In one of our last blog posts we discussed the HIPAA Privacy Rule’s Right to Access as it applies to the Designated Record Set of patients. We’re going to dive into the details of Designated Record Sets and what is included. 

The Designated Record Set is a group of records maintained by or for the organization that consists of the Medical Records and billing records about a resident and is used, in whole or in part, by or for the Facility to make decisions about the resident.  The term record means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for the organization. 

The organization maintains the following as the Designated Record Set: 

  • The patient’s Medical Record, 
  • The patient’s Business Office File, and  
  • The patient’s Personal Health Records. 

A patient’s Medical Record includes, at a minimum, the following (as applicable): 

  • Activity documentation 
  • Admission/readmission documentation 
  • Advance directives 
  • Assessments, flow sheets 
  • Care plan 
  • Informed consent 
  • History and physical exams and other related hospital records 
  • Minimum Data Set 
  • Medication and treatment records 
  • Nursing documentation/progress notes 
  • Nutritional services documentation 
  • Physician and professional consultant progress notes 
  • Physician’s orders 
  • Rehabilitative and restorative therapy records 
  • Reports from lab, x-ray and other diagnostic tests 
  • Face sheet 
  • Social service documentation 

Excluded from the Medical Record are source data, including photographs, films, monitoring strips, videotapes, slides, worksheets and daily communication sheets, and shadow files or charts, unless such data is used to make decisions related to the resident’s care. 

If records from other providers are used by your organization to make decisions related to the care and treatment of the resident, then these records are considered part of the Designated Record Set as well as the Medical Record, e.g., history and physical, discharge summary and labs from previous acute care hospitalization. 

A patient’s Business Office File includes, at a minimum, the following (as applicable): 

  • Admission documents 
  • Acknowledgement of receipt of the Facility’s Notice of Privacy Practices  
  • Correspondence relating to coverage and payment from insurance companies, health plans, Medicare, Medicaid and other payor sources 
  • Resident claim information, including claim, remittance, eligibility response, and claim status response 
  • Statements of account balance 
  • Collection activity documents and correspondence 

Personal Health Records consist of the patient’s personal health information provided to the organization by the patient.  If such records are used by the organization to make health care related decisions, provide care services, or document observations, actions or instructions, then the records will be considered part of the Designated Record Set. 

The following are excluded from the Designated Record Set:  Administrative data, such as audit trails, appointment schedules and practice guidelines that do not imbed PHI.  Also excluded are incident reports, quality assurance data, vital certificate worksheets, and derived data such as accreditation reports, anonymous resident data for research purposes, public health records and statistical reports. The Designated Record Set is to be retained according to state and federal regulations and following Facility or company retention procedures. 

Learn how BlueOrange Compliance can help you protect your organization and the people you serve by calling 855.500.6272, or request a free consult.

Request A Consult