As organizations wrestle with implementing the new EHI requirements associated with Information Blocking, the topic of a Designated Record Set (DRS) is often front and center, as establishing a DRS is essentially a prerequisite for defining Electronic Health Information (EHI).
In this blog post we’ll answer some of the common questions associated with the Designated Record Set.
Is there a standard definition of the designated record set?
45 CFR Part 164.501 defines the Designated Record set as:
(1) A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider;
(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
(2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
Under HIPAA, the DRS helps to define an individual’s rights to access, amend, restrict, and acquire an accounting of disclosures of their protected health information. Individuals have the right to inspect their health information, obtain copies if desired, and to request amendments for any incorrect information—all facilitated by a defined DRS definition for each Covered Entity.
Can individual organizations set their own definition for DRS?
Individual organizations are able to set their own definitions for their DRS, and in fact are required to do so under HIPAA. The definition in 45 CFR Part 164.501 is not absolute, as each organization—each Covered Entity—is afforded needed flexibility to define a DRS that meets its specific business needs. For example, each organization may have different medical records and billing systems, and different claims, enrollment and payment profiles, and consequently each potentially may have different Designated Record Sets. The general framework for a DRS will be the same, yet the details are likely to differ between different business entities.
While some may advocate for a single, “standard” definition for the DRS, this would likely prove unworkable given the various business and technical ecosystems in place at different health systems, as well as the varied business and legal structures of Covered Entities that are required to comply with these regulations.
Note that the DRS is not synonymous with PHI (Protected Health Information), nor ePHI (Electronic Protected Health Information), nor EHI (Electronic Health Information), yet it is a component in the definition of these regulatory terms, and influences their use and interpretation.
Are there clear guidelines for providers to follow to set their DRS definitions?
Because the DRS was defined by HIPAA in 1996, and because the HIPAA Security Rule requires organizations to complete an annual Security Risk Assessment (SRA), part of which includes documentation of “where the ePHI is stored, received, maintained or transmitted” (see 45 CFR 164.308(a)(1)(ii)(A) and 45 CFR 164.316(b)(1)), most organizations have already established clear definitions for ePHI as well as for their Designated Record Sets.
Unfortunately, many organizations do not routinely update their DRS definitions (if at all). While most still continue to conduct annual SRAs, updating DRS definitions to keep pace with our evolving technological systems seem to often fall by the wayside. This is unfortunate as innovations including telemedicine, the ubiquitous use of cell phones and apps, “smart” medical devices, patient portals, secure messaging with providers, and FHIR have all fundamentally changed how we access, use, and collect personal health information, and our DRS definitions should be amended accordingly.
Fortunately, many organizations are now re-examining and updating their DRS definitions in lieu of the recent Information Blocking rules (established as part of the 21st Century Cures Act), and have focused on documenting these new sources of ePHI that patients, providers and health systems are now leveraging on a daily basis.
Are there items that should be excluded from the DRS?
Yes. HHS has provided additional guidance to help organizations interpret HIPAA, and have explicitly called out the following items as not appropriate to include as part of the Designated Record Set as they typically would include PHI that is not used to make decisions about individuals. Examples of this type of information might include:
* Certain quality assessment or improvement records
* Patient safety activity records
* Business planning, development, and management records that are used for business decisions
* Peer review files
* Practitioner or provider performance evaluations
* A health plan’s quality control records
* Formulary development records
These (and similar) items may be generated from and include an individual’s PHI but might not be in the covered entity’s designated record set, and therefore would not be subject to access by the individual.
In addition, two categories of information are expressly excluded from the right of access:
Psychotherapy Notes: The personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record. (See 45 CFR 164.524(a)(1)(i) and 45 CFR 164.501.)
Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. See 45 CFR 164.524(a)(1)(ii).
Note that the underlying PHI from the individual’s medical or payment records or other records used to generate the above types of excluded records or information remains part of the designated record set and would be subject to access by the individual.
How should organizations define their DRS?
While most organizations have historically defined their DRS (as required by HIPAA), as EHR systems evolve, and organizations implement new and innovative technologies (some perhaps even implementing new EHRs), many would benefit from revisiting their existing DRS definitions.
Organizations should focus on new and emerging technologies added to their technical ecosystems since the time they last updated their DRS, especially in areas where patients have been driving such innovation. With the advance of electronic technologies to assist with collecting medical information (think “Fitbits” or connected “smart” glucometers as examples) the definition of where electronic health information originates (and the type of media where it is recorded) is expanding—and that means our definitions of EHI, and our DRS, should be evolving as well.
How fluid should a DRS definition be?
Given the pace of technology, it is likely that the definition of each organization’s Designated Record Set will remain fluid for the foreseeable future. Organizations would be wise to review and update their DRS on an annual basis, in concert with their annual SRA, to identify new sources of ePHI and add them to their existing DRS definitions.
Are there any grey areas when establishing a DRS definition?
Each organization will have different degrees and areas of grey when defining their DRS. For example, each state may have different laws governing how covered entities are required to handle, document and administer PHI, ePHI and EHI. Standards and requirements of third-party payers are also considerations, as well as requirements of various regulating agencies (both state and federal). And of course technologies in use and sources of ePHI are also likely to differ between organizations, necessitating the need for customized DRS definitions for each organization.
Who should be involved when defining an organization’s DRS?
Typically, we see Health Information Management (HIM) groups leading the effort to define an organization’s DRS, with contributions from compliance, legal, medical records and medical staff.
Are there resources they can tap?
Many professional, federal, state and legal organizations (e.g. AHIMA, NCDHHS, Law Insider) offer opinions, guidance and sample documents for helping to define the DRS for an organization. Organizations wishing to update their DRS definitions may benefit from reaching out to such organizations for recommendations, depending on their specific circumstances, systems in use and scope of practice.
How does the DRS definition impact patients?
The DRS ultimately establishes how patients interact with our health care system, how organization collect and interact with patient-generated data, as well as helping to define each individual’s rights associated with their ability to access, amend, restrict, and acquire an accounting of disclosures of their protected health information.
Furthermore (with the advent of the 21st Century Cures Act) the DRS now also helps to define how patients are able to access, exchange, and use their Electronic Health Information, and how providers and developers are now required to share patient EHI to the benefit of patients.
Anything else to add about defining the DRS?
There are currently regulations (e.g. Proposed Modifications to the HIPAA Privacy Rule and Health Data Use and Privacy Commission Act) moving through Congress to modernize HIPAA, which has historically been focused on maintaining and securing the privacy of patient data.
Yet Micky Tripathi (the National Coordinator for HIT at HHS) has recently stated that “we now have an obligation to share data” and newer regulations that promote the sharing of patient information (such as the 21st Century Cures Act, Information Blocking and TEFCA) now seem in many ways to be at odds with HIPAA.
It will be interesting to see how HIPAA may be amended in order to support information sharing, while still hopefully preserving patient privacy, and whether our definition and perhaps even the concept of a Designated Record Set potentially evolves as well.