Fundamentals of the Legal Health Record and Designated Record Set

Fundamentals of the Legal Health Record and Designated Record Set

Throughout this brief, sentences marked with the † symbol indicate AHIMA best practices in health information management. These practices are collected in the new AHIMA Compendium, offering health information management professionals "just in time" guidance as they research and address practice challenges.

For years healthcare organizations have struggled to define their legal health records and align them with the designated record set required by the HIPAA privacy rule. Questions often arise about the differences between the two sets because both identify information that must be disclosed upon request.

The expanding scope of health records adds to the challenge of defining and compiling these record sets. An individual's record can consist of a facility's record, outpatient diagnostic test results or therapies, pharmacy records, physician records, other care providers' records, and the patient's own personal health record. Administrative and financial documents and data may be intermingled with clinical data.

In addition, the type of media on which information is recorded is also expanding. Source records may include diagnostic images, video, voice files, and e-mail. The organization must determine which of these data elements, electronic-structured documents, images, audio files, and video files to include.

The emergence of electronic health records (EHRs) also is complicating organizational efforts to define and disclose information. Information in EHRs is often stored in multiple systems, inhibiting the ability to succinctly pull together the record for either the legal health record or the designated record set.

These input systems may include laboratory information, pharmacy information, picture archiving and communications, cardiology information, results reporting, computerized provider order entry, nurse care planning, transcription, document imaging, and fetal trace monitoring systems, as well as a myriad of home-grown or individual clinical department systems.

However, the same criteria that organizations used to determine what paper records to retain and include in their legal health records and designated record sets can be applied to electronic records. Questions organizations must ask include:

What information can be stored long term?
What is clinically useful long term?
What is the cost of storage?
How can the organization effectively and succinctly assemble the EHR for long-term use?

This practice brief compiles and updates guidance from four previously published practice briefs to provide an overview of the purposes of the designated record set and the legal health record and helps organizations identify what information to include in each. It also provides guidelines for disclosing health records from the sets. The four original practice briefs are listed in the "Sources" section at the end of this practice brief.

Defining the Legal Health Record and Designated Record Set

There is no one-size-fits-all definition for the legal health record and designated record set. The healthcare organization must explicitly define both in a multidisciplinary team approach. Medical staff, for example, should provide guidance to ensure that patient care needs will be met for immediate, long-term, and research uses.^†

In addition, organizations should consider the capabilities of their electronic systems, both immediate and long term. Additional considerations include ease of access to different components of patient care information and guidance from the organization's legal counsel considering community standards of care, federal regulations, state laws and regulations, standards of accrediting agencies, and the requirements of third-party payers.

Organizations should follow the following common principles when defining their legal health record and designated record set.

Legal Health Record Definition and Role

The legal health record serves to identify what information constitutes the official business record of an organization for evidentiary purposes. The legal health record is a subset of the entire patient database. The elements that constitute an organization's legal health record vary depending on how the organization defines it.

The legal health record is the documentation of healthcare services provided to an individual during any aspect of healthcare delivery in any type of healthcare organization. An organization's legal health record definition must explicitly identify the sources, medium, and location of the individually identifiable data that it includes (i.e., the data collected and directly used in documenting healthcare or health status).^† The documentation that comprises the legal health record may physically exist in separate and multiple paper-based or electronic systems.

The legal health record serves to:

Support the decisions made in a patient's care
Support the revenue sought from third-party payers
Document the services provided as legal testimony regarding the patient's illness or injury, response to treatment, and caregiver decisions
Serve as the organization's business and legal record

The legal health record is typically used when responding to formal requests for information for evidentiary purposes. It does not affect the discoverability of other information held by the organization.

When defining the legal health record, healthcare organizations should consider:^†

The available functions in the EHR system that may generate relevant information. For example, does the EHR have clinical decision support, digital image import, or patient portals? Will information sent to or by the patient through the portal be inserted into the record and considered part of the legal record?
The storage capacity and cost for the required retention period of the health record. For example, what is the cost and storage capacity for WAVE files, transcribed records, and scanned documents or images?
The data's importance for long-term use. For example, organizations should define how to differentiate between different types of raw data. Some source documentation for test results, whether digital or paper, generally is considered useful only for short-term use (e.g., EEG tracings).
Whether the EHR system is able to provide both readable electronic and paper copies of all components of the legal health record.

Designated Record Set Definition and Role

The HIPAA privacy rule defines the designated record set as a group of records maintained by or for a covered entity that may include patient medical and billing records; the enrollment, payment, claims, adjudication, and cases or medical management record systems maintained by or for a health plan; or information used in whole or in part to make care-related decisions.

The designated record set also contains individually identifiable data stored on any medium and collected and directly used in documenting healthcare or health status. It includes clinical data such as WAVE files, images (e.g., x-rays), and billing information.

The designated record set is generally broader than the legal health record because it addresses all protected health information. While the legal health record is generally the information used by the patient care team to make decisions about the treatment of a patient, the designated record set contains protected health information along with business information unrelated to patient care.

Organizations must define the types of documentation that comprise the designated record set and identify where the records physically exist, such as in separate and multiple paper-based or electronic systems.^†

Under HIPAA, the designated record set is used to clarify the rights of individuals to access, amend, restrict, and acquire an accounting of disclosures. Individuals have the right to inspect and obtain a copy, request amendments, and set restrictions and accountings of medical and billing information used to make decisions about their care.

