Which HIPAA Rule Covers Records Management? The Privacy Rule Explained
HIPAA Privacy Rule Overview
The HIPAA Privacy Rule is the primary rule that governs records management because it dictates how protected health information (PHI) is created, used, disclosed, and made available to individuals. It applies to PHI in any format—paper, electronic, or oral—and sets the boundaries for Patient Access Rights and permissible disclosures.
For Covered Entity Compliance, the Privacy Rule requires you to maintain Privacy Policy Documentation, train your workforce, manage authorizations and requests, and respond to access and amendment requests tied to the Designated Record Set. The Security Rule complements this by protecting electronic PHI, but the Privacy Rule is what tells you which records you must manage and how you may use or share them.
Definition of Designated Record Set
The Designated Record Set (DRS) is the core records universe you must manage under the Privacy Rule. It includes the records you maintain that are used, in whole or in part, to make decisions about an individual, not just your electronic health record. Because Patient Access Rights attach to the DRS, defining it correctly is essential to compliance.
What the Designated Record Set typically includes
- Medical and billing records you maintain about a patient, including clinician notes, test results, imaging, and encounter documentation.
- For health plans: enrollment, payment, claims adjudication, and case or medical management records.
- Any other records you use to make decisions about individuals, such as care plans, correspondence that informs treatment, or utilization review determinations.
What is not in the Designated Record Set
- Excluded Records such as psychotherapy notes and information compiled in reasonable anticipation of legal proceedings.
- Administrative or business records not used to make decisions about individuals (for example, business planning, quality improvement files that do not drive individual-level decisions, or system logs).
- Duplicate copies kept solely for convenience.
Documenting your DRS scope helps standardize responses to access and amendment requests and strengthens Covered Entity Compliance.
Record Retention Requirements
HIPAA’s Privacy Rule sets a clear Record Retention baseline for HIPAA-required documentation: you must retain required Privacy Policy Documentation and related records for at least six years from the date of creation or the date last in effect, whichever is later. This retention duty is separate from how long you keep clinical records under state law.
HIPAA-required documentation you should retain
- Privacy policies and procedures, including your Designated Record Set definitions and workflows.
- Notices of Privacy Practices, authorization forms, access/amendment/accounting request records, and responses.
- Workforce training materials and completion records, sanctions, and complaint investigations with dispositions.
- Business associate agreements and other documentation demonstrating Covered Entity Compliance activities.
HIPAA does not prescribe a single nationwide retention period for medical charts themselves. For clinical records, follow state record retention laws and any applicable program rules (for example, Medicare) that may require longer periods, especially for minors or high-risk services. Many organizations harmonize these requirements into a written schedule so retention, storage, and secure destruction are consistent.
Exclusions from Record Access
Patient Access Rights are broad, but the Privacy Rule excludes certain materials and allows limited denials. Your first step is to determine whether the requested information is part of the Designated Record Set; if not, it is outside the access right.
Content that is excluded
- Psychotherapy notes kept separately from the medical record.
- Information compiled in reasonable anticipation of, or for use in, a legal action or proceeding.
- Records not used to make decisions about the individual (for example, some peer review or business planning files).
When access may be denied or limited
- If a licensed professional determines that access is reasonably likely to endanger the life or physical safety of the individual or another person (in many cases, a denial the individual has the right to have reviewed).
- If the record includes information about another person and disclosure would cause substantial harm, or if a personal representative’s access would cause harm to the individual.
When only part of a record is excluded or meets a denial criterion, provide the remainder. Explain the basis for any denial and how the individual can exercise review rights or complaint options. These steps demonstrate transparent, patient-centered compliance.
Management of Oral Information
Oral information is PHI when it identifies an individual and relates to health, care, or payment. The Privacy Rule therefore covers spoken communications—from hallway conversations to phone calls—alongside written and electronic records. Reasonable safeguards and the minimum necessary standard (for non-treatment purposes) apply to how you discuss PHI.
Practical safeguards for everyday operations
- Hold sensitive discussions in private areas; speak quietly in semipublic spaces and avoid using full identifiers when not necessary.
- Verify identity before discussing PHI by phone or in person, especially when family or caregivers are present.
- Use callback numbers and secure voicemail practices; avoid leaving detailed PHI in messages unless expressly permitted.
- Train staff on scripts and scenarios so routine communications balance efficiency with confidentiality.
When oral information is documented and used to make decisions about the patient, it becomes part of the Designated Record Set and is subject to Patient Access Rights. Your Privacy Policy Documentation should explain how staff manage oral disclosures, incidental disclosures, and documentation practices.
Conclusion
The HIPAA Privacy Rule is the anchor for records management: it defines the Designated Record Set, frames Patient Access Rights and exclusions, and sets six-year Record Retention for HIPAA-required documentation. By clarifying your DRS, aligning retention with state requirements, and safeguarding oral communications, you create a coherent, defensible compliance program.
FAQs
What is the designated record set under HIPAA?
The Designated Record Set is the group of records you maintain that are used, in whole or in part, to make decisions about an individual. It includes medical and billing records for providers, certain administrative record systems for health plans, and any other decision-making records about the person.
How long must covered entities retain HIPAA records?
You must retain HIPAA-required documentation—such as Privacy Policy Documentation, notices, authorizations, training, complaints, sanctions, and business associate agreements—for at least six years from creation or last effective date. HIPAA does not set a single nationwide retention period for clinical medical records; follow state and program requirements for those.
Are psychotherapy notes included in HIPAA record access?
No. Psychotherapy notes kept separate from the medical record are excluded from the right of access. Other mental health records that are part of the Designated Record Set—such as medication lists, diagnosis, and treatment plans—remain accessible.
Does HIPAA cover oral information in records?
Yes. Oral PHI is protected by the Privacy Rule, and you must use reasonable safeguards when discussing it. If oral information is documented and used to make decisions about the individual, it becomes part of the Designated Record Set and is subject to access rights.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.