Understanding the nuances of the Health Insurance Portability and Accountability Act (HIPAA) and its respective Rules is essential to maintaining a compliant healthcare practice. While some of the requirements set forth by the Privacy, Security and Breach Notification Rules are relatively straight forward and require little-to-no explanation, others can be more confusing, such as the case involving designated record sets.
Designated Record Sets Defined
So, what is a designated record set and how does it pertain to HIPAA? The HIPAA Privacy Rule describes designated record sets as being any group of records maintained by a covered entity that may include the billing records, patient medical records, medical payments, enrollment, adjustments, or medical management records for health plans.
In order for a group of records to be considered a designated record set, it must also contain individually identifiable information of one or more patients. Such information may consist of the patient's name and address, phone number, Social Security Number, medical ID number, etc. If the information can be used to identify the patient, it's considered personally identifiable; thus, it becomes a component of a designated record set.
Designated Record Sets vs Legal Health Records
It's a common assumption that designated record sets and legal health records refer to the same thing. Although similar in terms of function, they each have their own unique characteristics. Designated record sets are larger, comprising of a broader range of health records and documents than its counterpart. A legal health record, on the other hand, is an official, legal record of healthcare services that are delivered to a patient. If a patient requests his or her medical records, the covered entity will usually provide them with a legal health record.
What's the Purpose of Designated Record Sets?
Now that you know the basic definition of a designated record set, you might be wondering why the Office for Civil Rights (OCR) cares about them in the first place. Well, the purpose of designated record sets is to clarity patients' rights to obtain medical accounting and billing information that is used to make decisions about their healthcare.
Both designated record sets and legal health records are governed by the HIPAA Privacy and Security Rule. This means, among other things, that covered entities must implement the necessary safeguards to protect the data within these documents from unauthorized use or access. You can learn more about designated record sets by visiting the OCR's guide titled “The HIPAA Privacy Rule's Right of Access and Health Information Technology.”
Image credit: Tom Woodward via Flickr Creative Commons.