Guidance for Defining Record Sets

The challenge for HIM professionals in defining the legal health record or designated record set is to determine which data elements, electronic-structured documents, images, audio files, and video files to include. The primary consideration in defining the legal health record and designated record set must always be the needs for immediate and long-term patient care. An HIM committee comprised primarily of patient care team members can guide this process. Members of this committee should make the decision on what information is clinically meaningful.^†

1. Identify Relevant Regulations, Standards, and Laws

Based on the committee's clinical direction, the first step in defining the legal health record and designated record set is to determine what legal entities enforce relevant regulations, guidelines, standards, or laws on health records. Although these entities may have defined a legal record in paper terms (e.g., requiring a medication sheet rather than an electronic medication administration record), their definitions must become the basis for the organization's legal health record definition.

2. Determine Records Created in the Course of Business

The second step is to determine whether the records are created in the provider or entity's ordinary course of business. Source-system or raw data are the data from which interpretations, summaries, and notes are derived. They may be designated part of the legal health record, whether or not they are integrated into a single system or maintained as part of the source system.

Records from source systems may be considered part of the legal health record based on the content of the source system's record. Historically, reports or findings upon which clinical decision making is based are parts of the legal health record. For example, the written result of a test such as an x-ray, an ECG, or other similar procedures are always part of the record, whether these reports are integrated into a single system or part of a source system.

Working notes used by a provider to complete a final report are not considered part of the health record unless they are made available to others providing patient care. However, documents that are kept in a separate system (such as notes from a particular area of specialty that are kept separately but are treatment records) are always considered part of the health record.

The determining factor in whether information is to be considered part of the legal health record is not where it resides or the format it takes, but rather how it is used and whether it may be reasonably expected to be routinely released when a request for a complete medical record is received.

Uses of the information for business and legal purposes are usually, but not always, drawn from the legal health record. The most notable exceptions are those disclosures made for purposes of discovery or e-discovery in which any information requested under the court order must be provided.

Several states have laws or regulations that spell out the requirements and conditions under which health information from another healthcare organization or provider must be redisclosed. In the absence of more stringent state law, the HIPAA privacy rule prevails. However, because any medical or billing information that was used to make decisions about the individual is included as part of the designated record set under the HIPAA privacy rule, information must be disclosed or redisclosed if requested by the individual to whom it pertains, regardless of whether the information is external or internal.

3. Address Retention Requirements

The third step in determining the legal health record is ensuring that components are retained appropriately. Storing EHR components in disparate systems can cause problems. HIM professionals must identify and collaborate with IT professionals and system owners to define retention policies and practices. Without adequate retention of the EHR, compiling the complete record for release could be impossible.

A tool such as a matrix is critical for tracking the paper and electronic portions of the health record. As records are transitioned from paper to electronic, dates should be documented to provide a guide for staff when retrieving the patient's health information. (A sample matrix is provided in Appendix A, "Health Record Matrix.")

4. Consider How Data Would Be Produced

The fourth step in defining the legal health record and designated record set is to determine how information may be appropriately released. While it is easy to declare something such as an EKG WAVE file as part of the legal health record or designated record set, the organization must consider how it will be reproduced.

Questions to ask include if the source system can print or download to a CD, how it will be accessed by the requester, and if it will be in an understandable format. Components of the legal health record and designated record set must be reproducible in an accessible format. See appendix B for a comparison of the legal health record versus the designated record set.

5. Classify External Records

The fifth step is determining how to classify external records received by the organization. Some state laws address how to classify external records; however, in the absence of state law, the organization must determine if external records will be a part of the health record.

There is a school of thought that these external records cannot and should not become part of the legal health record because of the inability to attest to how they were originally created. To include them as part of the legal health record may result in implied liability for any inaccuracies the external records contain.

The opposing view is that if the external records were relied upon to make care decisions they should be included as part of the legal record. In addition, the College of American Pathologists requires that the laboratory director be involved with the decision on what lab results should be included in the EHR.

However, including external records as part of the designated record set and making them available in all appropriate disclosures, including disclosures in response to a subpoena, may accomplish the same purpose. The organization's legal counsel should be consulted prior to determining policy regarding the inclusion of external records as part of the legal health record.

Ultimately, the admissibility of the requested information in court is not the concern of the party producing the information. Compliance with the terms of the subpoena or order is required.

Additional Elements and Functions to Consider

As technology continues to evolve, other features will need to be evaluated and reflected in the legal health record and designated record set policies. Consideration needs to be given to documents that are not yet complete or in interim/pending status. Functions such as clinical decision support triggers and annotations need to be considered as well. Appendix C [...] lists the features and functions that should be evaluated when creating the policy for the organization's designated record set and legal health record.

Equally as important, organizations need to identify information that is not in the legal health record or designated record set. Data such as audit trails, metadata, and psychotherapy notes are not included in the definitions for these record sets. See appendix D for a sample list of items outside the legal health record and designated record set.

Other Federal Laws and Regulations

In addition to the HIPAA privacy rule, other federal laws and regulations give individuals the right to access their health information. Organizations must meet these obligations, as well as protect the confidentiality of patient records by ensuring they are released to or accessed by authorized individuals only.

