Jul 17

Is Your Designated Record Set Defined? What You Need to Know.




A Designated Record Set (DRS) is patient information maintained by a provider that includes protected health information (PHI). Providers should be aware that the information they import into their electronic medical records may become part of their designated record set(s), but they are not obligated to provide access to all of it. It is up to each covered entity to define what they consistently want to be part of their record.

To start the process, inventory all places (electronic and paper) where the office keeps patient information to get a full understanding of WHAT and HOW PHI is stored.  Be sure to query staff and providers to determine if there is any information kept elsewhere (e.g., patient summaries used to enter into EHR later, forms, etc.).  Do you have software or other vendors that may store some patient information?  Off-site storage?  Keep in mind the following definition from HHS: 

U.S. Department of Health and Human Services Definition:

(1) A group of records maintained by or for a covered entity that is:

(i) The medical records and billing records about individuals maintained by or for a covered health care provider...

(ii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.

(2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

HIPAA grants patients specific rights with regard to their medical records, including access (a physician cannot prohibit access except under very specific conditions), amendments, and restriction requests. However, these rights are limited to the information defined as the DRS. As noted above, this must include medical records and billing records, which include any appeals, correspondence, etc.

The “BIG” question is usually in regard to records received from other providers.  Were these records ‘used, in whole or in part to make decisions about the individual?’ 

  • Some records may be used in decision making regarding patient care. Ideally, the provider will document/reference the records used, but in my experience, this is rare. 
  • Some practices use them only to determine if they will take the individual as a patient, or for the medication history and chronic diagnoses that could be obtained from the patient. Are these “decisions” about the patient?
  • Are the copies sent separately, scanned into the EHR? If so, under what tab(s)?  This may make the decision to include or exclude these records as part of the DRS a little more obvious.   

Source of Truth – remember there can be only ONE ORIGINAL record of the patient. For example, I had an office where the physician insisted the records be printed out for each visit as he did not want to use the EHR system. He would write notes on the papers and keep them in his office ‘for a while’ as reference and dictate a note for the visit. Where is the source of truth? The physician made changes to documentation in the EHR, but only he was aware? What records were sent to other providers for continuity of care? Remember that incomplete and inaccurate information can very negatively impact patient care!

Finalizing and Documenting your DRS

Once you have a full understanding of where and how PHI is maintained, you must determine, document and train the entire team on YOUR Designated Record Set.  Below is an article that can help you think about what should and should not be included.  RRS also has a tool to help determine and communicate your DRS.  Make sure to also designate from WHERE the information can be retrieved.


When a patient request for records states “any and all,” there should be no confusion or inconsistency in the process with regard to what should be released and where to find it. Lack of this clarification can have legal consequences as well as an impact on patient care.


Sue Chamberlain, MSCTE, RHIA, CDIP, CCS-P

VP Compliance and Privacy