Are Medical Records Protected by HIPAA? What’s Covered in the Designated Record Set and What Falls Outside
Your medical records are protected under the HIPAA Privacy Rule as Protected Health Information. The key to knowing what you can see and receive is the “Designated Record Set,” a defined group of records a provider or health plan uses to make decisions about you. This guide explains exactly what’s in, what’s out, and how your rights work.
Overview of HIPAA Privacy Rule
The Privacy Rule sets national standards for how a Covered Entity—health plans, most health care providers, and health care clearinghouses—uses and discloses Protected Health Information. It applies to PHI in any form: electronic, paper, or verbal, and it extends obligations to business associates that handle PHI on a covered entity’s behalf.
Beyond limiting uses and disclosures, the Privacy Rule gives you specific individual rights: to access your information, obtain copies, request amendments, and ask for restrictions. These Right of Access Provisions hinge on what’s contained within the Designated Record Set.
Because the right of access tracks the Designated Record Set, understanding what records are considered decision-making records is essential to exercising your rights effectively.
Definition of Designated Record Set
The Designated Record Set is the collection of records maintained by or for a covered entity that is used to make decisions about individuals. It is broader than a single system or electronic health record and includes both paper and electronic records.
For providers, the Designated Record Set includes medical and billing records about you. For health plans, it includes enrollment, payment, claims adjudication, and case or medical management records. It also captures any other records the entity uses to make decisions about you, regardless of the system or vendor holding them.
When a business associate stores part of the Designated Record Set for a covered entity, the covered entity still must produce those records to you upon request and coordinate with the business associate to do so.
Categories Included in Designated Record Set
While the exact contents vary by organization, the following types of records are typically included when they are used to make decisions about your care or coverage:
- Clinical documentation: problem lists, diagnoses, progress notes, care plans, orders, medication lists, allergies, immunizations, vital signs, discharge summaries, and treatment summaries.
- Test results and interpretations: completed laboratory reports, pathology and imaging reports, ECG interpretations, and clinician-signed result summaries.
- Provider billing and claims records: itemized bills, charge detail, coding records, and adjustments related to your encounters.
- Health plan records: enrollment and eligibility data, authorizations and denials, claims adjudication notes, case or medical management files, appeals and grievances, and Explanation of Benefits information maintained by the plan.
- Records received from other providers that your provider or plan maintains and uses to make decisions about you.
- Completed laboratory test reports that labs must provide under the Clinical Laboratory Improvement Amendments (CLIA), when those reports are used to make decisions about you.
Exclusions from Designated Record Set
Certain materials are expressly outside the Designated Record Set and therefore not subject to the individual right of access:
- Psychotherapy Notes: a mental health professional’s separate notes analyzing a counseling session’s conversation. These do not include medication information, session times, treatment summaries, test results, or diagnoses, which are part of the regular record.
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
- Business records and operations materials not used to make decisions about individuals, such as quality assessment or improvement records, patient safety work product, peer-review and credentialing files, training materials, and business planning or management documents.
- De-identified data and other datasets that cannot reasonably identify you.
- Research records that include PHI but are not used to make decisions about your care or benefits (for example, blinded research data kept separate from your clinical chart).
- Laboratory information that is not used to make decisions about you, such as instrument logs, quality control data, or results from certain research laboratories that are not subject to the Clinical Laboratory Improvement Amendments (CLIA).
Access Rights Under HIPAA
You have the right to inspect and obtain a copy of your PHI in the Designated Record Set from the covered entity. In general, the organization must respond within 30 calendar days, with one 30-day extension permitted if it provides you a written reason for the delay and a new date.
Format matters. If you ask for an electronic copy and the records are readily producible in that format, the covered entity must provide it electronically. If not, it must provide a readable alternative you agree to, such as a secure portal download, encrypted email, or paper.
Fees must be reasonable and cost-based, limited to labor for copying, supplies, and postage if you request mail. Retrieval fees and per-page charges for electronic copies are not permitted. You can also direct the covered entity to send a copy to a third party you designate in a written, signed request.
Some denials are permitted. Psychotherapy Notes and information prepared for legal proceedings are excluded categorically. Other denials (for example, if release would endanger life or safety) require review by a licensed professional, and you may request a second-level review. You also have the right to request an amendment to information in the Designated Record Set; the organization generally has 60 days to act, with one 30-day extension allowed.
Role of State Laws
HIPAA sets a national baseline, but state laws that are more protective of privacy or provide greater access generally control. States often impose heightened protections for sensitive categories such as mental health records, HIV and genetic information, reproductive health services, and records of minors who can consent to certain care.
Where state law is stricter than the HIPAA Privacy Rule, the covered entity must follow the state standard. Where state law conflicts and is less protective, HIPAA preempts it. Separate federal laws can also apply alongside HIPAA; for example, laboratories must follow the requirements of the Clinical Laboratory Improvement Amendments (CLIA).
If you are unsure which standards apply, ask the provider’s or health plan’s privacy office which state rules govern your request and whether any special consent or identity verification steps are required.
Compliance and Enforcement
The U.S. Department of Health and Human Services’ Office for Civil Rights enforces the Privacy Rule, including the Right of Access Provisions. Common pitfalls include slow responses, refusing electronic formats that are readily producible, charging impermissible fees, and failing to send records to a third party you designate.
Covered entities should maintain written policies, designate a privacy official, train staff, execute business associate agreements, and map where their Designated Record Set lives across systems and vendors. Clear procedures for intake, identity verification, format fulfillment, fee calculation, third-party direction, and timely logging help prevent violations.
- Identify all systems containing Designated Record Set information (EHR, imaging, labs, billing, plan platforms, care management tools).
- Document what is excluded (for example, Psychotherapy Notes, legal files, and internal quality materials).
- Publish a cost-based fee schedule and provide simple request pathways (portal, email, mail).
- Track turnaround times and escalate requests approaching the 30-day deadline; use the single 30-day extension only when necessary, and only with written notice.
- Coordinate with business associates to deliver records held on the covered entity’s behalf.
Conclusion
HIPAA protects your medical records and grants strong access rights to the information a covered entity uses to make decisions about you—the Designated Record Set. Core clinical, billing, and health plan records are in; Psychotherapy Notes, legal files, and internal business or quality records are out. Knowing the line helps you ask precisely for what you need and hold organizations to timely, compliant responses.
FAQs
Are psychotherapy notes protected differently under HIPAA?
Yes. Psychotherapy Notes are treated uniquely: they are kept separate from the general medical record, excluded from the Designated Record Set, and generally require your specific authorization for most uses and disclosures. You still have access to your broader mental health record—diagnoses, medication information, treatment summaries, and test results.
What records are excluded from the designated record set?
Exclusions include Psychotherapy Notes, information compiled for legal proceedings, business and quality records not used to make decisions about you (such as peer review or quality assurance files), de-identified data, research records not used for your care, and certain laboratory materials such as instrument logs or data from research labs not subject to the Clinical Laboratory Improvement Amendments (CLIA).
How does HIPAA define a covered entity?
A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with standard transactions. Business associates that handle PHI for a covered entity must comply with HIPAA through agreements and by law, but your right of access runs through the covered entity.
Can state laws override HIPAA protections for medical records?
State laws that are more protective of privacy or give you greater access generally take precedence over HIPAA, while less protective or conflicting state laws are preempted by HIPAA. Many states add special rules for sensitive information such as mental health, HIV, genetic testing, and certain care minors can consent to independently.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.