The Privacy Act of 1974, like the HIPAA privacy rule, gives individuals the right to access and request amendments to their records. The act defines a record as "any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph."¹

The Medicare Conditions of Participation for state long-term care facilities state that the resident or his or her legal representative has the right to access "all records pertaining to himself or herself" including current clinical records.² In addition to clinical records, the term "records" includes all records pertaining to the resident, such as trust fund ledgers pertinent to the resident and contracts between the resident and the facility.³

The Confidentiality of Alcohol and Drug Abuse Patient Records regulation allows federally subsidized alcohol and drug abuse programs to give patients access to their own records, including the opportunity to inspect and copy any records that the program maintains about the patient. The regulation defines records as "any information, whether recorded or not, relating to a patient received or acquired by a federally assisted alcohol or drug program."⁴

The Occupational Safety and Health Administration requires employers document certain employee injuries, including medical care provided in relation to those injuries. Employees and their designated representatives generally have access to such injury reports and related health records.⁵

The HIPAA privacy rule clearly indicates its intent is not to preempt other federal laws and regulations. Therefore, if an individual's rights of access are greater under another federal law, the individual should be afforded the greater access.

State Laws

Many states have laws or regulations that give individuals the right to their health information. Some state laws may define health information more broadly than the privacy rule. Some states may not limit access and amendment to PHI in a designated record set. When state laws or regulations afford individuals greater rights of access, the covered entity must adhere to state law.

Notes

Privacy Act of 1974. 5 USC, Section 552A. Available online at www.justice.gov/opcl/privstat.htm.
Centers for Medicare and Medicaid Services. "Part 483-Requirements for States and Long Term Care Facilities." Title 42-Public Health. Chapter IV. Available online at www.access.gpo.gov/nara/cfr/waisidx_01/42cfr483_01.html.
Centers for Medicare and Medicaid Services. "State Operations Manual: Appendix PP-Guidance to Surveyors for Long Term Care Facilities." Revised December 2, 2009. Available online at http://cms.gov/manuals/Downloads/som107ap_pp_guidelines_ltcf.pdf.
"Confidentiality of Alcohol and Drug Abuse Patient Records." 42 CFR, Part 2. Available online at http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&rgn=div5&view=text&node=42:1.0.1.1.2&idno=42.l.
Occupational Safety and Health Administration, Department of Labor. "Recording and Reporting Occupational Injuries and Illnesses." 29 CFR, Chapter 17, Part 1904.35, Section 657. 2002. Available online at www.osha.gov/pls/oshaweb/owastand.display_standard_group?p_toc_level=1&p_part_number=1904

Recommendations for Clarifying Disclosure

Healthcare organizations can take the following basic steps to help clear up confusion around the legal health record and the designated record set and the disclosure of information from both:

Develop and maintain an inventory of documents and data that comprise the legal health record. Consider whether other types of information that are not document-based are part of the legal health record (e.g., e-mail, electronic fetal monitoring strips, diagnostic images, digital photography, and video).
Develop a detailed inventory of items that comprise the designated record. Declare the official legal health record and designated record set in organizational policy.
Consider a single repository for legal retention requirements.
Consider the use of records management software that supports the records declaration process and records lifecycle management, particularly for messaging records (such as e-mail or instant messages that are considered part of the legal health record or designated record set).
Collaborate with clinicians to develop procedures for identifying external information that has been used in patient care. Once identified as such, provisions should be made for including this in the patient's record, whether paper or electronic. Within the record, consideration should be given to filing or indexing the external information under a separate tab or section of the electronic or paper record developed for this purpose. Review state statues that may require inclusion of external information.
Promptly return to the patient (if feasible) or dispose of (in accordance with the organization's destruction procedures) any health information that is not used or not solicited.
Consider developing policies and procedures that confine the ability to request health information from external sources and to place such information in the patient's record to specified staff or personnel.
Develop written policies and procedures as well as staff training for clinical users that address the use of external information. Train HIM staff on procedures related to redisclosure of health information.
Identify the records the organization believes individuals have the right to access and amend under state and federal laws and regulations
Apply HIPAA's pre-emption standards where individuals' rights to access and amend are not the same under other federal or state laws and regulations

There may be times when an individual has a legitimate need to access source data that are not considered part of the legal health record or designated record set. The organization's legal counsel should advise whenever there is uncertainty. Appendix E contains policy definitions that can be included in organizational policy. Appendix F offers a sample template for the legal health record, and Appendix G features a sample template for a designated record set policy.

Sources

AHIMA e-HIM Work Group on the Legal Health Record. "Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes." Journal of AHIMA 76, no. 8 (Sept. 2005): 64A-G. Available online in the AHIMA Body of Knowledge at www.ahima.org.

AHIMA EHR Practice Council. "Developing a Legal Health Record Policy." Journal of AHIMA 78, no. 9 (Oct. 2007): 93-97. Available online in the AHIMA Body of Knowledge at www.ahima.org.

Hughes, Gwen. "Defining the Designated Record Set." Journal of AHIMA 74, no. 1 (Jan. 2003): 64A-D. Available online in the AHIMA Body of Knowledge at www.ahima.org.

Dougherty, Michelle, and Lydia Washington. "Defining and Disclosing the Designated Record Set and the Legal Health Record." Journal of AHIMA 79, no. 4 (Apr. 2008): 65-68. Available online in the AHIMA Body of Knowledge at www.ahima.org.

Appendixes

Seven appendixes are included in the online version of this brief.

Appendix A: Health Record Matrix

The matrix below is a tool organizations can use to help identify and track the paper and electronic portions of the health record during an EHR implementation and ongoing maintenance. HIM professionals can customize this matrix to their organization's needs and add specific items that should be considered when implementing an EHR. It is up to each individual organization to determine what health information is considered part of their legal health record and their designated record set.

