HIPAA, Patient Access, and Designated Record Sets
By Kim Stanger
With limited exceptions,1 HIPAA generally gives individuals the right to access or obtain copies of their protected health information (“PHI”) from covered entities. (45 CFR § 164.524(a)). But the right of access does not apply to all PHI that a covered entity might have; instead, individuals only have a right to access information in their “designated record set”. This article summarizes relevant standards for determining which records patients have a right to access.
1. Government Focus on the Right of Access. The right of access has been a priority for the Office for Civil Rights for several years. In 2016, the OCR published comprehensive guidance on individual access rights. (https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html). In 2019, the OCR launched its “Right of Access Initiative” targeting access violations for enforcement. (see, e.g., https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sharp/index.html). Violations of the right of access may result in penalties ranging from $119 up to $59,522 per violation. (45 CFR § 160.404; 45 CFR § 102.3; 85 FR 2879). Violations due to willful neglect trigger mandatory penalties of $11,904 to $59,522 per violation. (Id.). And on January 21, 2021, the OCR published proposed rules that would expand individuals’ right of access. (86 FR 6446). Given the government’s focus and potential penalties, it is more important than ever that covered entities understand the access rules.
2. The Right to Access. The HIPAA Privacy Rule states:
Standard: Access to protected health information—(1) Right of access… [A]n individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set….
(45 CFR § 164.524(a)). Contrary to many patients’ and providers’ understanding, providers and other covered entities are only required to provide copies of or allow patients access to records maintained in the patient’s designated record set.
3. Designated Record Set. HIPAA defines “designated record set” as:
(1) A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider; [or]
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
(2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
(45 CFR § 164.501, definition of designated record set, emphasis added; see also 65 FR 82489). The OCR explained the “designated record set” in its 2016 Access Guidance:
Information Included in the Right of Access: The “Designated Record Set”
Individuals have a right to access PHI in a “designated record set.” A “designated record set” is defined at 45 CFR § 164.501 as a group of records maintained by or for a covered entity that comprises the:
• Medical records and billing records about individuals maintained by or for a covered health care provider; [or]
• Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.
The term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.
Thus, individuals have a right to a broad array of health information about themselves maintained by or for covered entities, including: medical records; billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; and clinical case notes; among other information used to make decisions about individuals. In responding to a request for access, a covered entity is not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.
Information Excluded from the Right of Access
An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. For example, a hospital’s peer review files or practitioner or provider performance evaluations, or a health plan’s quality control records that are used to improve customer service or formulary development records, may be generated from and include an individual’s PHI but might not be in the covered entity’s designated record set and subject to access by the individual.
(OCR, Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html, hereafter “Access Guidance”).
a. Decisions Affecting the Individual. The first test for determining whether PHI is within a “designated record set” is whether the record (as opposed to the PHI itself) was “[u]sed, in whole or in part, by or for the covered entity to make decisions about individuals.” (45 CFR § 164.524(a), emphasis added). The 2000 commentary to the Privacy Rule explained:
[I]ndividuals have a right of access to any protected health information that is used, in whole or in part, to make decisions about individuals. This information includes, for example, information used to make health care decisions or information used to determine whether an insurance claim will be paid. Covered entities often incorporate the same protected health information into a variety of different data systems, not all of which will be utilized to make decisions about individuals. For example, information systems that are used for quality control or peer review analyses may not be used to make decisions about individuals. In that case, the information systems would not fall within the definition of designated record set. We do not require entities to grant an individual access to protected health information maintained in these types of information systems.
(65 FR 82554, emphasis added).
We do not require a covered entity to provide access to all individually identifiable health information, because the benefits of access to information not used to make decisions about individuals is limited and is outweighed by the burdens on covered entities of locating, retrieving, and providing access to such information. Such information may be found in many types of records that include significant information not relevant to the individual as well as information about other persons. For example, a hospital’s peer review files that include protected health information about many patients but are used only to improve patient care at the hospital, and not to make decisions about individuals, are not part of that hospital’s designated record sets….
(65 FR 82606).
Note that relevant decisions are not limited to healthcare decisions. The Privacy Rule Commentary states:
Comment: … Other commenters believed accessible information should be more limited; for example, some commenters argued that accessible information should be restricted to only information used to make health care decisions.
Response: … We disagree that accessible information should be restricted to information used to make health care decisions, because other decisions by covered entities can also affect individuals’ interests. For example, covered entities make financial decisions about individuals, such as whether an individual’s deductible has been met. Because such decisions can significantly affect individuals’ interests, we believe they should have access to any protected health information included in such records.
(65 FR 82606). Thus, the test for relevant “decisions” appears to be whether “the information might be used to affect the individual’s interests.” (65 FR 82607, emphasis added). In response to commenters’ suggestion that the right to access should only apply to “retrievable” PHI, HHS stated:
We have modified the proposed definition of the designated record set to focus on how information is used, not how it is retrieved. … [I]f it is never used to make decisions about any individuals, the burdens of requiring a covered entity to find it … outweigh any benefits to the individual of having access to the information. When the information might be used to affect the individual’s interests, however, that balance changes and the benefits outweigh the burdens.
(65 FR 82606-07, emphasis added). Again, from the Privacy Rule commentary:
Comment: … Specific suggestions for exclusion, either from the right of access or from the definition of designated record set, include quality assurance activities, information related to medical appeals, peer review and credentialing, attorney-client information, and compliance committee activities. Some commenters suggested excluding information already supplied to individuals on previous requests and information related to health care operations. However, some commenters felt that such information was already excluded from the definition of designated record set….
Response: We do not agree that records in these categories are never used to affect the interests of individuals. For example, while protected health information used for peer review and quality assurance activities typically would not be used to make decisions about individuals, and, thus, typically would not be part of a designated record set, we cannot say that this is true in all cases. We design this provision to be sufficiently flexible to work with the varying practices of covered entities.
(65 FR 82607, emphasis added).
b. Records Used to Make Decisions. Significantly, when defining the designated record set, the question is not whether the PHI is used to make decisions about the patient; instead, the question is whether the specific records containing PHI are used to make decisions about the patient:
Designated record set means:
(1) A group of records maintained by or for a covered entity that is:
. . .
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
(45 CFR § 164.501, emphasis added). This is illustrated by the following OCR FAQ:
Does the HIPAA Privacy Rule require that covered entities provide patients with access to oral information?
Answer: No. The Privacy Rule requires covered entities to provide individuals with access to protected health information about themselves that is contained in their “designated record sets.” The term “record” in the term “designated record set” does not include oral information; rather, it connotes information that has been recorded in some manner.
The Rule does not require covered entities to tape or digitally record oral communications, nor retain digitally or tape recorded information after transcription. But if such records are maintained and used to make decisions about the individual, they may meet the definition of “designated record set.” For example, a health plan is not required to provide a member access to tapes of a telephone “advice line” interaction if the tape is maintained only for customer service review and not to make decisions about the member.
4. Conclusion. Whether a covered entity must provide access or copies of a record depends on whether the specific record containing PHI is used to make decisions about the individual that affect the individual’s interests. If not, then the covered entity or provider may properly deny the request. On the other hand, if the records are used to make decisions about the individual, then the covered entity must generally provide access in the form and format requested unless one of the limited exceptions apply.
1The exceptions include psychotherapy notes; information prepared in anticipation of litigation; information obtained under a promise of confidentiality; information which, if disclosed, is reasonably likely to endanger the patient or others; certain information about inmates; certain information about research subjects; and information protected by the Privacy Act. (45 CFR § 164.524(a)).