In most electronic health records (EHR) systems, patients have one chart that all providers within that organization share. Additionally, providers may receive and make treatment decisions based on records from providers outside of the organization.  When a practice receives a records request for a provider to fulfill, should they only limit the records generated by that provider? Or include all records in the patient chart, even if from other providers?

What is the Designated Record Set?

To know what to include, you’ll need to start with the designated record set.  The HIPAA Privacy Rule indicates that when a patient or requestor asks for a medical record, the information in the designated record set may be disclosed.  The Privacy Rule defines the designated record set as the following:

  • The medical records and billing records about individuals maintained by or for a covered healthcare provider;
  • The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records used, in whole or in part, by or for the covered entity to make decisions about individuals.

As defined above, any record that a provider uses for treatment decisions, regardless of whether generated by him or her, is part of the designated record set.  This means if a provider references outside notes or labs from another provider, they become part of the designated record set.  Multiple providers in an organization may use the same patient chart and thereby may also have the same designated record set for the patient.

How do I determine what to Release?

There is often confusion over what to release when a designated record set includes records from multiple providers.  An authorization or Right to Access request often indicates where the records are to come from, but it’s the what that is often most important.

If the request is directed at a specific doctor or organization and states “any and all records,” this translates to the designated record set utilized in caring for the patient in question. Remember, the designated records set could include labs and office visit notes from an outside provider if those records were used for treatment purposes.  In fact, it’s rare for a provider to utilize only records he or she created in the care of a patient.

However, if the request says “any and all records created by or limited to” a specific doctor or organization, this would limit the authorization or access request to only those specified records – the what in this scenario has changed.  Therefore, the designated record set would be limited to the what specified in the request.

For the majority of release of information requests, it’s important to receive the appropriate records referenced in caring for the patient.  Typically, this includes the entire designated record set and is not a restriction on what provider created the information.  Occasionally requestors claim this scenario constitutes a HIPAA violation because the records provided have more than one providers name included. Requests for a provider’s records are for his or her designated record set. Because the designated record set may contain information from other providers, and because requests for the provider’s records are asking for his or her designated record set, providing records from other providers does not constitute a HIPAA violation or breach.

Release Records Requests to a Partner

If you find records requests and the ensuing compliance concerns take too much of your staff’s valuable time, consider releasing this administrative burden to a partner.  ScanSTAT Technologies processes hundreds of thousands of records requests annually and is an industry leader with our 24-hour turnaround time and accuracy rate.  If you are ready to focus on patient care and leave the records requests (and compliance questions) behind, request a demo today to see how we can help.