Type of Document	Name of Document	Primary Source*	Primary Source System Start Date	Source of the Legal Health Record/ Designated Record Set	Legal Health Record, Designated Record Set, or Both	Comments
Nursing	ICU nursing assessment	Electronic nursing documentation system	1/2/2007	Enterprise document management system	Both	Phased implementation
Physician orders	Congestive heart failure order set	Computerized physician order entry system	1/2/2007	EHR	Both	Downtime paper orders scanned
Emergency department	Emergency department treatment record	Paper	3/15/2005	Enterprise document system	Both
Discharge summary	Discharge summary	Transcription system	12/15/2002	EHR	Both
Claims	Billing report	Patient financial system	7/1/1998	Patient financial system	Designated record set

*Includes scanned images

Appendix B: Comparison of the Designated Record Set versus the Legal Health Record

Editor's note: this appendix contains work previously published by AHIMA.

This side-by-side comparison of the designated record set and the legal health record demonstrates the differences between the two sets of information, as well as their purposes.

	Designated Record Set	Legal Health Record
Definition	A group of records maintained by or for a covered entity that is the medical and billing records about individuals; enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; information used in whole or in part by or for the HIPAA covered entity to make decisions about individuals.	The business record generated at or for a healthcare organization. It is the record that would be released upon receipt of a request. The legal health record is the officially declared record of healthcare services provided to an individual delivered by a provider.
Purpose	Used to clarify the access and amendment standards in the HIPAA privacy rule, which provide that individuals generally have the right to inspect and obtain a copy of protected health information in the designated record set.	The official business record of healthcare services delivered by the entity for regulatory and disclosure purposes.
Content	Defined in organizational policy and required by the HIPAA privacy rule. The content of the designated record set includes medical and billing records of covered providers; enrollment, payment, claims, and case information of a health plan; and information used in whole or in part by or for the covered entity to make decisions about individuals.	Defined in organizational policy and can include individually identifiable data in any medium collected and directly used in documenting healthcare services or health status. It excludes administrative, derived, and aggregate data.
Uses	Supports individual HIPAA right of access and amendment.	Provides a record of health status as well as documentation of care for reimbursement, quality management, research, and public health purposes; facilitates business decision-making and education of healthcare practitioners as well as the legal needs of the healthcare organization.

Categorizing record types can assist in understanding the similarities and differences and help organizations develop policies for each. Some record types are found in both the designated record set and the legal health record, while others are specific to the designated record set. The table below provides examples of different types of records and shows the similarities and differences between the two sets of information.

Sorting Record Types

Some record types belong in both the designated record set and the legal health record. Some belong in the designated record set only. Categorizing record types helps organizations set policies for each record set.

Clinical Record

History and physical
Orders
Progress notes
Lab reports (including contract lab)
Progress notes
Vital signs
Assessments
Consults
Clinical reports
Authorizations and consents

designated record set and legal health record

Source Clinical Data

X-rays
Images
Fetal strips
Videos
Pathology slides

designated record set and legal health record

External Records and Reports

External records referenced for patient care: other providers? records, records provided upon transfer
Patient generated records
Personal health records

designated record set and possibly legal health record*

* There are two points of view on whether external records referenced for patient care are part of the legal health record. One view is that they should be if they were relied upon to make care decisions. The other view is that although they are part of the designated record set and are available for patient care and disclosures, they should not be because of the organization's inability to attest to how the external records were originally created. Organizations should consult with their counsels to weigh the risks and benefits of either approach.

Committee Reports (of patient-specific care decisions)

Ethics committee or tumor board, if deciding on a course of treatment for an individual patient

Note: Documentation of findings could be reported in the patient's medical record. Other legal privileges may apply to these records.

designated record set only

Administrative and Financial

Super bills/encounter forms
Remittance advice
Case management records

designated record set only

Secondary/Administrative and Statistical

Tumor registries data
QI/QM reports and abstracts
Statistical data
Committee minutes (not patient-specific treatment related)

neither

Appendix C: Considerations for the Legal Health Record and Designated Record Set

Editor's note: this appendix compiles work previously published by AHIMA.

The move toward electronic health records is complicating organizational efforts to define and disclose information. Many of the items within the EHR have not historically been included in the legal health record and the designated record set. Examples of documents and data that should be evaluated for inclusion or exclusion include, but are not limited to:

