Patient Record Requests: How Understanding the “Designated Record Set” Protects Your Small Practice (45 CFR § 164.501)

Executive Summary

For small healthcare practices, responding to patient requests for medical records is a frequent task that, if misunderstood, can lead to serious compliance issues. One of the most common pitfalls is providing either too much information or too little, exposing the practice to risks such as over-disclosure or denial-of-access complaints. The HIPAA Privacy Rule, specifically 45 CFR § 164.501, defines the “Designated Record Set” (DRS) as the set of records that patients have a right to access and amend. A clear understanding of what constitutes the DRS enables small practice owners to meet compliance requirements confidently, streamline operations, and maintain patient trust without disclosing inappropriate or extraneous information.

Introduction

As the healthcare industry embraces patient empowerment and information transparency, small practices are increasingly fielding requests from patients for access to their health records. While this reflects a positive shift toward collaborative care, it also raises questions for providers: What information must be shared? Are internal staff notes, emails, or appointment schedules included? What about billing or lab reports?

The answer lies in the definition of the “Designated Record Set” as outlined in 45 CFR § 164.501. This provision of the HIPAA Privacy Rule serves as a critical boundary between what must be disclosed and what can be rightfully excluded. For small practices, mastering this definition is essential not only to meet patient rights under HIPAA, but to protect the integrity of internal documentation, reduce administrative burden, and mitigate the risk of penalties.

Understanding the “Designated Record Set” (45 CFR § 164.501)

The term “Designated Record Set” (DRS) refers to a specific set of records that a healthcare provider maintains and uses to make decisions about an individual. Contrary to popular belief, the DRS is not simply every piece of information about a patient held by the practice.

The Legal Definition

Per 45 CFR § 164.501, a DRS is:

“A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider;
(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.”

In Plain Language:

The DRS includes:

  • Medical records and billing records you maintain.
  • Any records used to make decisions about a patient’s care or payment.
  • Information stored in electronic systems, paper files, or other formats, if it is used in clinical or administrative decision-making.

Common Examples of What Is Included

  • EHR data and paper charts.
  • Lab results and imaging reports.
  • Consultation and referral records.
  • Prescription records.
  • Progress notes and treatment plans.
  • Billing and payment histories.
  • Communication with other providers about the patient.

What Is Typically Excluded

  • Psychotherapy notes, as defined under HIPAA.
  • Quality assurance and peer review documents created solely for internal performance review.
  • Administrative records not used in patient decision-making (e.g., appointment logs, staffing schedules, internal emails).

Why the Designated Record Set Matters to Small Practices

  • Defines Patient Access Rights
    Patients have the right to inspect and obtain copies of the records in the DRS, and to request amendments to those records (see 45 CFR §§ 164.524 and 164.526). You are not required to provide access to records outside the DRS.
  • Prevents Over-Disclosure
    Accidentally disclosing peer review materials or psychotherapy notes can violate privacy rules. A firm understanding of the DRS helps your staff avoid these errors.
  • Streamlines Record Requests
    Knowing precisely what to include allows for faster processing and reduces confusion among staff.
  • Limits Amendment Obligations
    Patients only have the right to amend information within the DRS. Internal notes, opinions, or QA documents outside the DRS are not subject to amendment requests.
  • Guides Breach Risk Assessments
    Although any unsecured PHI may constitute a breach, understanding what falls within the DRS helps in assessing the direct impact on patient rights.
  • Helps Avoid Penalties
    Disclosing too much or too little can lead to HIPAA complaints or OCR investigations. Clear knowledge of the DRS protects your practice from inadvertent missteps.

Practical Steps to Define and Manage the DRS in Your Practice

Step 1: Identify Your Practice’s DRS

Action:
Conduct a review of all systems and files where patient data is stored. This includes:

  • EHR platforms.
  • Billing and practice management systems.
  • Paper records.
  • Lab and imaging portals.
  • External software used for care coordination.

