By Elizabeth McElhiney, MHA, CHPS, CPHIMS, CRIS
Director of Compliance and Government Affairs
Verisma
August 30, 2024

In most electronic health record (EHR) systems, a patient has one chart that all providers within the organization share. Additionally, providers may receive and make treatment decisions based on records from providers outside of the organization. When a practice receives a record request for a provider to fulfill, should it release only the records generated by that provider? Or should it include all records in the patient chart, even those from other providers?

What is the designated record set?

To know what to include, you’ll need to start with the designated record set. The HIPAA Privacy Rule indicates that when a patient or requestor asks for a medical record, the information in the designated record set may be disclosed. The Privacy Rule defines the designated record set as:

  • Medical and billing records about individuals maintained by or for a covered healthcare provider
  • The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
  • Other records used, in whole or in part, by or for the covered entity to make decisions about individuals

Any record that a provider generates and uses for treatment decisions is part of the designated record set. If a provider references outside notes or labs from another provider, they become part of the designated record set. Multiple providers in an organization may use the same patient chart and have the same designated record set for the patient.

What do I release?

There’s often confusion over what to release when a designated record set includes records from multiple providers. An authorization, or Right to Access, request often indicates where the records should come from, but it’s the what that’s often most important.

If the request is directed at a specific doctor or organization and states “any and all records,” this indicates the designated record set utilized in caring for the patient. The designated record set could include labs and office visit notes from an outside provider if those records were used for treatment purposes. It’s rare for a provider to utilize only the records he or she created in the care of a patient.

However, if the request says “any and all records created by or limited to” a specific doctor or organization, this limits the authorization or access request to only those specified records – the what in this scenario has changed. So, the designated record set would be limited to the what specified in the request.

For most release of information (ROI) requests, it’s important to receive the appropriate records referenced in caring for the patient. This typically includes the entire designated record set and isn’t a restriction on what provider created the information. Occasionally requestors claim this scenario constitutes a HIPAA violation because the records provided have more than one provider name included. Requests for a provider’s records are for his or her designated record set. Because the designated record set may contain information from other providers, and requests for the provider’s records are asking for his or her designated record set, providing records from other providers doesn’t constitute a HIPAA violation or breach.

Release record requests to a partner

If record requests and compliance concerns take too much of your staff’s valuable time, consider releasing this administrative burden to a partner. Verisma processes hundreds of millions of requests annually with the industry’s highest accuracy rate. If you need to focus more on patient care and leave record requests and compliance questions to a partner, request a demo today to see how we can help.
