DHHS POLICIES AND PROCEDURES

___________________________________________________________________________________________________________________

Section VIII:	Privacy and Security
Title:	Privacy Manual
Chapter:	Client Rights Policies, Designated Record Sets
Current Effective Date:	5/1/05
Revision History:	4/14/03
Original Effective Date:	4/14/03

___________________________________________________________________________________________________________________

Purpose

The purpose of this policy is to provide criteria for identifying categories of records that will become Designated Record Sets.

The North Carolina Department of Health and Human Services (NC DHHS) agencies that are covered health care components and/or internal business associates must comply with this policy.

Background

Allowing clients the right to access and amend their personal health information facilitates an open and cooperative relationship between clients, their health care providers, and health plans and provides clients the opportunity to know what health information may be used to make decisions about them.

The client's right to request access, amendment, and copies of his/her personal health information is limited to that information that is maintained in Designated Record Sets, as determined by each agency.

DHHS agencies are not required to allow clients access to Designated Record Sets if a licensed health care professional determines that access to such information would not be in the best interest of the client or another individual, and such determination is documented.

DHHS agencies are not required to amend, at a client's request, any information in a record that the agency knows to be true and accurate.

Policy

DHHS agencies shall identify categories of records maintained, collected, used, or disseminated by the agency that contain individually identifiable health information including medical records and billing records maintained by health care providers, specified records maintained by health plans and other records used in making decisions about clients.

Such records shall be termed "Designated Record Sets" and shall be considered the only personal health information records to which clients have a right to request access, amendment, and copies.

Designated Record Sets

A Designated Record Set is a description of health and/or business information that can be maintained in one or many areas within an agency.

The term record means any item, collection, or grouping of information that includes information (including individually identifiable health information) and is maintained, collected, used, or disseminated by or for a health plan or health care provider.

Designated Record Sets are maintained by or for a health plan or health care provider and include:

• Medical records and billing records of individual clients, maintained by or for a covered health care provider;
• Employee health records that are maintained separately from personnel records;
• The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
• Categories of records that are used, in whole or in part, to make decisions about clients.

External Business Associate Records

Records created and/or maintained by an External Business Associate for services rendered to a DHHS agency must be considered when evaluating documentation for Designated Record Sets.

It is the responsibility of each DHHS agency to ensure that a Business Associate Agreement is in place when required.

Health information specifically created and/or maintained by External Business Associates, when acting on behalf of a DHHS agency, is subject to the client rights provisions to request access to or amendment of such information in accordance with the Business Associate Agreement. Copies of information that are also maintained by a health care provider or health care plan should not be included in the Business Associate's Designated Record Set.

Internal Business Associate Records

Internal Business Associates who maintain individually identifiable health information are subject to the requirements of this policy in identifying Designated Record Sets. This is accomplished by joint agreement of the DHHS agency and its Internal Business Associate(s).

Implementation

Evaluation of Documentation

A process must be developed to evaluate the documentation maintained by the agency to determine those groups of records that should be categorized as Designated Record Sets. The defined process should ensure that the following information is gathered about the evaluated records:

• Documentation type (e.g., medical record)
• Basic content (e.g., assessments, reports, examinations)
• Location of the documentation (e.g., Medical Record Department)
• Contact person (e.g., agency privacy official)
• Paper/electronic documentation (e.g., paper)
• Documentation contains individually identifiable information (e.g., yes)
• Documentation is used to make decisions about the client (e.g., yes)

Categorizing Designated Record Sets

The first step in the implementation of Designated Record Sets that are to be made available to clients is to identify and assess those health information records within the agency that may be classified as a Designated Record Set.

Identifying categories of Designated Record Sets requires an assessment of all documentation to determine which records should be included or excluded before further consideration is given to the categories to be classified as Designated Record Sets.

1. Inclusions
   Documentation requirements must be assessed in order to identify those records that meet the intent of this policy. Health information in all types of media (e.g., paper, oral, video, electronic, film, digital) must be considered. Minimally, the following categories of records should be considered Designated Record Sets:
1. Medical Records
1. Identify what constitutes the medical records in your agency (e.g., paper records stored in medical record folders maintained in the Health Information Management Department; active medical records utilized by health care staff prior to client discharge).


2. If the agency uses an electronic medical record for all or parts of the medical record, specify if the Designated Record Set is the automated system or a copy produced from the automated system.


3. Specify if copies of records from other health care providers will be included as part of the Medical Record Designated Record Set.
   
   Copies may be included as part of the Designated Record Set for access only; clients may be required to go to the source of the information to request amendments.
2. Business Records
   Specify if the Designated Record Set is an automated system or a hard copy report produced by an automated system for the following:
1. Eligibility information maintained by health plans


2. Enrollment records maintained by health plans


3. Claims records submitted to or received from health plans


4. Remittance Advices and records of payments


5. Patient Statements


6. Claims adjudication records


7. Case or medical management records maintained by health plans
3. Other records used by health plans and health care providers to make decisions about individuals. For example, documentation such as raw test data and laboratory reports maintained by various programs in the agency are considered "working records" and should be evaluated as to the benefit to clients to request access and amendment. Reports developed from working records that are filed in the medical record should be evaluated with the medical record as a whole and not as separate documentation. Examples of working records may include:
1. Raw test data from psychological tests


2. Audio tapes (e.g., dictation tapes, taped sessions with clients/family that would not be considered psychotherapy notes)


3. Psychotherapy notes


4. Videos/photographs of clients used for teaching purposes


5. Telemedicine


6. Coding worksheets


7. Utilization review worksheets


8. X-ray film


9. Working notes summarized and dictated into the client record
2. Exclusions
1. Health information that is not used to make decisions about individuals should not be included in a Designated Record Set. Such information may be found in many types of records that include significant information not relevant to the client, as well as information about other persons.



2. Some records (e.g., administrative records, oversight records) that are maintained by the agency require independent evaluation to determine whether or not they should be considered a Designated Record Set, such as:
1. Quality Improvement records


2. Risk Management records (including Incident Reports)


3. Copies of reports/documentation/forms already designated


4. Cancer Registry information


5. Research documentation


6. Education records governed by Family Educational Rights Privacy Act (FERPA)

Documentation of Designated Record Sets

Documentation must be maintained that supports the agency's assessment of its records for determination of its Designated Record Sets. Documentation may be maintained electronically or on paper.

Such information must be kept current and available for reference should a client request access to his/her health information, including comments that identify any information included in a Designated Record Set that the client would not have a right of access, amendment, or copies.

Documentation requirements must be maintained for a period of at least six (6) years.

Reference:

DHHS Directive Number III-11; 45CFR 164-524; 45CFR 164-526

For questions or clarification on any of the information contained in this policy, please contact DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.