What Does a HIPAA Designated Record Set Consist Of? Definition & Examples

Definition of Designated Record Set

A HIPAA designated record set (DRS) is the group of records that a covered entity maintains about you to make decisions regarding your care, coverage, or benefits. It contains protected health information created or kept by or for the entity, in any medium—paper or electronic.

For providers, the DRS includes medical records and billing records. For health plans, it includes enrollment records, payment files, claims adjudication systems, and case management records. If a business associate maintains these records on the entity’s behalf, they are still part of the entity’s DRS.

Components of a Designated Record Set

Provider components

• Medical records that document your treatment and clinical status (e.g., histories, exam findings, test results, care plans).
• Billing records, including itemized statements, coding, and documentation that supports charges.
• Any records used to make decisions about you (for example, clinical protocols or notes referenced to approve or deny a service).

Health plan components

• Enrollment records used to establish eligibility and coverage tiers.
• Payment and claims adjudication records showing how claims were processed, denied, or paid.
• Case management and utilization management records used to authorize services or coordinate care.
• Any other records used to make decisions about an individual member’s benefits.

Cross-cutting elements

• Records may span multiple systems and formats (EHRs, scanned documents, email, image archives) as long as they are used to make decisions about you.
• Duplicates are not required if an identical copy is already provided; the focus is on the information, not the container.

Examples of Records in a Designated Record Set

Common provider examples

• Problem lists, medication lists, allergies, immunizations, vital signs, and care plans.
• Clinic notes, operative reports, discharge summaries, and therapy notes (excluding psychotherapy notes, which are separate).
• Lab reports, pathology reports, imaging reports, and key images when used to make decisions.
• Orders, referrals, prior-authorization requests, and decision rationales tied to your care.
• Billing records such as superbills, charge tickets, remittance advice, and coding justifications.

Common health plan examples

• Enrollment records, beneficiary applications, and coverage elections.
• Claims detail, claims adjudication notes, and payment determinations.
• Case management records, utilization review decisions, and appeal files.
• Provider network determinations and benefit interpretations applied to your claim.

Other examples across settings

• Care coordination communications when used to approve services.
• After-visit summaries and patient education documents included in the medical record.
• Correspondence that influences a decision about eligibility, coverage, or treatment.

Exclusions from Designated Record Set

• Psychotherapy notes (the clinician’s separate notes documenting or analyzing counseling sessions).
• Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding (litigation files).
• Quality improvement, peer review, accreditation, or business planning documents not used to make decisions about a specific individual.
• Research records that are not used to make decisions about the participant’s current care.
• De-identified data sets and data maintained only for teaching or testing that are not used for decisions about you.
• Employment records held by a covered entity in its role as an employer (these are not HIPAA protected health information).

Access Rights Under HIPAA

You have the right to inspect and obtain a copy of your designated record set from a covered entity. The entity must act on your request generally within 30 days, with one permitted 30‑day extension if it provides a written reason for the delay. You may request the form and format you prefer if it is readily producible, including electronic copies.

Reasonable, cost-based fees may cover labor for copying, supplies, and postage for mailed copies. You may direct your records to a third party in writing. If access is denied for a permissible reason, you must receive a written denial explaining the basis and, when applicable, how to appeal. You also have the right to request amendments to information in the DRS when it is inaccurate or incomplete.

Record Definition

Under HIPAA, a “record” means any item, collection, or grouping of information that includes protected health information and is maintained by or for a covered entity. A designated record set is the organized group of those records used to make decisions about you.

Two clarifications help avoid confusion: the DRS is broader than a hospital’s “legal health record” label and narrower than all data a covered entity holds. If a document or data element is used to decide your treatment, eligibility, coverage, payment, or benefits, it belongs in the DRS; if it is purely administrative or educational and never factors into a decision about you, it does not.

FAQs.

What records are included in a designated record set?

It includes medical records and billing records kept by or for your provider; a health plan’s enrollment, payment, claims adjudication, and case management records; and any other records a covered entity uses to make decisions about you.

How does HIPAA define a designated record set?

HIPAA defines it as a group of records maintained by or for a covered entity that comprises medical and billing records, health plan records like enrollment and claims adjudication systems, and other records used to make decisions about individuals.

Are psychotherapy notes part of the designated record set?

No. Psychotherapy notes are expressly excluded from the DRS. They are kept separate from the rest of the medical record and have heightened protections.

What rights do individuals have to access their designated record sets under HIPAA?

You have the right to inspect and obtain a copy of your DRS in the form and format requested if readily producible, generally within 30 days (with one possible 30‑day extension). You may be charged a reasonable, cost-based fee, direct records to a third party, and request amendments to correct inaccuracies.