HIPAA Designated Record Set
|Title||HIPAA Designated Record Set|
|Sub-category||Health Affairs Matters - General|
Effective: September 19, 2013
Revised: January 8, 2004; October 8, 2010; September 18, 2013
Transitioned from Interim to Permanent: July 17, 2014.
"Modification to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule," 78 Federal Register 17 (25 January 2013), pp. 5566-5702.
1.1. East Carolina University's Health Care Components ("ECU's Health Care Components") have a legal duty to accommodate individuals' right to inspect, obtain a copy of, and request amendments to protected health information ("PHI") about themselves that is maintained in a Designated Record Set. The purpose of this regulation is to define the Records that comprise the Designated Record Sets for ECU's Health Care Components.
2.1. Access means the individual's right to inspect and obtain a copy of their PHI.
2.2. Designated Record Set means a group of Records maintained by or for an ECU Health Care Component that is:
2.2.1. The medical and billing Records about an individual;
2.2.2. The enrollment, payment, claims adjudication and case or medical management record systems; or
2.2.3. Used, in part or in whole, by an ECU Health Care Component to make decisions about the individual.
2.3. Protected Health Information means:
2.3.1. Individually identifiable information, that is a subset of health information, including demographic information collected from an individual, and:
22.214.171.124. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
126.96.36.199. Relates to the past, present, or future physical or mental health or condition of a subject; the provision of health care to a subject, or the past, present, or future payment for the provision of health to a subject; and
188.8.131.52.1. That identifies the subject; or
184.108.40.206.2. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
2.3.2. PHI can be:
220.127.116.11. Transmitted by electronic media;
18.104.22.168. Maintained in electronic media; or
22.214.171.124. Transmitted or maintained in any other form or medium.
2.3.3. PHI excludes individually identifiable information that is:
126.96.36.199. In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
188.8.131.52. In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
184.108.40.206. In employment records held by a covered entity in its role as employer; and
220.127.116.11. Regarding a person who has been deceased for more than 50 years.
2.4. Record means any item, collection, or grouping of information that includes PHI that is maintained, collected, used or disseminated by or for an ECU Health Care Component.
3.1. It is the policy of ECU to ensure that its Health Care Components have a defined Designated Record Set in order to allow individuals Access and to request amendments to their PHI maintained in these Designated Record Sets.
3.2. ECU's Health Care Components create or receive PHI that is incorporated into a Designated Record Set to be used jointly across multiple sections/clinics within the Component or across multiple ECU Health Care Components if feasible.
3.3. ECU Health Care Components classifies their Designated Record Sets as follows:
3.3.1. Medical Record, in any medium, includes:
18.104.22.168. Documentation by health care professionals while providing patient care services, for reviewing patient data, research or clinical trials, and documenting observations, actions, or instructions.
22.214.171.124.1. Examples of these documents include but are not limited to: care plans, progress notes, consents, consultation reports, immunization records, medication orders, nursing assessments, patient submitted documents, telephone consultations, lab orders/reports, etc.
126.96.36.199. Auxiliary or working Records maintained outside/independent of the Designated Record Set that are collected or directly used for documenting healthcare, health status, or decision making related to the provision of health care.
188.8.131.52.1. Examples may include paper medical records, databases, or systems, that have duplicative information from the Designated Record Set but contain new or original documents or documentation.
184.108.40.206. Documents received from other institutions that are incorporated into a Component's Designated Record Set.
3.3.2. Billing Record, in any medium, includes:
220.127.116.11. Enrollment, payment, claims, and adjudication of health care services provided to an individual.
3.4. The following will not be considered part of the Designated Record Set for any ECU Health Care Component:
3.4.1. Duplicate or "shadow" Records that contain only copies of information otherwise located in the Designated Record Set. These records contain no new or original documents or documentation.
18.104.22.168. Duplicate or "shadow" Records are only allowed upon approval from the designated custodian of the Designated Record Set for each ECU Health Care Component.
3.4.2. Psychotherapy Notes
3.4.3. Quality Improvement Records
3.4.4. Risk Management Records and certain other records created as part of health care operations, e.g., auditing functions, business management, compliance efforts.
3.4.5. Appointment Schedules
3.4.6. CDs, raw test data, images in various electronic medium, etc. that are maintained but result in some form of interpretive results being incorporated into the Component's Designated Record Set.
3.4.7. Records compiled in reasonable anticipation of, or for use in a civil, criminal, or internal/external administrative action or proceeding, i.e., incident reports.
3.4.8. Records maintained that are subject to the Clinical Laboratory Improvement Act (CLIA), 42 USC 263a, to the extent that CLIA would prohibit individual access.
3.4.9. Records exempt from CLIA, 42 CFR 493.3(a)(2). This includes testing for forensic purposes, labs that test human specimens but do not report patient specific results, and lab testing that is certified by the National Institute on Drug Abuse (NIDA) and meets the NIDA guidelines and regulations.
3.4.10. Complaints, attorney-client communications, compliance committee records and departmental logs.