Under the HIPAA Privacy Rule, behavioral health specialists are required to provide patients access to the protected health information (PHI) contained in their designated record set. What is a designated record set?
Definition of Designated Record Set
A designated record set is defined as a group of records maintained by or for a covered entity that comprises of:
- Billing records and medical records about patients maintained by or for a covered healthcare provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.
Under this definition, a record refers to any protected health information (PHI) maintained, collected, used, or disseminated by or for a covered entity. Examples of records that may be included in a designated record set are as follows:
- Medical records
- Clinical laboratory test results
- Clinical case notes
- Wellness and disease management program files
- Decisions about individuals
- Medical images (such as X-rays)
- Billing and payment records
- Insurance information
How Does the HIPAA Right Of Access Apply?
Under the HIPAA right of access, covered entities are required to give patients access to their designated record set. The records must be provided in the format the patient requests (i.e. email, mail, USB, etc.), must be provided within 30 days of the request, and cannot exceed the costs associated with compiling the records (i.e. labor, supplies, postage).
Reasons for Denial of Access
There are specific instances in which covered entities may deny a patient access to their designated record set:
- The request is for psychotherapy notes.
- The request is for information compiled in reasonable anticipation of litigation.
- The request is for information compiled for or for use in a legal proceeding.
- An inmate requests a copy of their PHI held by a covered entity that is a correctional institution, or healthcare provider acting under the direction of the institution, and providing the copy would:
- Jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other persons at the institution, or responsible for the transporting of the inmate.
- The requested PHI is in a designated record set that is part of a research study that includes treatment (e.g., clinical trial) and is still in progress.
- The requested PHI is in federal Privacy Act-protected-records (i.e., certain records under the control of a federal agency, which may be maintained by a federal agency or a contractor to a federal agency), and denial of access is consistent with the requirements of the Act.
- The requested PHI was obtained by someone other than a healthcare provider (i.e. a family member of the individual) under a promise of confidentiality, and providing access to the information would be reasonably likely to reveal the source of the information.
Basic Telehealth Legal Issues: Rules, Regulations & Risk Management
Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!