What Is a HIPAA Designated Record Set? Definition, Examples & Patient Access

Definition of Designated Record Set

A HIPAA designated record set is the group of records maintained by or for a covered entity that is used, in whole or in part, to make decisions about you. It includes your medical and billing records held by providers, and a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems. In short, it is the portion of your protected health information (PHI) actually relied on to determine your care, coverage, or benefits.

The definition covers records in any medium—paper or electronic—and it follows the records wherever they are maintained “by or for” the covered entity. That means data stored by a business associate on a covered entity’s behalf is still part of the covered entity’s designated record set and subject to your right of access.

What “used to make decisions” means

Records are in the designated record set when they inform clinical, administrative, or benefit decisions about you: diagnoses and treatment plans, benefit determinations, prior authorizations, claims payments, and case management notes. Materials kept solely for internal business purposes (for example, budgeting analyses that never inform an individual decision) are outside the set.

Relationship to EHI and exchange

Under interoperability rules, electronic health information (EHI) generally maps to the electronic PHI that would be in a designated record set. As organizations share data through an electronic health information exchange, the data used to make decisions about you remains part of the designated record set regardless of which system holds it.

Examples of Designated Record Set

Provider-held records

• Medical records: histories and physicals, progress notes, operative reports, immunizations, allergies, medication lists, lab results, pathology reports, and radiology images and reports used for your care.
• Billing records: itemized bills, superbills, charge masters tied to your visit, and account notes used to resolve patient balances.
• Care coordination and case management records: care plans, outreach notes, transition-of-care documents, and utilization management notes when they inform decisions about your treatment.

Health plan–held records

• Enrollment and eligibility files, premium billing, and coverage elections for your policy.
• Claims adjudication records, explanations of benefits, prior authorization requests and determinations, and appeals files that affect your benefits.
• Case management records for disease management, complex case review, or medical necessity determinations.

Other common inclusions

• Pharmacy dispensing histories and formulary exceptions used to guide therapy or coverage decisions.
• Data accessed via patient portals or shared through electronic health information exchange networks when those data are used to make decisions about you.

Patient Access Rights

You have the right to inspect and obtain a copy of PHI in your designated record set from any covered entity that maintains it, with limited exceptions. You may request access directly or ask that the covered entity send a copy to you or, for electronic records, to a third party you designate in writing.

You may request the form and format you prefer (for example, PDF, readable CD, secure email, or portal download) if it is readily producible. You can also ask for a summary or explanation of your records if you agree to any associated fees in advance.

If you have a personal representative under applicable law (for example, a parent, legal guardian, or someone with a valid health care power of attorney), that person generally stands in your shoes and may exercise your access rights, subject to specific limitations intended to protect you from harm.

Exclusions from Patient Access

Some information is not accessible through the right of access because it is either not part of the designated record set or it falls under explicit exceptions. Key exclusions include:

• Psychotherapy notes kept separate from the medical record.
• The Reasonable Anticipation Exception: information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
• Clinical Trial Suspension: research records when you have agreed, during consent, to a temporary suspension of access while a clinical trial is in progress; access resumes at the trial’s conclusion.
• Records not used to make decisions about you, such as quality improvement files, peer review materials, accreditation prep documents, business planning or development notes, and training materials.
• For inmates, copies may be denied if providing them would jeopardize the health, safety, security, custody, or rehabilitation responsibilities of the correctional institution.

Format and Timing of Access

Covered entities must provide access in the form and format you request if readily producible; otherwise, they must offer a readable alternative you agree to. For electronic PHI, an electronic copy is required when feasible, which may be delivered through a patient portal, secure email, encrypted media, or via an electronic health information exchange workflow.

Timing is critical: the general deadline is within 30 days of receiving your request. If more time is needed, the covered entity may take one 30-day extension but must provide you a written explanation of the delay and a new completion date before the initial period ends.

Reasonable, cost-based fees may be charged for copies (for example, labor for copying, supplies, and postage). Fees may not include costs for searching, retrieving, or other non-copying overhead, and you should be told the fee up front.

Denial of Access

If your request is denied, you must receive a timely, written denial stating the specific reason, whether the denial is reviewable, and how to file a complaint or, if applicable, request a review by a licensed professional not involved in the original decision.

Unreviewable grounds

• Psychotherapy notes kept separate from the medical record.
• Information compiled in reasonable anticipation of, or for use in, legal proceedings (the Reasonable Anticipation Exception).
• Temporary denial for research when you consented to a Clinical Trial Suspension.
• For inmates, when providing a copy would jeopardize institutional operations as permitted by HIPAA.
• Information obtained from someone other than a health care provider under a promise of confidentiality, if access would likely reveal the source.

Reviewable grounds

• A licensed professional determines that access is reasonably likely to endanger the life or physical safety of you or another person.
• The record references another person and access is likely to cause substantial harm to that person.
• A personal representative requests access and a licensed professional determines access is likely to cause substantial harm to you or another person.

For reviewable denials, you may request an independent review. If the reviewer overturns the decision, the covered entity must provide access as directed by the reviewer.

Research Records Considerations

Whether research information is in the designated record set depends on how it is used. If research results or notes are used to make decisions about your treatment or eligibility for benefits, they are part of the designated record set. Research data that are de-identified or kept solely in a research repository and never used to make decisions about you are generally outside the set.

During a clinical trial, you may consent to a Clinical Trial Suspension that temporarily delays access to related records to protect study integrity. Once the trial ends, your right of access attaches to those records, subject to the usual process and timelines.

In multi-institution studies, data may flow through an electronic health information exchange or research platforms. Regardless of where the data reside, if a covered entity uses them to make decisions about you, they belong to that entity’s designated record set and are available to you under HIPAA’s access requirements.

FAQs.

What types of records are included in a designated record set?

It includes records maintained by or for a covered entity that are used to make decisions about you: medical and billing records held by providers; and, for health plans, enrollment, eligibility, payment, claims adjudication, and case management records. It also includes any other PHI—paper or electronic—used to determine your care, coverage, or benefits.

What records are excluded from patient access?

Psychotherapy notes kept separate from the medical record; information compiled in reasonable anticipation of or for use in legal proceedings (the Reasonable Anticipation Exception); and research records subject to a Clinical Trial Suspension you agreed to are excluded. Materials not used to make decisions about you—such as quality improvement files, peer review, business planning, or training materials—are also not accessible under the right of access.

How quickly must a covered entity respond to access requests?

Generally within 30 days of receiving your request. If the covered entity cannot meet that deadline, it may take one 30-day extension by sending you a written explanation of the reason for delay and a new completion date before the initial 30 days expire.

Can a personal representative access an individual’s designated record set?

Yes. A personal representative, as defined under applicable law, typically has the same right to access the individual’s designated record set. However, access may be limited when allowing it is reasonably likely to cause substantial harm to the individual or another person, or when other HIPAA conditions for denial apply.