HIPAA Designated Record Set
Under the HIPAA Privacy Rule, behavioral health specialists are required to provide patients access to the protected health information (PHI) contained in their designated record set. What is a designated record set?
Definition of Designated Record Set
A designated record set is defined as a group of records maintained by or for a covered entity that comprises of:
- Billing records and medical records about patients maintained by or for a covered healthcare provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.
Under this definition, a record refers to any protected health information (PHI) maintained, collected, used, or disseminated by or for a covered entity. Examples of records that may be included in a designated record set are as follows:
- Medical records
- Clinical laboratory test results
- Clinical case notes
- Wellness and disease management program files
- Decisions about individuals
- Medical images (such as X-rays)
- Billing and payment records
- Insurance information
How Does the HIPAA Right Of Access Apply?
Under the HIPAA right of access, covered entities are required to give patients access to their designated record set. The records must be provided in the format the patient requests (i.e. email, mail, USB, etc.), must be provided within 30 days of the request, and cannot exceed the costs associated with compiling the records (i.e. labor, supplies, postage).
Reasons for Denial of Access
There are specific instances in which covered entities may deny a patient access to their designated record set:
- The request is for psychotherapy notes.
- The request is for information compiled in reasonable anticipation of litigation.
- The request is for information compiled for or for use in a legal proceeding.
- An inmate requests a copy of their PHI held by a covered entity that is a correctional institution, or healthcare provider acting under the direction of the institution, and providing the copy would:
- Jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other persons at the institution, or responsible for the transporting of the inmate.
- The requested PHI is in a designated record set that is part of a research study that includes treatment (e.g., clinical trial) and is still in progress.
- The requested PHI is in federal Privacy Act-protected-records (i.e., certain records under the control of a federal agency, which may be maintained by a federal agency or a contractor to a federal agency), and denial of access is consistent with the requirements of the Act.
- The requested PHI was obtained by someone other than a healthcare provider (i.e. a family member of the individual) under a promise of confidentiality, and providing access to the information would be reasonably likely to reveal the source of the information.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.
Your TBHI Professional Training Options
TBHI specializes in teaching you how to relax when delivering telehealth. It offers you a step-by-step learning path of online training that helps you be legally and ethically compliant, clinically proficient, and able to handle even the most difficult of clinical scenarios. Take advantage of COVID discount pricing to learn how to sit back and enjoy your telehealth experiences, rather than struggling with ZOOM fatigue and clinical uncertainty. All courses are evidence-based, available 24/7 through any device and most count toward legal and ethical requirements for licensure. Two micro certifications are also available.
- Telehealth Group Therapy — Exciting, highly interactive telehealth learning experience designed to get answers to your questions about legally and ethically managing telehealth group therapy. Digital class will allow you to connect with colleagues ahead of time to ask questions and share answers. Distinguished faculty will lead you through telehealth group therapy theory and exercises.
- Telehealth Clinical Best Practices Workshop — Live, interactive webinar, w/ 4 CME or CE hours to discuss preventing and handling complex clinical issues.
- Course Catalog
- Micro Certifications to give you a broader range of legal and ethical grounding, and allow you to distinguish yourself as a TBHI-credentialed professional on your websites, in social media, directories and other areas.