Defining and Disclosing the Designated Record Set and the Legal Health Record

For years, healthcare organizations have been struggling to define their legal health record and marry it with the HIPAA privacy requirement for a designated record set. Questions often arise about the differences between the two sets because both identify a set of information that must be disclosed upon request.

To further complicate the issue, the scope of health records is expanding and records are increasingly being maintained in multimedia formats. An individual’s record can consist of a facility’s record, outpatient diagnostic test results or therapies, pharmacy records, physician records, other care providers’ records, and the patient’s own personal health record. Administrative and financial documents and data are intermingled with clinical data. Source records such as diagnostic images, video, voice files, and e-mail may be included as well.

Additionally, there is now extensive metadata linked to electronic records. A provider must clearly define the specific documents and data elements that make up the subset of information included in the content of its legal health record.1

This practice brief identifies the purposes of the designated record set and the legal health record for healthcare organizations and provides guidelines for disclosing health records from each set.

What Record Goes Where

The legal health record serves to identify what information constitutes the official business record of an organization for evidentiary purposes. It is typically used when responding to formal requests for information for legal and legally permissible purposes.2

The designated record set, on the other hand, is used to clarify the access and amendment rights by individuals under the HIPAA standards. These standards provide that individuals have the right to inspect and obtain a copy and request amendment of medical and billing information used to make decisions about their care. The differences between the two sets of information are outlined in the table below.

Designated Record Set versus the Legal Health Record

This side-by-side comparison of the designated record set and the legal health record demonstrates the differences between the two sets of information, as well as their purposes.

Designated Record Set

Legal Health Record

Definition

A group of records maintained by or for a covered entity that is the medical and billing records about individuals; enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; information used in whole or in part by or for the HIPAA covered entity to make decisions about individuals.

The business record generated at or for a healthcare organization. It is the record that would be released upon receipt of a request. The legal health record is the officially declared record of healthcare services provided to an individual delivered by a provider.

Purpose

Used to clarify the access and amendment standards in the HIPAA privacy rule, which provide that individuals generally have the right to inspect and obtain a copy of protected health information in the designated record set.

The official business record of healthcare services delivered by the entity for regulatory and disclosure purposes.

Content

Defined in organizational policy and required by the HIPAA privacy rule. The content of the designated record set includes medical and billing records of covered providers; enrollment, payment, claims, and case information of a health plan; and information used in whole or in part by or for the covered entity to make decisions about individuals.

Defined in organizational policy and can include individually identifiable data in any medium collected and directly used in documenting healthcare services or health status. It excludes administrative, derived, and aggregate data.

Uses

Supports individual HIPAA right of access and amendment.

Provides a record of health status as well as documentation of care for reimbursement, quality management, research, and public health purposes; facilitates business decision-making and education of healthcare practitioners as well as the legal needs of the healthcare organization.

Categorizing record types can assist in understanding the similarities and differences and help organizations develop policies for each. Some record types are found in both the designated record set and the legal health record, while others are specific to the designated record set. The table below provides examples of different types of records and shows the similarities and differences between the two sets of information.

Sorting Record Types

Some record types belong in both the designated record set (DRS) and the legal health record (LHR). Some belong in the designated record set only. Categorizing record types helps organizations set policies for each record set.

Clinical Record

  • History and physical
  • Orders
  • Progress notes
  • Lab reports (including contract lab)
  • Progress notes
  • Vital signs
  • Assessments
  • Consults
  • Clinical reports
  • Authorizations and consents

DRS and LHR

Source Clinical Data

  • X-rays
  • Images
  • Fetal strips
  • Videos
  • Pathology slides

DRS and LHR

External Records and Reports

  • External records referenced for patient care: other providers’ records, records provided upon transfer
  • Patient generated records
  • Personal health records

DRS and Possibly LHR*

* There are two points of view on whether external records referenced for patient care are part of the legal health record. One view is that they should be if they were relied upon to make care decisions. The other view is that although they are part of the designated record set and are available for patient care and disclosures, they should not be because of the organization’s inability to attest to how the external records were originally created. Organizations should consult with their counsels to weigh the risks and benefits of either approach.

Committee Reports
(of patient-specific care decisions)

  • Ethics committee or tumor board, if deciding on a course of treatment for an individual patient

Note: Documentation of findings could be reported in the patient’s medical record. Other legal privileges may apply to these records.

DRS Only

Administrative and Financial

  • Super bills/encounter forms
  • Remittance advice
  • Case management records

DRS Only

Secondary/Administrative
and Statistical

  • Tumor registries data
  • QI/QM reports and abstracts
  • Statistical data
  • Committee minutes (not patient-specific treatment related)

Neither

External Records and Reports

The decision of which category external records and reports fall into is dependent upon:

  • The applicability of HIPAA privacy rules
  • The applicability of state law or regulation
  • The source of the request
  • The type of request

If external records and reports are used to make decisions about an individual, they become part of the designated record set. If those decisions are care decisions, in most cases those same records and reports will also be included in the provider’s legal health record, especially if they are created pursuant to a contract.

Examples of these “dual nature” record types include reports generated by a contracted service that are used by a hospital or physician practice, such as a reference lab or outsourced radiology services, and records generated by other providers that are used for planning patient care, such as records received in an Emergency Medical Treatment and Active Labor Act transfer between hospitals.

Personal Health Records

Personal health records (PHRs) provided by the individual and used to make healthcare decisions become part of the designated record set; however, they are not part of an organization’s official business records and so are not part of the legal health record.

