What Is a Medical Record Under HIPAA? Definition, Examples, and What’s Not Included
Definition Of Medical Record Under HIPAA
Under HIPAA, a medical record is best understood through the “designated record set” (DRS): the information a covered entity uses to make decisions about an individual’s care or benefits. The DRS is a subset of Protected Health Information (PHI); it is not all PHI, only the portions used for decision‑making.
For health care providers, the DRS includes medical and billing records. For health plans, it includes enrollment, payment, claims adjudication, and case or medical management record systems, plus any other records used to make decisions about members. If a record informs a decision about you, it likely belongs in your HIPAA medical record.
A Covered Entity (health care provider, health plan, or health care clearinghouse) maintains the DRS. Business associates may create or store parts of it on behalf of the covered entity, but the covered entity remains responsible for HIPAA compliance and patient access.
Notably, some PHI sits outside the DRS. Psychotherapy Notes kept separately, Quality Assessment Records, and certain Legal Proceedings Documentation are PHI but are not part of your HIPAA “medical record” for access purposes.
Examples Of Medical Records Under HIPAA
Provider-side examples
- Clinical documentation: histories, physicals, progress notes, operative reports, discharge summaries, problem and medication lists, allergies, and immunizations.
- Test and procedure outputs: lab results, pathology reports, imaging reports and images when used for clinical decisions, and device downloads used in care.
- Treatment plans and orders: care plans, referrals, orders, and care coordination or Case Management Records used to guide treatment.
- Billing records used to make decisions about care or payment, including medical necessity justifications and prior authorization materials.
- Patient-generated data incorporated into care decisions, such as home monitoring logs or remote patient monitoring that informed treatment.
Health plan examples
- Health Plan Enrollment Records used to determine eligibility, coverage, and benefits.
- Claims and claims adjudication records, utilization management decisions, and explanations of benefits when used to decide coverage.
- Plan Case Management Records, disease management notes, and appeals/grievance determinations that influence benefit decisions.
Cross-cutting examples
- Electronic health record content and patient portals reflecting the same decision-making information.
- Secure messages or telehealth recordings when documented and relied upon for clinical or benefit decisions.
Records Excluded From Medical Records Under HIPAA
Some records are PHI yet excluded from the HIPAA medical record (DRS) because they do not drive decisions about an individual, or HIPAA treats them differently.
- Psychotherapy Notes maintained separately by a mental health professional.
- Legal Proceedings Documentation compiled for or in reasonable anticipation of a civil, criminal, or administrative action.
- Quality Assessment Records, peer review files, and internal performance improvement documents not used to make decisions about specific individuals.
- Business planning, development, and administrative records (e.g., budgeting, staffing) unrelated to individual decisions.
- Employment records held by a covered entity in its role as employer.
- De-identified data and data sets stripped of identifiers per HIPAA de-identification standards.
- Personal or “shadow” working notes and drafts kept for personal use and not shared for decision-making.
- Research records not used in treatment decisions for the individual participant.
HIPAA Compliance Requirements For Medical Records
Covered entities must identify and maintain a complete designated record set, keep it accurate, and make it accessible within HIPAA timeframes. You need policies describing what belongs in the DRS, how it is updated, and how to respond to access and amendment requests.
Use and disclosure must follow the Privacy Rule: apply the minimum necessary standard, obtain valid authorizations when required, and have Business Associate Agreements with vendors handling PHI. Psychotherapy Notes receive heightened protections and typically require individual authorization for most uses or disclosures.
Governance duties include workforce training, sanction policies, breach response procedures, and documentation retention of HIPAA-required policies and actions (generally six years). State medical record retention laws may require longer retention of the records themselves; HIPAA sets the floor, not the ceiling.
Interoperability and format matter: provide electronic copies when readily producible, enable directed disclosures to a third party at the patient’s request, and maintain a process to amend records while preserving prior entries and audit trails.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Access Rights To Medical Records Under HIPAA
You have the right to inspect or obtain a copy of your PHI in the designated record set, in the form and format you request if it is readily producible. You may direct a copy to a third party, and reasonable, cost-based fees may apply for labor, supplies, and postage.
Certain limits apply. A covered entity may deny access to excluded categories (for example, Psychotherapy Notes or information compiled for litigation) and, in narrow circumstances, when access could endanger life or physical safety. Denials must follow HIPAA procedures and explain review rights when applicable.
You also have the right to request amendments to correct inaccuracies. The entity must respond within HIPAA timelines, make corrections when appropriate, and attach statements of disagreement when amendments are denied.
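The amendment duties described above (keep prior entries, keep an audit trail, attach a statement of disagreement when an amendment is denied) map naturally onto an append-only, hash-chained history. The following is an added example and not code from the article or from Accountable; the record id, actor names and record text are constructed placeholders. Each version of a record is written as a new immutable entry whose digest covers the previous entry's digest, so the history can be checked for out-of-band modification.

```python
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
import hashlib
import json


@dataclass(frozen=True)
class Entry:
    """One immutable line of a record's history (constructed schema)."""
    version: int
    action: str        # "create", "amend", or "deny_amendment"
    content: str       # record text as of this version
    actor: str         # workforce member or patient who caused the entry
    note: str          # amendment request, denial reason, or statement of disagreement
    timestamp: str
    prev_digest: str   # digest of the preceding entry ("" for the first)
    digest: str        # SHA-256 over this entry's fields plus prev_digest


def _digest(fields: dict) -> str:
    # Canonical JSON (sorted keys) so the digest does not depend on field order.
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class RecordHistory:
    """Append-only history for one designated-record-set entry.

    Amendments never overwrite earlier versions; a denial adds an entry that
    keeps the current content and attaches the patient's statement of disagreement.
    """

    def __init__(self, record_id: str, content: str, actor: str):
        self.record_id = record_id
        self.entries: list[Entry] = []
        self._append("create", content, actor, "initial entry")

    def _append(self, action: str, content: str, actor: str, note: str) -> Entry:
        prev = self.entries[-1].digest if self.entries else ""
        fields = {
            "record_id": self.record_id,
            "version": len(self.entries) + 1,
            "action": action,
            "content": content,
            "actor": actor,
            "note": note,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "prev_digest": prev,
        }
        entry_fields = {k: v for k, v in fields.items() if k != "record_id"}
        entry = Entry(**entry_fields, digest=_digest(fields))
        self.entries.append(entry)
        return entry

    def amend(self, new_content: str, actor: str, request_note: str) -> Entry:
        return self._append("amend", new_content, actor, request_note)

    def deny_amendment(self, actor: str, reason: str, statement_of_disagreement: str) -> Entry:
        # Content is unchanged; the patient's statement stays attached to the record.
        note = f"denied: {reason} | statement of disagreement: {statement_of_disagreement}"
        return self._append("deny_amendment", self.current_content(), actor, note)

    def current_content(self) -> str:
        return self.entries[-1].content

    def verify(self) -> bool:
        """Recompute every digest and check the chain links; False on any alteration."""
        prev = ""
        for e in self.entries:
            fields = {**asdict(e), "record_id": self.record_id}
            del fields["digest"]
            if e.prev_digest != prev or _digest(fields) != e.digest:
                return False
            prev = e.digest
        return True


def detect_tampering() -> bool:
    """Constructed demo: alter a stored entry out of band and confirm verify() fails."""
    h = RecordHistory("rec-0001", "allergies: none documented", "clinician.example")
    h.amend("allergies: penicillin (rash)", "clinician.example", "patient-reported reaction")
    h.entries[0] = replace(h.entries[0], content="ALTERED")  # simulated unauthorized edit
    return not h.verify()
```

A real system would sign or anchor the latest digest (for example in a separate audit store) so that a party who controls the database cannot simply rebuild the whole chain; the in-process chain here only shows the structure that preserves prior entries and makes unlogged changes detectable.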
Privacy And Security Standards For Medical Records
Privacy standards govern permissible uses and disclosures, notices of privacy practices, patient rights, and the minimum necessary rule. They also require an accounting of certain disclosures and prompt breach notifications when unsecured PHI is compromised.
Security standards protect electronic PHI through risk analysis and administrative, physical, and technical safeguards. Core controls include access management, authentication, audit logging, integrity protections, transmission security, and contingency planning. Encryption, while addressable, is a widely adopted safeguard for data at rest and in transit.
Business associates must implement parallel safeguards and are directly liable for compliance. Covered entities should inventory data flows, evaluate vendor risks, and routinely test incident response and backup/restore capabilities to keep medical records confidential, available, and accurate.
Conclusion
In HIPAA terms, a “medical record” is the decision-making content of the designated record set. It includes clinical, billing, enrollment, and case management information used to decide about care or benefits and excludes Psychotherapy Notes, Legal Proceedings Documentation, and Quality Assessment Records. Knowing what is in and what is out helps you meet compliance duties and honor patient access rights while safeguarding PHI.
FAQs
What constitutes a medical record under HIPAA?
It is the portion of PHI in the designated record set that a covered entity uses to make decisions about an individual. For providers, that includes medical and billing records; for health plans, it includes enrollment, claims, payment, and case or medical management systems, plus any other records used to make decisions about members.
Are psychotherapy notes considered medical records under HIPAA?
No. Psychotherapy Notes kept separately are PHI but are excluded from the designated record set. They are not subject to the right of access, and most uses or disclosures require the patient’s written authorization. Mental health records other than psychotherapy notes (e.g., diagnoses, medications, treatment plans) typically are part of the medical record.
What types of records are excluded from HIPAA medical records?
Common exclusions include Psychotherapy Notes, Legal Proceedings Documentation compiled for or in anticipation of litigation, Quality Assessment Records and peer review files, business and employment records, de-identified data, personal working notes not used for decisions, and research records not relied upon for treatment decisions.
How does HIPAA regulate access to medical records?
HIPAA grants you the right to inspect or receive copies of PHI in the designated record set, in the requested format when feasible, and to direct copies to a third party. Covered entities must verify identity, respond within HIPAA timelines, allow amendments when appropriate, and may charge reasonable, cost-based fees. Limited, reviewable denials apply in specific circumstances.