

What qualifies for inclusion as part of the designated record set?

• patient data created by your organization;

• patient data transmitted to your EMR from another provider;

• patient data you can access from your EMR; and

• patient data housed and maintained by your EMR.

It’s important to note that records maintained by a health care organization can qualify for inclusion in the designated record set regardless of whether the data were added to the record directly by your providers or if they originated from an outside provider or source. An example here is a primary care patient who sees a specialist who can directly access and input data into the primary care practice’s EMR. In this example, the data and chart information from that specialist’s visit can qualify as part of the designated record set for that patient.

As you can see, the designated record set includes various types of patient information—and usually more than you may think. So, when it comes to the designated record set, what’s in and what’s out?

Typical Categories of Data Inside the Designated Record Set
The following are the components typically found in a designated record set as outlined in HIPAA:

• Medical data: Patient medical histories, exam results, diagnoses, treatment plans, and any other information related to the patient’s medical care.

• Billing information: Information regarding the services provided, costs, and payments made by the patient or their insurance company.

• Health insurance information: Patient’s health insurance coverage, claims, and payment information may be part of the designated record set.

• Clinical laboratory reports: Results from diagnostic tests and lab work are usually included as they are crucial to the patient’s diagnosis and treatment.

• X-rays, images, and test results: Radiology reports, images (such as X-rays, MRIs, and CT scans), and other diagnostic test results are commonly included.

• Consultation reports: Reports from specialists or consultants who have provided input on the patient’s condition or treatment plan.

• Correspondence: Relevant communications between health care providers, including emails, faxes, and letters, may be included if they pertain to the patient’s care.

• Other relevant records: Any other records that are used to make decisions about the patient’s care, such as progress notes, discharge summaries, and referral information.

How to Define a Designated Record Set for Your Organization
So now for the million-dollar question—which information should be included when a patient or other authorized party requests access to medical records? This is where a clear, designated record set policy comes into play.

At a high level, a good, designated record set policy would outline the following:

• minimum inclusion (eg, progress notes, discharge summaries, nursing documentation);

• source documents that may be included based on request type (eg, birth certificates, radiology films, insurance cards);

• inclusions that require specific authorization (eg, substance use disorder protected health information, student health records protected by the Family Educational Rights and Privacy Act); and

• exclusions (eg, psychotherapy notes, cancer registry information, research documentation).

The biggest thing you can do to protect your organization from potential penalties is to have a clearly defined, designated record set policy, with documentation on how you have trained anyone handling medical records to comply with said policy.

Why the Designated Record Set Matters Now More Than Ever
The designated record set requirement has always been part of HIPAA, and it has always mattered. After all, a patient making a right of access request for records under HIPAA (45 CFR 164.524) is entitled to access all protected health information in the designated record set, subject to limited exceptions. But consider why it’s more important than ever before.

If you follow the health care regulatory rodeo, you are likely familiar with the Information Blocking Rule. And if you do not, or if you need a quick refresher, information blocking prohibits any “practice by an ‘actor’ that is likely to interfere with the access, exchange, or use of electronic health information” to the extent that such electronic health information is included in the designated record set. Even though this is a rule under the 21st Century Cures Act, the recently announced enforcement and final penalties are covered under HIPAA. It matters less which regulation covers what and more that things are getting serious when it comes to information blocking and the associated penalties.

Enter the designated record set. Having clear policies and definitions around your designated record set also helps ensure your organization is not (however inadvertently) participating in any practices that can be considered information blocking. Two birds with one stone.

The Scary Stuff
The lack of a clear designated record set policy could lead to a violation under the Information Blocking Rule.

Consider the following scenario. A patient is entitled to access all his personal health information in the designated record set under HIPAA’s patient right of access provision. So, what if a health care provider has excluded certain categories of information (like records from outside providers) from these requests in an inconsistent manner? This type of practice could lead to an information-blocking investigation and penalties of up to $1 million per violation. Yes, you read that right. Up to $1 million per violation. Sounds scary, doesn’t it?

However, if the investigation reveals that the health care provider had a well-documented policy describing the scope of the designated record set and training of employees on that designated record set policy, the outcome of the investigation could be swayed in the provider’s favor. The health care provider is much more likely to make it out of the investigation unscathed with a clear policy and established training to show that these inconsistent errors were not a practice of the covered entity.

Wrapping Up
Don’t miss the forest for the trees here. Yes, defining a designated record set can be complicated, but it’s well worth your time and energy, especially given the recent uptick in enforcement actions on violations and the sheer amount of money that penalties could cost your organization. In summary, your organization needs a clear, designated record set policy and training plan (and documentation!) to stay compliant.

— Bart Howe is the CEO of HealthMark Group, a leader in digital health information management based in Dallas. In that role, he leads a team focused on developing patient-centric technology solutions that streamline the flow of health care data to promote information accessibility and workflow optimization without sacrificing privacy or security. He’s also president of the Association for Health Information Outsourcing Services. Howe previously was executive vice president of business development and corporate strategy at Caris Life Sciences, a pioneering leader in precision medicine, biotechnology, and molecular diagnostics, where he led global business development, corporate strategy, international distribution, marketing, and biopharma services. Howe’s entrepreneurial experience includes cofounding Ubiquitous Energy, Inc, a venture-backed solar energy technology company. He began his career in finance as an analyst at JPMorgan Chase. Howe holds a BBA in finance from Texas A&M University and a master’s degree in business administration from Harvard Business School.