3 min read

Why are designated record sets important to PHI?

Nancy Parode April 13, 2022

HIPAA compliance
Person holding a patient medical history form
Designated record sets are an important part of PHI.  The HIPAA Privacy Rule  guarantees the rights of individuals to see their protected health information (PHI) stored in designated record sets. In addition, the Department of Health and Human Services determined that patients have a Right of Access to their PHI within a designated record set.
 
Therefore, patients can get copies of their PHI from  covered entities and their business associates maintaining patient PHI under this right.
 

Which types of PHI are in designated record sets?

 

A designated record set is a grouping of information or items that includes PHI. A covered entity uses it to make decisions about individuals.  Examples include:
 
  • Medical records
  • Billing records
  • Payment records
  • Lab test results
  • Medical images (X-rays, for example)
  • Insurance information
  • Wellness program files
  • Disease management program files
  • Case management records
  • Health plan enrollment records
  • Information on medications prescribed for a patient

 

Is any PHI excluded from the Right of Access?

 

Yes. Covered entities are not required to provide access to the following  PHI categories:
 
  • A mental health provider's personal psychotherapy notes, which are, per accepted professional practice, stored separately from the patient's other PHI and used to document or analyze therapy sessions
  • Information prepared for use in current or possible future criminal, civil, or administrative proceedings or actions
  • When PHI is not part of a designated record set because covered entities do not make decisions about individuals based on  the following specific information:
    • Provider performance reviews
    • Business planning or management records
    • Peer review records
    • Quality assurance records

 

What information must a covered entity provide, and in what format?

 

The covered entity does not have to create new information about the requested PHI, such as explanations for the records. All that is required is the existing designated record set information. And patients must receive their documents within 30 days. 
 
Patients or their representatives can request electronic or paper copies by mail or email. Also, patients cannot be required to pick up copies in person. Emails containing PHI must be HIPAA compliant.

 

Can the covered entity charge a fee to copy and send the requested PHI?

 

Yes, however, the fee can only cover labor and materials to prepare the requested copies, including postage.

 

Are there any circumstances when a patient's Right of Access request can be denied?

 

Yes, but they are narrowly defined. A patient can appeal a decision and ask a licensed healthcare professional to review it. It is the responsibility of the covered entity to choose the reviewer.
 
However, the reviewer cannot have participated in the original decision to deny access. If the following situations are likely to occur by viewing the PHI then a request can be denied.
 
  • The patient's physical safety, life, or endangers another individual's physical safety or life.
  • The PHI can "cause substantial harm" to someone named in the PHI (excluding healthcare providers mentioned in the PHI).
  • Allowing the patient's personal representative access to the PHI can "cause substantial harm" to the patient or someone else.
 
Other grounds for denial are unreviewable.

 

The patient will not be able to access PHI with the following requests

 

  • Psychotherapy notes or for PHI used in, or in preparation for, a criminal, civil, or administrative legal proceeding.
  • Copies of PHI requested by an inmate which a correctional institution or a healthcare provider working under that institution's oversight holds, and possession of the copies will jeopardize the safety, health, custody, security, or rehabilitation of that inmate or other inmates or the safety of correctional institution employees or persons required to transport the inmate. The inmate will still be able to view their PHI.
  • A designated record set used in a current clinical trial. The patient voluntarily agreed to a temporary suspension of the Right of Access when the trial began. The Right of Access will be reinstated after the clinical trial in this scenario.
  • Records protected by the Privacy Act and the Privacy Act's stipulations require denial of the Right of Access.
  • Someone other than a healthcare provider promised confidentiality and obtained the PHI. And patient access to the PHI "would be reasonably likely to reveal" the information's source.

 

How can covered entities safely send copies of the designated record set PHI to patients?

 

As determined by HHS, mailing and emailing copies of PHI to individuals, although posing a security risk to the PHI while it is in transit, is an acceptable risk to the covered entity's computer systems. Therefore, it is permitted to mail and email copies of protected health information.

 

Protect PHI by using encrypted email

 

The safest way for covered entities to send PHI copies to patients who request them is via encrypted email. To ensure strong email security, encrypt your emails. Cybercriminals routinely access computer systems through email. In addition, modern healthcare organizations are bombarded with  phishing and ransomware attacks, making this more important than ever.  
 
With Paubox Email Suite, healthcare organizations can seamlessly encrypt all outbound email messages, including the ePHI copies that your patients request. Integrate existing email platforms such as Microsoft 365 and Google Workspace directly into Paubox without downtime for training.
 
No patient portal or third-party applications are required. It's that easy. And a familiar email with no extra steps makes life easy for your patients. In addition, any Right of Access requests sent with Paubox guarantee HIPAA compliance. Send requested  ePHI copies via encrypted email to ensure HIPAA compliance and give your patients an easy way to retain their PHI. 
 
Don't leave your organization at risk. It's easier than you think to put the leading and most robust email cybersecurity solution in place with Paubox. 
 
Try Paubox Email Suite for FREE today.
Start for free
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
hand writing on paper with stethoscope

What is the HIPAA right to amend?

Gugu Ntsele : July 18, 2023

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule gives individuals the right to request amendments to their protected...

HIPAA compliance
Read More
Microphone icon inside a protective shield with sound waves and glowing rings

Understanding HIPAA regulations for audio recording

Picture of Farah Amod Farah Amod : June 26, 2024

According to the HHS, “The rule does not require covered entities to tape or digitally record oral communications, nor retain digitally or...

HIPAA compliance
Read More
Finger pressing a blue send button on a keyboard

How Paubox can help with HIPAA Right of Access

Picture of Kapua Iao Kapua Iao : July 13, 2021

Did you know that Paubox can help with the HIPAA Right of Access Initiative? HIPAA (Health Insurance Portability and Accountability Act of 1996) is...

HIPAA compliant email Patient privacy
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.