Evaluation Criteria:
Ask: “Is this record used to make decisions about the individual’s care or payment?”
If yes, it’s part of the DRS.

Documentation:
Create a clear, written inventory of DRS sources and exclusions.

Pro Tip:
Involve multiple departments—clinical, administrative, and billing—for a comprehensive review.

Step 2: Establish Written Policies

Action:
Develop a formal policy that:

  • Defines your practice’s DRS.
  • Details procedures for responding to access and amendment requests.
  • Lists what types of records are and are not included.

Why It’s Critical:
Policies promote consistency and ensure that all staff understand the boundaries of disclosure.

Step 3: Train Staff

Action:
Provide training to all staff involved in handling patient records, especially front desk personnel, clinical staff, and billing administrators.

Training Topics:

  • What constitutes the DRS.
  • How to process access requests.
  • Timeframes for compliance (generally 30 days).
  • Proper use of secure transmission methods.

Step 4: Leverage EHR and Practice Management Tools

Action:
Configure your EHR to easily generate the DRS. Many systems have built-in templates to help export the appropriate data set.

Why It’s Critical:
Automation reduces the risk of omitting necessary data or including restricted information.

Step 5: Review Authorization Forms

Action:
Ensure your PHI disclosure authorization forms clearly identify what information will be released, and that this aligns with your DRS definitions.

Common Pitfalls and Expert Tips

Pitfalls to Avoid:

  • Over-inclusion: Sharing internal notes or documents not intended for patient access.
  • Under-inclusion: Withholding decision-making records based on mistaken assumptions.
  • Delayed Responses: Failing to meet the 30-day deadline for access requests.
  • Unreasonable Fees: Charging excessive fees for copies of medical records.
  • Poor Documentation: Not logging access requests and responses.

Expert Tips:

  • Prioritize Clarity: Be transparent with patients while adhering to the DRS.
  • Secure Delivery: Use patient portals or encrypted email; avoid standard email.
  • Consistency is Key: Use the same process for every request.
  • Review Regularly: Update your policies as technology and workflows evolve.
  • Separate Psychotherapy Notes: Keep these distinctly stored and governed by a separate policy.

Simplified DRS Patient Access Checklist

| Task | Responsible Party | Frequency | Notes |
|---|---|---|---|
| Inventory all systems containing patient data | Practice Administrator / IT | Initial / Annual | EHR, billing, labs, imaging |
| Determine which records are used to make decisions | Clinical Lead / Billing | Initial / Annual | Define DRS scope clearly |
| Document inclusions/exclusions | Practice Administrator | Initial / Updates | Keep policy on file |
| Train staff on DRS and request procedures | Practice Administrator | Initial / Annual | Include HIPAA refresher |
| Provide patients with request instructions | Front Desk / Admin | Ongoing | Website and intake forms |
| Log each request upon receipt | Front Desk | Per Request | Start 30-day timeline |
| Verify identity before release | Admin / Clinical | Per Request | Use two-factor authentication if possible |
| Extract and review DRS records | Admin / Clinical | Per Request | Use EHR export tools |
| Use secure delivery methods | Admin / IT | Per Request | Patient portal or encrypted USB |
| Document fulfillment or denial | Admin | Per Request | Include format, method, and date |

Regulatory References and Official Guidance

Concluding Recommendations and Next Steps

Understanding and correctly applying the definition of the “Designated Record Set” under 45 CFR § 164.501 is foundational to HIPAA compliance. It empowers your practice to fulfill patient rights confidently while protecting internal documentation and avoiding costly mistakes.

Start by identifying what’s in your DRS. Then, document your process, train your team, and configure your technology to streamline access requests. A thoughtful, standardized approach ensures regulatory compliance and strengthens patient relationships through transparency and professionalism.

As technology and expectations evolve, revisit your policies regularly and consider adopting a compliance management system to centralize record tracking, automate workflows, and maintain peace of mind. With a well-defined DRS and a clear response process, your small practice can navigate HIPAA requirements efficiently and responsibly.
