Designated Record Set Examples Under HIPAA: What’s Included and What’s Not
Definition of Designated Record Set
A designated record set is the specific group of records that a covered entity maintains about you and uses to make decisions about you. Under HIPAA, this includes the medical and billing records a healthcare provider keeps, certain administrative record systems a health plan maintains, and any other records a covered entity uses, in whole or in part, to make decisions about an individual.
Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Records in a designated record set can be held directly by the covered entity or “for” the entity by a business associate (for example, a cloud EHR vendor or third‑party administrator). Location does not matter; what matters is whether the record is used to make decisions about you.
Key elements of the definition
- Healthcare providers: medical records and billing records about individuals.
- Health plans: enrollment records, payment records, claims adjudication records, and case or medical management records.
- Catch‑all: any other records used, in whole or in part, to make decisions about individuals.
What counts as a “record”
A record can be any item, collection, or grouping of information containing protected health information—notes, forms, images, messages, and datasets—if it is maintained by or for a covered entity and used to make decisions about an individual.
Included Records in a Designated Record Set
The easiest way to spot what belongs in a designated record set is to ask: “Is this information used to make decisions about the person?” If yes, it likely belongs.
Healthcare provider examples
- Clinical documentation: histories and physicals, progress notes, problem lists, care plans, discharge summaries, operative notes, consultation reports, therapy notes (excluding psychotherapy notes as defined by HIPAA), and immunization records.
- Diagnostic content: lab results, pathology reports, imaging reports and diagnostic images (X‑rays, MRIs, CTs), cardiac tracings, and other test outputs used for diagnosis or treatment.
- Medication and orders: medication lists, allergies, e‑prescriptions, order sets, and administration records.
- Care coordination: referrals, inter‑provider consults, and communications that result in changes to the plan of care.
- Financial records about the individual: encounter forms, itemized bills, remittance details received from payers, and correspondence about patient billing disputes that inform account decisions.
Health plan examples
- Enrollment records: applications, coverage elections, plan changes, subscriber and dependent information, and disenrollment documentation.
- Payment and claims: claims files, explanation of benefits details, and claims adjudication records supporting approvals, denials, or adjustments.
- Utilization and medical management: prior authorization files, case management notes, disease management records, nurse advice documentation, and appeals/grievance files used to decide coverage or services.
- Premium and cost‑sharing determinations when used to make decisions about an individual’s coverage or benefits.
Cross‑cutting examples
- Authorizations and consents that affect treatment, payment, or healthcare operations decisions about the individual.
- Data imported from other sources (outside lab reports, consult letters) once the covered entity uses them to guide decisions.
- Patient‑generated health data incorporated into the record and used to inform care or benefits decisions.
Records Excluded from a Designated Record Set
Some information is deliberately outside the designated record set. Exclusions depend on how the information is used, not merely where it is stored.
Always excluded
- Psychotherapy notes: a mental health professional’s separate notes documenting or analyzing the contents of counseling sessions. (This does not include medication management, session start/stop times, treatment plans, diagnoses, or summaries; those are generally included.)
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding (for example, a litigation file).
Generally excluded unless used to make decisions about the individual
- Quality Assurance Records, peer review files, internal audits, and performance improvement materials created for quality assessment or training, unless they are actually used to make decisions about the individual.
- Business planning and development documents (budgeting, forecasting, product planning) that are not used to make individual decisions.
- Underwriting, risk assessment, and actuarial work products when not used to make a decision about a specific individual’s coverage or benefits.
Other common exclusions
- Employment records held by a covered entity in its role as employer (e.g., occupational health files maintained for employment purposes).
- De‑identified data sets and limited data sets used for operations or research, which are not used to make decisions about identifiable individuals.
- Personal notes or memory aides kept for a provider’s sole use that are not shared and not used to make decisions about the individual.
Ownership and Control of Records
HIPAA focuses on control and access, not property ownership. In practice, the covered entity owns or controls the physical or electronic record, while you hold strong rights to access, obtain copies, and request amendments to information in the designated record set.
When records are maintained by a business associate (such as an EHR vendor, billing company, or cloud archive), they are still “maintained for” the covered entity. The covered entity remains responsible for honoring requests, and business associates must support access under their contracts.
Custody does not limit access
Whether your information is on‑site, in a vendor’s system, or archived, if it is part of the designated record set, you can request access through the covered entity that controls it.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Purpose and Importance of Designated Record Sets
Designated record sets establish the precise scope of what you can access under HIPAA. Clear boundaries reduce confusion, prevent over‑ or under‑disclosure, and help both individuals and organizations understand which records are in play during access requests.
For covered entities, maintaining an accurate designated record set map improves responsiveness to Individual Access Rights, supports consistent responses across departments and vendors, and lowers compliance risk. For individuals, it promotes transparency, enables second opinions, and supports care coordination.
Access Rights Under HIPAA
You have the right to inspect and obtain a copy of your protected health information in the designated record set. That right applies to both paper and electronic information and is not limited by where the data is stored.
What you may request
- Inspection on‑site or copies of records in the designated record set, including medical, billing, enrollment, claims adjudication, and medical management records.
- A summary or explanation of your records, if you agree to it.
- Transmission of a copy to a third party you designate, when requested in writing.
Form, format, and delivery
- You can request records in the form and format you prefer if they are readily producible that way (for example, electronic PDF, portal download, or paper copy). If not, you will receive a reasonably accessible alternative.
- Delivery options may include secure portal, secure email, mail, or in‑person pickup, consistent with your preference and the entity’s capabilities.
Fees
Covered entities may charge a reasonable, cost‑based fee for copies. Allowable components typically include labor for copying, supplies, postage, and, if you agree, costs to prepare a summary. Routine “access fees” beyond these are not permitted.
Denials and partial access
Access can be denied for specific reasons (for example, psychotherapy notes or information compiled for litigation). In some situations, you may be entitled to a review of a denial by a licensed professional not involved in the original decision, and you should receive written reasons for any denial along with instructions on how to seek a review or obtain any portions that are not excluded.
Compliance Considerations for Covered Entities
- Build and maintain a designated record set inventory across systems: EHR, imaging/PACS, LIS, RIS, pharmacy, portal, CRM/call center tools, data warehouses, plan admin platforms, enrollment records, claims adjudication records, and medical management records.
- Define inclusions and exclusions in policy: cite examples (e.g., enrollment records and claims adjudication records included; Quality Assurance Records and psychotherapy notes excluded) and specify how to handle edge cases.
- Operationalize access: standardize intake, identity verification, task routing, BA coordination, deadline tracking, redaction for mixed files, and delivery in the requested form and format.
- Segment sensitive content: ensure clear separation of psychotherapy notes; flag litigation files; configure role‑based access and data labeling so excluded content is not inadvertently released.
- Train staff: emphasize the difference between the “medical record” and the broader designated record set; practice responding to complex requests (e.g., payer appeals files, prior authorization dossiers).
- Manage fees and communications: publish a reasonable, cost‑based fee schedule; offer estimates; provide plain‑language denials with review rights where applicable.
- Hold business associates accountable: include access support in BAAs, test retrieval from hosted systems, and document turnaround expectations.
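As an added example (not part of this article and not Accountable’s own code), the following Python module turns the inclusion and exclusion rules listed on this page into data labels and then filters a mixed patient file into releasable and withheld items, each withheld item carrying a written reason. This is the “segment sensitive content” and “redaction for mixed files” step in code. The Category names, the Record fields, and the SAMPLE_FILE records are constructed assumptions; whether a real record is actually “used to make decisions” is a policy determination that the code only takes as an input flag.

```python
"""Label records for designated-record-set (DRS) handling and filter an
access-request export so excluded content is not released.

Added example, not the article's or Accountable's code. The rules follow the
article's inclusion/exclusion lists; category names, record fields and the
sample records below are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Category(str, Enum):
    # Core DRS categories named in the HIPAA definition.
    CLINICAL = "clinical"
    BILLING = "billing"
    ENROLLMENT = "enrollment"
    CLAIMS_ADJUDICATION = "claims_adjudication"
    MEDICAL_MANAGEMENT = "medical_management"
    # Categories with special handling.
    PSYCHOTHERAPY_NOTES = "psychotherapy_notes"
    LITIGATION = "litigation"
    QUALITY_ASSURANCE = "quality_assurance"
    PEER_REVIEW = "peer_review"
    BUSINESS_PLANNING = "business_planning"
    UNDERWRITING = "underwriting"
    PERSONAL_NOTES = "personal_notes"
    EMPLOYMENT = "employment"
    DEIDENTIFIED = "deidentified"
    OTHER = "other"  # the "catch-all": in only if used to make decisions


# Included by definition when maintained by or for the covered entity.
CORE = {Category.CLINICAL, Category.BILLING, Category.ENROLLMENT,
        Category.CLAIMS_ADJUDICATION, Category.MEDICAL_MANAGEMENT}
# Always outside the DRS.
ALWAYS_EXCLUDED = {Category.PSYCHOTHERAPY_NOTES, Category.LITIGATION}
# Outside the DRS unless actually used to make decisions about the individual.
EXCLUDED_UNLESS_DECISIONAL = {Category.QUALITY_ASSURANCE, Category.PEER_REVIEW,
                              Category.BUSINESS_PLANNING, Category.UNDERWRITING,
                              Category.PERSONAL_NOTES}
# Not records about decisions on an identifiable individual.
NOT_ABOUT_INDIVIDUAL = {Category.EMPLOYMENT, Category.DEIDENTIFIED}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: Category
    used_for_decisions: bool            # used, in whole or in part, to decide about the person
    maintained_for_entity: bool = True  # held by the entity or by a BA on its behalf
    content: str = ""


def drs_status(rec: Record) -> tuple[bool, str]:
    """Return (included, reason) for one record under the article's rules."""
    if not rec.maintained_for_entity:
        return False, "not maintained by or for the covered entity"
    if rec.category in ALWAYS_EXCLUDED:
        return False, f"{rec.category.value}: always excluded from the DRS"
    if rec.category in NOT_ABOUT_INDIVIDUAL:
        return False, f"{rec.category.value}: not used for decisions about an identifiable individual"
    if rec.category in CORE:
        return True, f"{rec.category.value}: core DRS record"
    # Remaining categories depend on actual use.
    if rec.used_for_decisions:
        return True, f"{rec.category.value}: included because used to make decisions about the individual"
    return False, f"{rec.category.value}: excluded, not used to make decisions about the individual"


def prepare_access_response(records: list[Record]) -> dict[str, list]:
    """Split a mixed file into releasable DRS content and withheld items with
    plain-language reasons (the 'redaction for mixed files' step)."""
    release, withheld = [], []
    for rec in records:
        included, reason = drs_status(rec)
        if included:
            release.append(rec.record_id)
        else:
            withheld.append({"record_id": rec.record_id, "reason": reason})
    return {"release": release, "withheld": withheld}


# Constructed sample file for one individual (not real data).
SAMPLE_FILE = [
    Record("R1", Category.CLINICAL, True, content="progress note"),
    Record("R2", Category.BILLING, True, content="itemized bill"),
    Record("R3", Category.PSYCHOTHERAPY_NOTES, False, content="session process notes"),
    Record("R4", Category.LITIGATION, False, content="compiled for a pending claim"),
    Record("R5", Category.QUALITY_ASSURANCE, False, content="peer review summary"),
    Record("R6", Category.QUALITY_ASSURANCE, True, content="QA finding that changed the care plan"),
    Record("R7", Category.EMPLOYMENT, False, content="occupational health file"),
    Record("R8", Category.OTHER, True, content="portal message that changed a referral"),
    Record("R9", Category.OTHER, False, content="appointment reminder template"),
]

if __name__ == "__main__":
    result = prepare_access_response(SAMPLE_FILE)
    print("release:", result["release"])
    for item in result["withheld"]:
        print("withheld:", item["record_id"], "-", item["reason"])
```

The withheld list is what a plain-language denial letter would be built from, and the labels on Record are the kind of data labeling the segmentation bullet above calls for; the decision flag still has to come from the entity’s policy and inventory, not from the code.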
Summary
Designated Record Set examples under HIPAA center on records used to make decisions about an individual. For providers, that means clinical and billing information; for health plans, enrollment records, payment files, claims adjudication records, and medical management records. Psychotherapy notes, litigation files, and most Quality Assurance Records are excluded. Knowing the boundaries helps you exercise your access rights and helps covered entities meet their compliance obligations efficiently and accurately.
FAQs
What records are included in a designated record set?
Included records are those a covered entity maintains and uses to make decisions about you. Examples include a provider’s medical and billing records and a health plan’s enrollment records, payment files, claims adjudication records, and medical management records. Diagnostic results, medication lists, and care coordination notes used to inform decisions are also included.
How does HIPAA define a designated record set?
HIPAA defines it as a group of records maintained by or for a covered entity that includes (1) medical and billing records about individuals maintained by or for providers, (2) enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for health plans, and (3) any other records used, in whole or in part, to make decisions about individuals.
What records are excluded from a designated record set?
Psychotherapy notes, information compiled for legal actions or proceedings, and materials created for quality assurance, peer review, or business planning (when not used to make decisions about an individual) are excluded. Employment records held by a covered entity in its role as employer and de‑identified datasets are also excluded.
Who maintains designated record sets under HIPAA?
Covered entities—healthcare providers, health plans, and healthcare clearinghouses—maintain designated record sets. Records may be held directly by the entity or by business associates on the entity’s behalf, but the covered entity is responsible for responding to access requests.
How can individuals access their designated record set?
You can submit a request to the covered entity asking to inspect or receive copies in your preferred form and format if readily producible. You may ask for a summary, direct a copy to a third party, and choose a delivery method (such as portal, secure email, or paper). Reasonable, cost‑based fees may apply, and certain exclusions and limited denial rights exist under HIPAA.