Bottom Line

In most electronic health records systems, patients have one chart that all doctors share. Because all doctors in that facility use that chart to make treatment decisions, all the records in that chart constitute the designated record set for all the doctors that use that chart. Therefore, Dr. Smith’s and Dr. Jones’ records are the same group of records.

ScanSTAT Technologies processes a lot of requests, and it’s not uncommon for many of those requests to be directed to a specific doctor. After receiving records, some requestors will call with concerns about included records that have other doctors’ names on them, sometimes concerned this is a HIPAA violation. As healthcare data experts, we want to ensure ScanSTAT provides requestors with accurate information based on their authorization.

When ScanSTAT provides records we are providing what the HHS refers to as the “designated record set.” The HHS defines this as:

A group of records maintained by or for a Covered Entity that is:

  • The medical records and billing records about individuals maintained by or for a covered healthcare provider;
  • The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records used, in whole or in part, by or for the covered entity to make decisions about individuals. [1]

When ScanSTAT receives a compliant request for records, we provide the medical and billing records about patients, maintained by a healthcare provider who uses the records in whole or in part to make decisions.

This is generally understood by requestors, who recognize that if they request records from Dr. Smith, a covered healthcare provider, they will also receive records Dr. Smith used while treating the patient. Occasionally it is presumed that Dr. Smith only uses records he or she made. However, this is rarely the case.

In most clinics, doctors share a patient chart with one another and often receive records from providers outside of their clinic or health system. The designated record set is both a set of records maintained, not necessarily created, by a healthcare provider and used as a whole or in part to make decisions about individuals. So, if Dr. Smith receives records from another provider which have been placed in the patient’s chart, those records become part of Dr. Smith’s designated record set for that patient.

This same scenario applies to doctors within the clinic itself. In most health systems, patients have one chart that all treating providers share. Because they all maintain and use the same chart to make decisions about individuals, all of the doctors in the same clinic have the same designated record set. Consequently, if a request is made for Dr. Smith’s records and records for another doctor in the same practice, the requestor will receive the same information twice because they both use the same set of records to make decisions.

Occasionally requestors believe that this scenario constitutes a HIPAA violation because records that do not have Dr. Smith’s name on them have been provided. Requests for Dr. Smith’s records are for his or her designated record set. Because Dr. Smith’s designated record set may contain information from other providers and because requests for Dr. Smith’s records are asking for his or her designated record set, providing records from other providers does not constitute a HIPAA violation or breach.

[1] 45 CFR 164.501