Administrative data/documents: patient-identifiable data used for administrative, regulatory, healthcare operations, and payment (financial) purposes.¹
Annotations/"sticky notes": additional information that is added as a layer on top of the note. The annotation or sticky note may be suppressed when viewing or printing. These may be considered part of the health record. This documentation may become a permanent part of the record and is maintained in a manner similar to any other information contained within the health record.
Clinical decision support systems: a subcategory of clinical information systems that is designed to help healthcare professionals make knowledge-based clinical decisions.² Currently there are no generally accepted rules on including decision support such as system-generated notifications, prompts, and alerts as part of the health record.³ Alerts, reminders, pop-ups, and similar tools are used as aides in the clinical decision-making process. The tools themselves are usually not considered part of the legal health record; however, associated documentation is considered a component.⁴ At a minimum the EHR should include documentation of the clinician's actions in response to decision support. This documentation is evidence of the clinician's decision to follow or disregard decision support. The organization should define the extent of exception documentation required (e.g., what no documentation means).⁵ When an organization decides to include the decision support trigger as part of the health record, the organization will need to define if all triggers will be part of the record or just the clinical decision support triggers. For example, alerts for patient appointment reminders may not be considered part of the legal health record, but alerts for drug-drug interaction may be.⁶
Coding queries: a routine communication and education tool used to advocate complete and compliant documentation. Retention of the query varies by healthcare organization. First, an organization must determine if the query will be part of the health record. If the query is not part of the health record, then the organization must decide if the query is kept as part of the business record or only the outcome of the query is maintained in a database.⁷
Continuing care records: records received from another healthcare provider. Historically, these records were generally not considered part of the legal health record unless they were used in the provision of patient care. In the EHR it may be difficult to determine if information was viewed or used in delivering healthcare. It may be necessary to define such information as part of the legal health record. Policies should reflect the proper disposition of health records from external sources (e.g., other healthcare providers) if they are not integrated into the electronic and legal health record.⁸
Data/documents: documentation of patient care that took place in the ordinary course of business by all healthcare providers.⁹
Data from source systems: written results of tests. Data from which interpretations, summaries, notes, flowcharts, etc., are derived.¹⁰
Discrete structured data: laboratory orders/refills, orders/medication orders/MARs, online charting and documentation, and any detailed charges.¹¹
Document completion (lockdown): organizations must determine when users can no longer create or make changes to electronic documentation. Organizations with several source systems should consider locking down documents at some determined time after a patient encounter. There may be limitations with how the EHR handles this function, which organizations will need to factor into their policies.¹²
External records and reports: healthcare records that are created by providers outside of the organization that are received by the organization for patient care. The decision of which category external records and reports fall into depends on the applicability of HIPAA privacy rules, state law or regulation, source of the request, and type of request. If external records and reports are used to make decisions about an individual, they become part of the designated record set. If those decisions are care decisions, in most cases those same records and reports will also be included in the provider's legal health record, especially if they are created pursuant to a contract.¹³
Personal health records (PHRs): copies of PHRs that are created, owned, and managed by the patient and are provided to a healthcare organization (s) may be considered part of the health record if so defined by the organization.¹⁴
Research records: organizational policy should differentiate whether research records are part of the health record and how these records will be kept.¹⁵
Version control. Organizations must decide whether all versions of a document or ancillary report will be displayed or just the final version.¹⁶
Diagnostic image data: CT, MRI, ultrasound, nuclear medicine, etc.¹⁷
Signal tracing data: EKG, EEG, fetal monitoring signal tracings, etc.¹⁸
Audio data: heart sounds, voice dictations, annotations, etc.¹⁹
Video data: ultrasound, cardiac catheterization examinations, etc.²⁰
Text data: radiology reports, transcribed reports, UBS, itemized bills, etc.²¹
Original analog document ? document image data: signed patient consent forms, handwritten notes, drawings, etc.²²

Appendix C Notes

AHIMA EHR Practice Council. "Developing a Legal Health Record Policy: Appendix A." Journal of AHIMA 78, no. 9 (Oct. 2007): Web extra. Available online in the AHIMA Body of Knowledge at www.ahima.org.
AHIMA. Pocket Glossary of Health Information Management and Technology. Chicago, IL: AHIMA, 2009.
AHIMA EHR Practice Council. "Developing a Legal Health Record Policy." Journal of AHIMA 78, no. 9 (Oct. 2007): 93-97. Available online in the AHIMA Body of Knowledge at www.ahima.org.
AHIMA e-HIM Work Group on the Legal Health Record. "Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes." Journal of AHIMA 76, no. 8 (Sept. 2005): 64A-G. Available online in the AHIMA Body of Knowledge at www.ahima.org.
AHIMA EHR Practice Council. "Developing a Legal Health Record Policy."
Warner, Diana. "Evaluating Alerts and Triggers: Determining Whether Alerts and Triggers Are Part of the Legal Health Record." Journal of AHIMA 81, no. 3 (Mar. 2010): 40-41. Available online in the AHIMA Body of Knowledge at www.ahima.org.
AHIMA. "Guidance for Clinical Documentation Improvement Programs." Journal of AHIMA 81, no. 5 (May 2010): expanded Web version. Available online in the AHIMA Body of Knowledge at www.ahima.org.
AHIMA e-HIM Work Group on the Legal Health Record. "Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes."
AHIMA EHR Practice Council. "Developing a Legal Health Record Policy: Appendix A."
Ibid.
Ibid.
AHIMA EHR Practice Council. "Developing a Legal Health Record Policy."
Dougherty, Michelle, and Lydia Washington. "Defining and Disclosing the Designated Record Set and the Legal Health Record." Journal of AHIMA 79, no. 4 (Apr. 2008): 65-68. Available online in the AHIMA Body of Knowledge at www.ahima.org.
AHIMA EHR Practice Council. "Developing a Legal Health Record Policy: Appendix A."
Ibid.
AHIMA EHR Practice Council. "Developing a Legal Health Record Policy."
AHIMA EHR Practice Council. "Developing a Legal Health Record Policy: Appendix A."
Ibid.
Ibid.
Ibid.
Ibid.
Ibid.

Appendix D: Documents that Fall Outside the Designated Record Set and Legal Health Record

Editor's note: portions of this document were previously published in two practice briefs. The original practice briefs are listed in the "Sources" section at the end of this appendix.

