Summer 2024 Issue
The Designated Record Set
By Joe Licata, JD
For The Record
Vol. 36 No. 3 P. 18
Answering Your Frequently Asked Questions
If HIPAA is the cornerstone of health care’s regulatory standards, then the designated record set (DRS) is its foundation. The DRS, found within the HIPAA Privacy Rule, refers to a collection of patient information ranging from medical histories and test results to billing and payment records that are used by or for a covered entity to make decisions about patients.
At a high level, HIPAA provides the following guidance on information that qualifies for minimum inclusion in a DRS: medical records, billing and payment records, health plan records, clinical decision-making records, health screenings, and consent forms. The list of inclusions is pretty broad, so the exclusion guidance becomes particularly critical to understand. Within the broad categories above, there are certain types of information and certain circumstances under which information may be acceptable to exclude from the DRS. We’ll dive into some more specifics on exclusions below.
Getting the right answer to “what is in the DRS?” is the foundation for figuring out the answer to an almost endless set of possible questions when it comes to HIPAA and health care data access.
Defining Your DRS Policy: What’s the Big Deal?
While HIPAA provides guidance on the DRS, it (wisely) does not outline a specific policy that every organization has to follow to the letter of the law. But while what to include and exclude from your DRS has some gray area, the requirement is black and white that a covered entity releases all records in the DRS to a patient who has a right of access request.1,2 Therefore, having a policy to handle these requests in a consistent manner is a best practice.
Trying to untangle the nuances around the DRS is how some organizations get overwhelmed and end up with no policy at all, which is surprisingly common. But that’s a mistake. Don’t let the gray area get you down—the best way to move forward is by creating a clearly documented DRS policy that includes justifications for what you’ve decided to include and exclude based on the guidance in HIPAA.
Answering Frequently Asked Questions
As you work to build or refine your DRS policy, what happens when situations arise that don’t fall neatly into your existing policy? It’s pretty common, and to that end, we’ve compiled the questions we most commonly encounter when we work with a new client or update or document a workflow that touches the various rules a DRS policy creates.
Are records from an outside provider that are in our system part of the record?
Yes. HIPAA does not provide a qualifier that says you can exclude information that originated from outside your organization or from another provider. If you have the information accessible (i.e., maintained or stored) in your EHR, then any “custodial” or “creation” exclusion is irrelevant as it relates to what should be included in the record set. Who created the information, or who was its first custodian, is not a filter to be applied.
If my organization has multiple locations, should I include patient records from all locations?
Yes. Similar to what was discussed previously, information from other locations across your organization should likely be included in your DRS because HIPAA does not provide any qualifiers about the origin of the information; rather, it’s focused on the information that’s accessible to you. The request and authorization control how much data should be included in a responsive record being generated, so the internal definitions should be exceptions that limit small amounts of data in most cases. Also, if you do run into a strange outlier, it’s okay to have an exceptions escalation in your policy.
Provider organizations should be especially careful not to use entity names or organizational structure definitions to carve data up or out of a DRS. If there is a valid reason for such a structural “blocker” to what would be released in an otherwise valid request, it should be considered in the security and architecture of the system itself. The biggest red flag here is when organizations try to “redefine” the HIPAA rules to allow for certain carve-outs in data at the point of release even though their systems handle the data as one organization or through one access point. That’s not the right path to take from a regulatory or compliance perspective.
One possible exception here is if your organization uses different EHRs at different locations. If that’s the case, and you do not have reasonable access to that information as part of the patient chart at your location, you would not be expected to include it in the release. But even in this example, try to make it easy on patients: if you have a standard release form, include some guidance that reflects the silos of information. In terms of patient satisfaction, an ounce of communication on this kind of complexity is worth a pound of patient frustration avoided.
Does the request type change what I should include in the DRS?
Yes. As request types vary, so should the information in the DRS. Here are a few guidelines for the most common types of requests:
• Patients should have broad access to their DRSs for review, copies, and amendments. While access here is generally comprehensive, it does exclude specific sensitive records like psychotherapy notes.
• Attorney access depends on patient authorization or other state or federal laws governing the request itself. Because these requests are often focused on records related to a legal matter, they are also subject to a whole host of confidentiality requirements and legal use restrictions that go far beyond the HIPAA rules.
• Insurance companies’ access is limited to the information necessary for payment and health care operations (which is fairly broad in its scope as well), and they’re required to have patient authorization or a legal basis. These releases would typically exclude nonrelevant sensitive records but, as always, what that limitation looks like is driven by the particulars of the systems themselves and the nature of the care being provided.
Are there any inclusions that require specific authorization?
