HIPAA has been around since 1996, and the guidance inside has been updated and amended (albeit slowly) to attempt to keep up with the fast-paced digital era. But understanding and interpreting HIPAA never seems to get easier for healthcare organizations. So when given the opportunity to delve into a specific HIPAA challenge, HealthMark CEO and AHIOS president Bart Howe thoughtfully outlined the importance, and challenge, of the designated record set in the Fall Issue of For the Record Magazine; “HIPAA Challenges: The Increasing Importance of a Clearly Defined Designated Record Set.”
Regulatory guidance is just that – guidance. It’s rare for a regulation to spell out exactly what to do and how to do it, and HIPAA’s designated record set is no exception. So, let’s take a closer look at the guidance we do have from HIPAA on the designated record set, then I’ll share some recommendations to help you ensure that you have your designated record set policy clearly defined. We will wrap up with a few other regulations you’re going to want to keep an eye on since all this stuff tends to be interconnected (and if you analyze it long enough, all roads usually lead back to HIPAA.)
HIPAA Guidance on the Designated Record Set
The designated record set refers to a defined collection of records that are maintained by or for a healthcare provider (i.e. covered entity as defined in HIPAA). Before we dive into legal-infested waters, let’s start at the high-level.
What qualifies for inclusion as part of the designated record set?
- Patient data input by your organization
- Patient data transmitted to your EMR from another provider
- Patient data you can access from your EMR
- Patient data housed and maintained by your EMR