In its definition of the designated record set the privacy rule does not specifically address source data such as pathology slides, diagnostic films, and tracings. However, narrative throughout the preamble suggests that providing interpretations from source data would generally be acceptable in the designated record set. In most cases, individuals cannot interpret source data, so such data is meaningless. On the other hand, the interpretations of source data provide individuals with information needed to make informed decisions about their healthcare.

There may be times, however, when an individual has a legitimate need to access source data. When such a need arises, the covered entity will want to provide the individual with greater rights of access, allowing the individual access to or copies of the source data when possible.

The following table provides examples of those documents that are not included in the designated record set.

Outside the Designated Record Set	Examples
Health information generated, collected, or maintained for purposes that do not include decision making about the individual	Data collected and maintained for research Data collected and maintained for peer review purposes Data collected and maintained for performance improvement purposes Appointment and surgery schedules Birth and death registers Surgery registers Diagnostic or operative indexes Duplicate copies of information that can also be located in the individual's medical or billing record
Psychotherapy notes	The notes of a mental health professional about counseling sessions that are maintained separate and apart from the regular health record
Information compiled in reasonable anticipation of or for use in a civil, criminal, or administrative action or proceeding	Notes taken by a covered entity during a meeting with the covered entity's attorney about a pending lawsuit
CLIA	Requisitions for laboratory tests Duplicate lab results when the originals are filed in the individual's paper chart
Employer records	Pre-employment physicals maintained in human resource files The results of HIV tests maintained by the infectious disease control nurse on employees who have suffered needle stick injuries on the job
Business associate records that meet the definition of designated record set but that merely duplicate information maintained by the covered entity	Transcribed operative reports that have been transmitted to the covered entity
Education records	Records generated and maintained by teachers and teachers' aides employed by a school district or patients in acute care hospitals, institutions for the developmentally disabled and rehabilitation care centers
Source (raw) data interpreted or summarized in the individual's medical or health record	Pathology slides Diagnostic films Electrocardiogram tracings from which interpretations are derived
Versions	Management of multiple revisions of the same document. By versioning, each iteration of a document is tracked.
Metadata	Data that provides a detailed description about other data. "Information about a particular data set or document that describes how, when, and by whom it was collected, created, accessed, or modified and how it is formatted.¹
Audits	Results of reviews to identify variations from established baselines or used to track an individual's activity in an electronic system (e.g., view, print, edit).
Pending reports	Reports that have been initiated by a member of the healthcare team but not yet authenticated and may not be available for viewing by staff until completed. An EHR system will keep these documents in a pending or incomplete status.

Administrative and Derived Data

There are many types of patient-identifiable data elements that are pulled from the patient's healthcare record that are not included in the legal health record or designated record set definitions. Administrative data and derived data and documents are two examples of patient-identifiable data that are used in the healthcare organization.

Administrative data are patient-identifiable data used for administrative, regulatory, healthcare operation, and payment (financial) purposes. Examples of administrative data include:

Audit trails related to the EHR
Authorization forms for release of information
Birth and death certificate worksheets
Correspondence concerning requests for records
Databases containing patient information
Event history and audit trails
Financial and insurance forms
Incident or patient safety reports
Institutional review board lists
Logs
Notice of privacy practices acknowledgments (unless the organization chooses to classify them as part of the health record)
Patient-identifiable data reviewed for quality assurance or utilization management
Protocols and clinical pathways, practice guidelines, and other knowledge sources that do not imbed patient data
Work lists and works-in-progress

Derived or administrative data are derived from the primary healthcare record and contain selected data elements to aid in the provision, support, evaluation, or advancement of patient care. Derived data and documents should be provided the same level of confidentiality as the legal health record. However, derived data should not be considered part of the health record and would not be produced in response to a court order, subpoena or request for the health record.

Derived data consist of information aggregated or summarized from patient records so that there are no means to identify patients. Examples of derived data are:

Accreditation reports
Anonymous patient data for research purposes
Best-practice guidelines created from aggregate patient data
OASIS reports
ORYX, Quality Indicator, Quality Measure, or other reports
Public health reports that do not contain patient-identifiable data
Statistical reports
Transmission reports for MDS, OASIS, and IRF PAI

Appendix D Note

Sedona Conference. "The Sedona Guidelines: Best Practice Guidelines and Commentary for Managing Information & Records in the Electronic Age." September 2005. Available online at www.thesedonaconference.org/content/miscFiles/TSG9_05.pdf.

Appendix D Sources

Hughes, Gwen. "Defining the Designated Record Set." Journal of AHIMA 74, no. 1 (Jan. 2003): 64A-D. Available online in the AHIMA Body of Knowledge at www.ahima.org.

Appendix E: Policy Definitions

Editor's note: this appendix contains work previously published by AHIMA.

Definitions

The following definitions may be helpful for organizations when creating the legal health record and designated record set policies. Any key terms the organization identifies should also be included in the organization's final policy.