An issue may arise when unsolicited copies of paper or electronic PHRs are provided and it becomes difficult to determine if they were used to make decisions about the individual. Organizations should develop policies and procedures to address the disposition of unsolicited PHRs.

Which Data Set Determines Redisclosure

Identifying the appropriate data for requests for information can prove problematic for healthcare organizations. The table below identifies which data set determines the redisclosure of information for the various types of requests.

Request Type or Source

Redisclosure Determined By

Designated Record Set

Legal Health Record

State Law and Regulation

Individual

X

Legal/subpoena/court

X

X

Third party

X

X

Determining Source for Disclosures

The designated record set is the set of information from which disclosures to an individual will be drawn because it is usually broader than the legal health record. Uses of the information for business and legal purposes are usually, but not always, drawn from the legal health record. The most notable exceptions are those disclosures made for purposes of discovery or e-discovery in which any information requested under the court order must be provided.

Several states have laws or regulations that spell out the requirements and conditions under which health information from another healthcare organization or provider must be redisclosed. In the absence of more stringent state law, HIPAA privacy rules prevail. However, because any medical or billing information that was used to make decisions about the individual is included as part of the designated record set under HIPAA privacy rules, information must be disclosed or redisclosed if requested by the individual to whom it pertains, regardless of whether the information is external or internal.

Legal Requests

If the source of the request is a subpoena or court order, the terms of the subpoena or order dictate what information must be disclosed. External records and reports in the organization’s possession, regardless of whether they are part of the legal health record, must be disclosed if they are within the scope of the subpoena or court order.

However, the party in possession of external information ordinarily cannot attest to how those records originally were created. It is important to establish this when the court requests how the information was obtained. A possible exception to this may be the incorporation of external information (such as the reference laboratory result mentioned above) into the record of care that most likely would result in that record being “made and kept in the ordinary course of business” in accordance with the business record exception to the hearsay rule.

There is a school of thought that these external records cannot and should not become part of the legal health record because of the inability to attest to how they were originally created. To include them as part of the legal health record may result in implied liability for any inaccuracies the external records contain. An opposing view is that if the external records were relied upon to make care decisions they should be included as part of the legal record.

However, including external records as part of the designated record set and making them available in all appropriate disclosures, including disclosures in response to a subpoena, may accomplish the same purpose. The organization’s legal counsel should be consulted prior to determining policy regarding the inclusion of external records as part of the legal health record.

Ultimately, the admissibility of the requested information in court is not the concern of the party producing the information. Compliance with the terms of the subpoena or order is required.

Nonlegal Third-Party Requests

If the source of the request is a third party (not the individual and not a court of law) and there are no applicable state laws or regulations, redisclosure of external records and reports should be determined by organizational policy after consulting with legal counsel. The matrix “Which Data Set Determines Redisclosure,” above, outlines whether the designated record set, the legal health record, or state laws and regulations determine rediclosure of the different types of requests.

Recommendations

Healthcare organizations can take some basic steps to help clear up the confusion around the legal health record and the designated record set and the disclosure of information from both:

  • Develop and maintain an inventory of documents and data that comprise the legal health record. Consider whether other types of information that are not document-based are part of the legal health record (e.g., e-mail, electronic fetal monitoring strips, diagnostic images, digital photography, and video).
  • Develop a detailed inventory of items that comprise the designated record set if a policy exists that identifies the general types of information used to make decisions about an individual.
  • Declare the official legal health record and designated record set in organizational policy.
  • Consider the use of records management software that supports the records declaration process and records lifecycle management, particularly for messaging records (such as e-mail or instant messages that are considered part of the legal health record or designated record set).
  • Collaborate with clinicians to develop procedures for identifying external information that has been used in patient care. This may entail somehow marking the information, special delivery provisions, or other methods that help clearly indicate that external information was used. Once identified as such, provisions should be made for including this in the patient’s record, whether paper or electronic. Within the record, consideration should be given to filing or indexing the external information under a separate tab or section of the electronic or paper record developed for this purpose.
  • Promptly return to the patient (if feasible) or dispose of (in accordance with the organization’s destruction procedures) any health information that is not used or not solicited.
  • Consider developing policies and procedures that confine the ability to request health information from external sources and to place such information in the patient’s record to specified staff or personnel.
  • Develop written policies and procedures as well as staff training for clinical users that address the use of external information. HIM staff should also be trained on procedures related to redisclosure of health information.

Notes

  1. Servais, Cheryl E. The Legal Health Record. Chicago, IL: AHIMA, 2008.
  2. Ibid.

References

AHIMA e-HIM Work Group on the Legal Health Record. “Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes.” Journal of AHIMA 76, no. 8 (Sept. 2005): 64A–G.

Hughes, Gwen. “Defining the Designated Record Set.” Journal of AHIMA 74, no. 1 (Jan. 2003): 64A–D.

Jedd, Marcia. “Declaring Records.” eDocMagazine. November/December 2007. Available online at https://www.aiim.org/article-docrep.asp?ID=34041.

Prepared by

Michelle Dougherty, MA, RHIA, CHP

Lydia Washington, MS, RHIA, CPHIMS

Acknowledgments

Jill Callahan Dennis, JD, RHIA

Barry Herrin, JD, FACHE

Keith Olenik, MA, RHIA, CHP

Cheryl Servais, MPH, RHIA


Article citation:
Dougherty, Michelle; Washington, Lydia. "Defining and Disclosing the Designated Record Set and the Legal Health Record." Journal of AHIMA 79, no.4 (April 2008): 65-68.