Designated Record Set
Definition
A designated record set is a HIPAA-specific concept that refers to the group of records a covered entity uses to make decisions about an individual’s care, coverage, payment, benefits, or related rights. It can include medical records, billing records, enrollment records, claims records, case notes, care management files, and other information maintained by or for a covered entity when those records are used to make decisions about a person. The concept is important because individuals may have rights to access, inspect, request corrections to, or receive copies of information in the designated record set. In practice, organizations need to know which systems, departments, vendors, and workflows hold these records so they can respond consistently to access requests, apply retention rules, protect sensitive information, and maintain audit-ready evidence. Similar concepts appear in other privacy and data protection frameworks through rights of access, correction, portability, and accountable recordkeeping, although terminology and scope may differ.
Real-World Examples
Patient Portal Records
A digital health startup maintains patient visit summaries, lab results, care plans, and messages in a patient portal that may form part of the designated record set.
Claims and Billing Files
A health plan keeps enrollment, eligibility, claims, payment, and appeal records that are used to decide coverage and reimbursement for members.
Enterprise Health System Inventory
A large hospital maps electronic health record systems, imaging repositories, billing tools, and archived records to determine where designated record set data resides.
Vendor-Hosted Care Records
A care management platform stores assessments and case notes on behalf of a provider, requiring clear ownership, access, and retrieval procedures.
A designated record set is the collection of records that a HIPAA-covered entity uses to make decisions about an individual. It can include care, billing, enrollment, claims, and other records maintained by or for the covered entity when they affect a person’s rights, benefits, treatment, or payment.
A designated record set may include medical records, billing records, enrollment files, claims data, care management notes, payment information, appeal records, and similar files used to make decisions about an individual. The exact scope depends on how the organization creates, receives, maintains, and uses the records.
It is important because it determines which records may be subject to individual access, amendment, retention, and disclosure processes. Without a clear inventory of designated record set data, organizations may miss records, respond inconsistently to requests, or fail to protect sensitive information appropriately.
Organizations identify a designated record set by reviewing business processes, systems, departments, vendors, and record types that are used to make decisions about individuals. This usually involves mapping data flows, interviewing record owners, documenting systems of record, and distinguishing decision-making records from temporary, duplicate, or administrative files.
A designated record set focuses on records used to make decisions about an individual, while a legal record is often the organization’s official record for legal, operational, or evidentiary purposes. Some records may fit both concepts, but the two terms are not always identical in scope or purpose.
Yes. Electronic records can be part of a designated record set when they are used to make decisions about an individual. This can include electronic health record entries, portal data, claims files, billing records, scanned documents, structured database fields, and vendor-hosted records.
Responsibility is usually shared across privacy, compliance, legal, health information management, IT, security, and business process owners. Each group may manage different aspects, such as defining scope, securing systems, responding to requests, maintaining retention schedules, or overseeing vendors.
Access requests should be handled through a documented process that verifies the requester, identifies the relevant records, applies permitted limitations, tracks deadlines, and provides records in an appropriate format. Organizations should also keep evidence of the request, review, fulfillment, and any denial or correction decision.
Useful controls include access management, role-based permissions, encryption, audit logging, retention schedules, data classification, vendor oversight, secure transmission, backup procedures, and incident response processes. These controls help ensure that sensitive records remain accurate, available, and protected from unauthorized access.
Information Security & GRC requirements usually include maintaining an inventory of relevant record systems, assigning ownership, documenting access and amendment procedures, applying security controls, monitoring vendor involvement, enforcing retention rules, and keeping evidence that the organization can respond to individual rights requests consistently.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-07 | WatchDog GRC Team | Initial publication |