Business record: "a recording/record made or received in conjunction with a business purpose and preserved as evidence or because the information has value. Because this information is created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligation or in the transaction of business, it must consistently deliver a full and accurate record with no gaps or additions."¹

Data: basic facts about people, processes, measurements, and conditions represented in dates, numerical statistics, images, and symbols. An unprocessed collection or representation of raw facts, concepts, or instructions in a manner suitable for communication, interpretation, or processing by humans or automatic means.²

Data element: a combination of one or more data entities that forms a unit or piece of information, such as patient identifier, a diagnosis, or treatment.³

Electronic health record: medical information compiled in a data-gathering format for retention and transferral of protected information via secured, encrypted communication line. The information can be readily stored on an acceptable storage medium such as compact disc.⁴

Evidence: information that a fact finder may use to decide an issue. Information that makes a fact or issue before court or other hearing more or less probable.⁵

Legal health record: AHIMA defines the legal health record as "generated at or for a healthcare organization as its business record and is the record that would be released upon request. It does not affect the discoverability of other information held by the organization. The custodian of the legal health record is the health information manager in collaboration with information technology personnel. HIM professionals oversee the operational functions related to collecting, protecting, and archiving the legal health record, while information technology staff manage the technical infrastructure of the electronic health record."⁶

The legal health record is a formally defined legal business record for a healthcare organization. It includes documentation of healthcare services provided to an individual in any aspect of healthcare delivery by a healthcare organization.^7,8 The health record is individually identifiable data in any medium, collected and directly used in documenting healthcare or health status. The term also includes records of care in any health-related setting used by healthcare professionals while providing patient care services, reviewing patient data, or documenting observations, actions, or instructions.⁹

Original document: an authentic writing as opposed to a copy. ¹⁰

Regular course of business: doing business in accordance with the normal practice of business and custom, as opposed to doing it differently because an organization may be or is being sued.¹¹

Source systems: The systems in which data were originally created.

Primary source system: an information system that is part of the overall clinical information system in which documentation is most commonly first entered or generated.
Source of legal health record: the permanent storage system where the documentation for the legal health record is held.

Appendix E Notes

AHIMA e-HIM Work Group on e-Discovery. "New Electronic Discovery Civil Rule." Journal of AHIMA 77, no. 8 (Sept. 2006): 68A-H.
AHIMA e-HIM Work Group on the Legal Health Record. "Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes." Journal of AHIMA 76, no. 8 (Sept. 2005): 64A-G.
Ibid.
Ibid.
Ibid.
Ibid.
Amatayakul, Margaret, et al. "Definition of the Health Record for Legal Purposes." Journal of AHIMA 72, no. 9 (Oct. 2001): 88A-H.
AHIMA e-HIM Work Group on the Legal Health Record. "Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes."
Ibid.
Ibid.
Ibid.

Appendix F: Legal Health Record Sample Template

Editor's note: this appendix contains work previously published by AHIMA.

Legal Health Record Policy Template

Policy Name: The Health Record for Legal and Business Purposes

Effective Date:

Departments Affected: HIM, Information Systems, Legal Services, [any additional departments affected]

Purpose: This policy identifies the health record of [organization] for business and legal purposes and to ensure that the integrity of the health record is maintained so that it can support business and legal needs.

Scope: This policy applies to all uses and disclosures of the health record for administrative, business, or evidentiary purposes. It encompasses records that may be kept in a variety of media including, but not limited to, electronic, paper, digital images, video, and audio. It excludes those health records not normally made and kept in the regular course of the business of [organization].

Note: The determining factor in whether a document is considered part of the legal health record is not where the information resides or its format, but rather how the information is used and whether it is reasonable to expect the information to be routinely released when a request for a complete health record is received. The legal health record excludes health records that are not official business records of a healthcare provider. Organizations should seek legal counsel when deciding what constitutes the organization's legal health record.

Policy: It is the policy of [organization] to create and maintain health records that, in addition to their primary intended purpose of clinical and patient care use, will also serve the business and legal needs of [organization].

It is the policy of [organization] to maintain health records that will not be compromised and will support the business and legal needs of [organization].

Routine disclosures will only include information needed to fulfill the intent of the request. It excludes information determined to not be included in the legal health record.

Responsibilities

It is the responsibility of the Health Information Management Director, working in conjunction with the Information Services Department (IS) and the Legal Department [or other appropriate departments] to:

Maintain a matrix or other document that tracks the source, location, and media of each component of the health record. [Reference an addendum or other source where the health record information is found.]
Identify any content that may be used in decision making and care of the patient that may be external to the organization (outside records and reports, PHRs, e-mail, etc.) that is not included as part of the legal record because it was not made or kept in the regular course of business.
Develop, coordinate, and administer a plan that manages all information content, regardless of location or form that comprises the legal health record of [organization].
Develop, coordinate, and administer the process of disclosure of health information.
Develop and administer a health record retention schedule that complies with applicable regulatory and business requirements.
Ensure appropriate access to information systems containing components of the health record
Execute the archiving and retention schedule pursuant to the established retention schedule
[Other responsibilities]

[Additional responsibilities for other individuals or departments]

Appendix G: Sample Designated Record Set Template

Editor's note: this appendix contains work previously published by AHIMA.

Designated Record Set Template

Policy Name: Designated Record Set Policy

Effective Date:

Departments Affected: HIM, Information Systems, Legal Services, [any additional departments affected]

Purpose: The purpose of this policy is to establish guidelines for the definition and content of the [organization] designated record set in accordance with the Health Insurance Portability and Assurance Act (HIPAA) of 1996.

Scope: This policy applies to all uses and disclosures of the health record. It encompasses records that may be kept in a variety of media including, but not limited to, electronic, paper, digital images, video, and audio. It excludes those health records not normally made and kept in the regular course of the business of [organization].

