
Bottom Line

In most electronic health records systems, patients have one chart that all doctors share. Because all doctors in that facility use that chart to make treatment decisions, all the records in that chart constitute the designated record set for all the doctors that use that chart. Therefore, Dr. Smith’s and Dr. Jones’ records are the same group of records.

ScanSTAT Technologies processes a lot of requests, and it’s not uncommon for many of those requests to be directed to a specific doctor. Periodically, after receiving records, some requestors will call with concerns about receiving records that have other doctors’ names on them, sometimes concerned that this is a HIPAA violation. As healthcare data experts, we want to ensure ScanSTAT provides requestors with accurate information based on their authorization.

When ScanSTAT provides records, we are providing what the HHS refers to as the “designated record set.” The HHS defines this as: “A group of records maintained by or for a Covered Entity that is:

    1. The medical records and billing records about individuals maintained by or for a covered healthcare provider;
    2. The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
    3. Other records used, in whole or in part, by or for the covered entity to make decisions about individuals.” [1]

When ScanSTAT receives a compliant request for records, we provide the medical and billing records about patients, maintained by a healthcare provider who uses the records in whole or in part to make decisions.

This is generally understood by requestors, who understand that if they request records from Dr. Smith, a covered healthcare provider, they will receive records Dr. Smith used while treating the patient. Occasionally it is presumed that Dr. Smith only uses records he or she made. However, this is rarely the case.

In most clinics, doctors share a patient chart with one another and often receive records from providers outside of their clinic or health system. Because the designated record set is both a set of records maintained (not necessarily created) by a healthcare provider and is used in whole or in part to make decisions about individuals, if Dr. Smith receives records from another provider that have been placed in the patient’s chart, those records become part of Dr. Smith’s designated record set for that patient because he or she can use them for making decisions about the patient.

This same scenario applies to doctors within the clinic itself. In most health systems, patients have one chart that all doctors treating the patient share. Because all of those doctors both maintain and use the same chart to make decisions about individuals, all of the doctors in the same clinic have the same designated record set. Consequently, if a requestor sends a request for Dr. Smith’s records, and another request for another doctor in the same practice, the requestor will receive the same information twice because Dr. Smith uses the same set of records to make decisions as any other doctor with access to that EHR.

Occasionally requestors believe that this scenario constitutes a HIPAA violation because records that do not have Dr. Smith’s name on them have been provided. Requests for Dr. Smith’s records are for his or her designated record set. Because Dr. Smith’s designated record set may contain information from other providers, and because requests for Dr. Smith’s records are asking for his or her designated record set, providing records from other providers does not constitute a HIPAA violation or breach.

[1] 45 CFR 164.501
