By Kim Stanger
Ed. note: This article also appears in an issue of the Idaho MGMA monthly newsletter.
Question: What is the difference between a “designated record set” and “legal health record,” and what must we provide when we receive a request for “records”?
Answer: HIPAA defines “designated record set” as:
A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider; [or]
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
(45 CFR 164.501). With very limited exceptions, patients and their personal representatives generally have a right to access protected health information in their designated record set. (45 CFR 164.524). As the OCR recently summarized:
The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).
(OCR, Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html). Thus, the “designated record set” includes records received from outside providers or entities if the practice uses the record to make decisions about the patient, including treatment or payment; the practice must provide such outside records along with its own records in response to the patient’s request to access or transmit the records.
In contrast, there is no uniform or regulatory definition of the “legal health record”, and its meaning often depends on the user and context. Some may intend it to refer to the patient’s “formal” medical record as defined and maintained by a practice; others use it to describe the medical records that would be used in court or produced in response to a subpoena. Thus, when people refer to the “legal health record”, you have to determine what exactly they mean by it.
When responding to a request for records, you must confirm who is requesting the information and what they are seeking:
- If the patient or personal representative requests records or asks that the patient’s records be sent to a third party, you generally must produce all records they request if such records are maintained in the patient’s “designated record set” unless one of the limited exceptions applies. (See 45 CFR 164.524). You are free to ask or confirm with the patient which records they actually want. For more information on responding to a patient’s request to disclose information, see my article at https://www.hollandhart.com/hipaa-releases-of-information-per-request-or-authorization.
- If you receive a valid HIPAA authorization from a third party seeking records, you generally may (but are not required to) produce the specific records identified in the authorization, but not others. If there is any question about which records are covered by the authorization, check with the patient to confirm what they want disclosed. For more information about the requirements for a valid HIPAA authorization, see my article at https://www.hollandhart.com/valid-hipaa-authorizations-a-checklist.
- If you receive a subpoena, order or warrant requesting records, you generally must produce the specific records or information identified in the subpoena, order or warrant. Remember: the party issuing the subpoena or order may define the requested records differently than you do. If you fail to produce the records that are fairly requested, you may be subject to contempt sanctions. If you produce more than the records requested, you may be subject to HIPAA penalties. Accordingly, if there is any doubt as to the scope of records requested, contact the party issuing the subpoena to confirm what they intend, and only produce the records identified in the subpoena or warrant. For more information about the rules for responding to subpoenas, orders and warrants, see my article at https://www.hollandhart.com/hipaa-responding-to-subpoenas-orders_and-administrative-demands.
- If you are required to disclose protected health information pursuant to a statute or regulation, make sure that you limit the scope of your disclosure to the specific information or records identified in the statute or regulation. (See 45 CFR 164.512(a)).
- If you are disclosing information for a purpose permitted by HIPAA without the patient’s authorization (e.g., disclosures to other providers for treatment purposes, or to a payer for payment purposes), you should generally comply with the minimum necessary standard, i.e., don’t request or disclose more than you need for the permissible purpose. (See 45 CFR 164.514). Note that when you receive a request from another provider for treatment purposes, you may assume that they need the records requested, which may include outside records. Again, when in doubt, check with the requesting provider.