Organizations may receive a records request from a patient that asks for ALL information/the entire record. Medical records fulfillment personnel may wonder what should be included when a patient requests “ALL” information. The Office for Civil Rights (OCR) provides guidance regarding the patient right of access, the designated record set, and the definition of protected health information (PHI).
Protected Health Information (PHI)
The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information (PHI). PHI is information, including demographic information, which relates to:
- the individual’s past, present, or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
PHI includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above. For example, a medical record, laboratory report, or hospital bill would be PHI because each document would contain a patient’s name and/or other identifying information associated with health data/content.
By contrast, a health plan report that only noted the average age of health plan members was 45 years would not be PHI because that information, although developed by aggregating information from individual plan member records, does not identify any individual plan members and there is no reasonable basis to believe that it could be used to identify an individual.
The relationship with health information is the important piece to remember. Identifying information alone, such as personal names, addresses, or phone numbers, would not necessarily be designated as PHI. For instance, if such information was reported as part of a publicly accessible data source, such as a phone book, then this information would not be PHI because it is not related to health data (see above). If such information was listed with health condition, health care provision, or payment data, such as an indication that the individual was treated at a certain clinic, then this information would be PHI.
An enforcement example helps to shed light on what is considered PHI. A health system sent the wrong bills to a large number of patients, but reported the breach as affecting only a handful of patients, because most of the bills had only the names, dates of service, account numbers and amounts. The OCR explained that because the dates of service and account numbers were linked to demographic information, the information breached was indeed PHI, and was reportable.
The Designated Record Set
Individuals have a right to access PHI in a “designated record set.” A “designated record set” is defined as a group of records maintained by or for a covered entity that comprises the:
- Medical records and billing records about individuals maintained by or for a covered health care provider;
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.
The term “record” means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity. Thus, individuals have a right to a broad array of information about themselves maintained by or for covered entities, including:
- medical, billing and payment records;
- insurance information;
- clinical laboratory test results;
- medical images, such as X-rays;
- wellness and disease management program files; and
- clinical case notes,
among other information used to make decisions about individuals.
In responding to a request for access, a covered entity is not required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.
You may store information about patients in different locations or systems. Patients have the right of access to all information that qualifies as PHI and falls into the designated record set, regardless of its storage location. Many practices have separate practice management and EMR systems, but if patients request ALL of their information, you would include information from both systems, because the designated record set includes both billing and clinical records.
Phone notes, although not specifically addressed in the information above, should be included in a records request, because they often contain clinical/treatment information. For example, a patient may call and describe symptoms, request a referral, or ask about prescription dosage, frequency, etc.