Note: The determining factor in whether a document is considered part of the designated record set is not where the information resides or its format, but rather how the information is used and whether it is reasonable to expect the information to be routinely released when a request from the individual to inspect, copy or request an amendment. The designated record set excludes health records that are not official business records of a healthcare provider. Organizations should seek legal counsel when deciding what constitutes the organization's designated record set.

Policy: To define the specific information or records that patient's may access and amend under the Health Insurance Portability and Accountability Act (HIPAA) and state privacy laws. The standards provide that individuals have the right to inspect and obtain a copy and request amendment of medical information used to make decisions about their care and billing information.

Definitions:

Designated Record Set: A group of records maintained by or for [organization] that includes the medical records and billing records about individuals that is used in whole or part by or for [organization] to make decisions about individuals. The term record is defined as any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for [organization].

Includes:

Legal medical record (refer to your organization's Legal Health Record Policy)
Patient-specific claim information such as encounter forms, claims submitted, account balances, payment agreements, ABN letters, notice of noncoverage letters, etc.
Outside facility or provider records used in whole or in part by [organization] to make decisions about individuals
Patient-submitted documentation and referral letters
Other patient-specific information such as consents and authorizations

Excludes:

Administrative data, which is patient-identifiable and used for administrative, regulatory, or other healthcare operations, such as event history/audit trails, data used for quality assurance or utilization management, data prepared in anticipation of legal action, etc.
Derived data stored in aggregate or summarized which is not patient-identifiable, such as data used for accreditation reports, research data, statistical reports, best practice guidelines, etc.
Psychotherapy notes maintained separate from the rest of the patient's medical record
Patient information created as part of a research study to which the patient has temporarily waived right to access
Records that have been destroyed because they have exceeded their required retention period or because they have been rendered unusable due to fire, flood, or other circumstances
Information that is subject to a legal privilege such as peer review or attorney/client privilege

Excluded from designated record set but may be disclosed with appropriate authorization:

Source data such as radiology films, videos, photographs, slides, EKG strips, fetal monitor strips, etc., when available.

Responsibilities

Maintain a matrix or other document that tracks the source, location, and media of each component of the health record [reference an addendum or other source where the health record information is found]
Identify any content that may be used in decision making and care of the patient that may be external to the organization (outside records and reports, PHRs, e-mail, etc.) that is not included as part of the legal record because it was not made or kept in the regular course of business
Develop, coordinate, and administer a plan that manages all information content, regardless of location or form that comprises the legal health record of [organization]
Develop, coordinate, and administer the process of inspecting, copying, and amending health information
Develop and administer a health record retention schedule that complies with applicable regulatory and business requirements
Ensure appropriate access to information systems containing components of the health record
Execute the archiving and retention schedule pursuant to the established retention schedule
[Other responsibilities]

[Additional responsibilities for other individuals or departments]

References

AHIMA. "Guidance for Clinical Documentation Improvement Programs." Journal of AHIMA 81, no. 5 (May 2010): expanded Web version. Available online in the AHIMA Body of Knowledge at www.ahima.org.

Centers for Medicare and Medicaid Services, Department of Health and Human Services. Title 42-Public Health. Chapter IV, Subchapter G-Standards and Certification. Part 482-Conditions of Participation for Hospitals, Subpart C-Basic Hospital Functions. Section 482.24-Condition of Participation: Medical Record Services. Available online at http://cfr.vlex.com/vid/482-condition-participation-record-19811382#ixzz13345288z.

Department of Health and Human Services. "Standards for Privacy of Individually Identifiable Health Information; Final Rule." 45 CFR Parts 160 and 164. Federal Register 67, no. 157 (Aug. 14, 2002). Available online at http://aspe.hhs.gov/admnsimp/final/pvcguide1.htm.

Joint Commission. "The Joint Commission Standards." Available online at www.jointcommission.org/Standards.

NCHICA Designated Record Sets Work Group and Privacy and Confidentiality Focus Group. "Guidance for Identifying Designated Record Sets under HIPAA." August 16, 2002. Available online at www.nchica.org/HIPAA Resources/Samples/DesRecSets.pdf.

Servais, Cheryl E. The Legal Health Record. Chicago, IL: AHIMA, 2008.

Warner, Diana. "Evaluating Alerts and Triggers: Determining Whether Alerts and Triggers are Part of the Legal Health Record." Journal of AHIMA 81, no. 3 (Mar. 2010): 40-41. Available online in the AHIMA Body of Knowledge at www.ahima.org.

Prepared by

Mary Beth Haugen, MS, RHIA
Anne Tegen, MHA, RHIA, HRM
Diana Warner, MS, RHIA, CHPS

Acknowledgments

Cecilia Backman, MBA, RHIA, CPHQ
Angela Dinh, MHA, RHIA, CHPS
Denise Dunyak, MS, RHIA
Suzy Johnson, MS, RHIA
Nicole Miller, RHIA
Mary Stanfill, MBI, RHIA, CCS, CCS-P, FAHIMA
Allison Viola, MBA, RHIA
Lou Ann Wiedemann, MS, RHIA, FAHIMA, CPEHR

The information contained in this practice brief reflects the consensus opinion of the professionals who developed it. It has not been validated through scientific research.

†Indicates an AHIMA best practice. Best practices are available in the AHIMA Compendium, http://compendium.ahima.org.

Article citation:
AHIMA. "Fundamentals of the Legal Health Record and Designated Record Set." Journal of AHIMA 82, no.2 (February 2011): expanded online version.