Certain DRS inclusions may require a specific authorization or consent based on special protections under different areas of the law. Following are a few key examples:
Psychotherapy Notes
As a best practice, these should be kept separate from the rest of the patient’s medical records as release is governed by a separate set of rules.3 An important note here is that EHRs are increasingly providing tools to flag this type of information, so a default export would not include it, but a skilled user could see that something potentially relevant does exist in the system.
Substance Abuse Disorder Records
These are governed by strict confidentiality rules under 42 CFR Part 2.4 We advise handling these records using a specific workflow designed with Part 2 in mind.
HIV/AIDS Information
Many states have laws that provide additional protections for this information, including rules around minors and guardians, among other legal complexities.5
Genetic Information
The Genetic Information Nondiscrimination Act imposes restrictions on the use and disclosure of genetic information.6 This information is mushrooming in scale and therefore becoming a huge focus of privacy and security concerns, in addition to being challenging from a compliance standpoint as it relates to appropriately handling medical records.
Behavioral Health Records
State laws frequently define and add additional protections for behavioral health records such as psychiatric evaluations and medically assisted treatment.7
Other Sensitive Information
Other types of sensitive information that may have additional authorization requirements based on state law include information related to sexual assault, reproductive health, and domestic violence. Unfortunately, this last grouping is short on underlying definitions and consistency, so it requires a thoughtful approach to how you handle requests to make sure that you can exclude appropriately. EHRs themselves do not easily lend themselves to workflows that enable this kind of scrubbing.
Is outlining a DRS policy enough to protect my organization?
In and of itself, no. As explained above, the most critical part of a DRS is actually having it so that you can train on it and use it. But if it’s collecting dust on a (figurative) shelf and not being actively used as the guide when releasing health information, the level of protection it will provide you is limited. If a question or issue arises, you’ll want the ability to demonstrate not only that a policy exists but also how you actively leverage it. That means outlining the roles and responsibilities at your organization for accessing, leveraging, and maintaining the DRS, and ensuring you have someone (like a privacy officer) with clear oversight of the DRS and its ongoing use.
Set Yourself Up for Success
HIM professionals have a lot to manage. Hopefully this article offers some reassurance that developing and implementing a DRS does not have to be an insurmountable task. While there’s some up-front work to define your DRS and implement it across your organization, once that’s done, it’s really just a matter of setting up a cadence for a regular review (we suggest at least annually). And the level of protection and oversight that a clearly defined DRS provides for both you and your patients is well worth the effort. You’ll be more compliant and more confident that your patients’ sensitive information is being handled properly each time.
— Joe Licata, JD, is the chief operating officer and general counsel for HealthMark Group, where he drives the company’s commitment to operational excellence. In his role, he oversees day-to-day operations and collaborates with cross-functional teams to optimize processes that enhance patient care and drive success for the millions of patients and thousands of providers that HealthMark serves. Licata is also the leader for both the HealthMark privacy office and HIPAA steering committee, where he leverages his health care regulatory knowledge to ensure HealthMark maintains the highest standards for the handling and dissemination of confidential patient health information. He is an active member of the Association of Health Information Outsourcing Services, the Association of Corporate Counsel, and the Texas Bar Association, Health Law Section. Licata’s professional experience includes expertise in process automation, privacy and security, internet and e-commerce transactions, HIPAA, and other health care regulatory matters. He holds a BS from Texas A&M University and a JD from Southern Methodist University, where he was a Walsh Scholar.
References
1. Code of Federal Regulations: The HIPAA Privacy Rule, 45 CFR Sect 164.501 (2002).
2. Code of Federal Regulations: The HIPAA Privacy Rule, 45 CFR Sect 164.524 (2002).
3. Does HIPAA provide extra protections for mental health information compared to other health information? Health and Human Services website. https://www.hhs.gov/hipaa/for-professionals/faq/2088/does-hipaa-provide-extra-protections-mental-health-information-compared-other-health.html. Updated September 12, 2017. Accessed June 18, 2024.
4. Confidentiality regulations FAQs. Substance Abuse and Mental Health Services Administration website. https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs. Updated October 27, 2023. Accessed June 18, 2024.
5. State HIV laws. Centers for Disease Control and Prevention website. https://www.cdc.gov/hiv/policies/law/states/index.html. Updated March 17, 2022. Accessed June 18, 2024.
6. Genetic information. Health and Human Services website. https://www.hhs.gov/hipaa/for-professionals/special-topics/genetic-information/index.html. Updated June 16, 2017. Accessed June 18, 2024.
7. HIPAA privacy rule and sharing information related to mental health. Health and Human Services website. https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-and-sharing-info-related-to-mental-health.pdf. Published February 20, 2014. Accessed June 18, 2024.