Category: CC-HIPAA
POLICY & PROCEDURE
Subject:
Medical Records: Designated Record Set and Legal Health Record
Classification:
Management Approved
Policy Owner:
Vice President of Corporate Responsibility
Approved by:
SVP Ascension Health/Wisconsin
Ministry Market Executive
POLICY:
Wheaton Franciscan Healthcare (“WFH”) maintains a Designated Record Set that
is subject to patients’ rights as defined under the Federal Health Insurance
Portability and Accountability Act of 1996 (“HIPAA”).
RATIONALE:
Our Values of Respect and Integrity call us to protect patient privacy, respect
patient rights and follow regulations which govern health information.
SCOPE:
This policy applies to all healthcare organizations owned and/or managed by
WFH.
DEFINITIONS:
Effective: June 1, 2016
Administrative Data: As defined by the American Health Information
Management Association (“AHIMA”), are patient identifiable data used for
administrative, regulatory, health care operations and payment (financial)
purposes. Examples include: birth certificate worksheets and authorization forms
for release of information, correspondence concerning requests for records, vital
certificate worksheets, audit trails, copies of claims, incident or patient safety
reports, indices, logs, registries, patient identifiable data reviewed for quality
improvement, peer review or utilization management.
Derived Data: As defined by AHIMA, consists of information aggregated or
summarized from patient records so that there are no means to identify patients.
Derived data used for operational purposes of the organization include: audits
and audit results, statistical reports, peer review records, quality improvement,
utilization management, corporate compliance, and risk assessment records,
anonymous patient data for research purposes, transmission reports for MDS,
OASIS and IRF PAI, accreditation reports.
Designated Record Set (“DRS”): As defined in the Federal Privacy Rule 42
CFR §164.501 (HIPAA), is
1. A group of records maintained by or for a covered entity that is:
 The medical records and billing records about patients maintained by or
for a covered health care provider;
 The enrollment, payment, claims adjudication, and case or medical
management record systems maintained by or for a health plan; or
 Information used in whole or in part, by or for the covered entity to make
decisions about patients.
2. For purposes of this definition, the term “record” means any item, collection,
or grouping of information that include PHI and is maintained, collected, used,
or disseminated by or for a covered entity.
CC-HIPAA
Medical Records: Designated Record Set and Legal Health Record
Page 1 of 5
Legal Health Record (“LHR”): As defined by AHIMA October, 2001, is the
documentation (official business record) of the health care services provided to an
patient in any aspect of health care delivery by a health care provider
organization. The LHR is individually identifiable data, in any medium, collected
and directly used in and/or documenting healthcare or health status. The term
includes records of care in any health-related setting used by health care
professionals while providing patient care services, for reviewing patient data, or
documenting observations, actions, or instructions. The LHR for each
organization is outlined in Appendix A of this policy.
Patient Identifiable Source Data: As defined by AHIMA, are data from which
interpretation, summaries, notes, etc. are derived. Source data is an adjunct
component of the LHR and is often maintained in a separate location or database
and provided the same level of confidentiality as the LHR. Example: diagnostic
films and images.
Protected Health Information (PHI): As defined in the Federal Privacy Rule 42
CFR §164.501 is individually identifiable health information, whether oral or
recorded in any form or medium, that is created by or received by the
organization (health care provider, health plan, public health authority, employer,
life insurer, school or university, or health care clearinghouse) , including
demographic information, that identifies a person, or provides a reasonable basis
to believe the information can be used to identify a person, and relates to:
1. Past, present or future physical or mental health or condition of a personl.
2. The provision of health care to a person.
3. The past, present, or future payment for the provision of health care to a
person.
Psychotherapy Notes: As defined in the Federal Privacy Rule 42 CFR
§164.501, means notes recorded (in any medium) by a health care provider who
is a mental health professional documenting or analyzing the contents of
conversation during a private counseling session or a group, joint, or family
counseling session and are separated from the rest of the patient’s medical
record. Psychotherapy notes exclude medication prescription and monitoring,
counseling session start and stop times, the modalities and frequencies of
treatment furnished, results of clinical tests, and any summary of the following
items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and
progress to date.
PROCEDURE:
1. The following shall be maintained in a DRS:
 Billing Record: Content of the patient account file in a paper or computerbased record environment.
 Health Plan Records: The enrollment, payment, claims adjudication, and
case or medical management record maintained by or for a health plan.
 Medical Record: Information defined as the LHR in a paper or computerbased record environment.
 Other Records Used to Make Decisions About the Patient:
o Records created by another health care provider when used to make
decisions about the patient.
o Documents/reports generated by health care providers to support the
required documentation needs of the patient’s care being provided at
the organization (such as a hospital history and physical from the
physician’s office).
o Outside test results such as pathology report for tests ordered by the
physician and performed by another provider.
CC-HIPAA
Medical Records: Designated Record Set and Legal Health Record
Page 2 of 5

Personal Health Records: Copies of personal health records created,
owned, and managed by the patient and provided to the organization.
2. The following shall not be maintained as part of the DRS:
 Administrative Data: (See definition above) including birth certificate
worksheets and authorization forms for release of information,
correspondence concerning requests for records, vital certificate
worksheets, audit trails, copies of claims, incident or patient safety
reports, indices, logs, registries, patient identifiable data reviewed for
quality improvement, peer review or utilization management.
 CLIA Documents: Information not subject to disclosure under the Clinical
Laboratory Improvements Amendments of 1988 (CLIA) or other federal or
state laws.
 Derived Data (See definition above) including: audits and audit results,
statistical reports, peer review records, quality improvement, utilization
management, corporate compliance, and risk assessment records,
anonymous patient data for research purposes, transmission reports for
MDS, OASIS and IRF PAI, accreditation reports.
 Education records covered by the Family Educational Right and Privacy
Act, as amended, 20 U.S.C. 1232g(a)(4)(B)(iv) such as immunization
records.
 Employer Records held by a health plan or health care provider in its role
as employer, such as pre-employment physicals, workers’ compensation
related documentation, results of HIV and TB tests.
 Health information that is not used to make decisions about the patient
such as data collected and maintained for research, peer review, or
performance improvement purposes; appointment and surgery schedules,
birth and death registers, and surgery registers.
 Information compiled in reasonable anticipation of, or for use in, a civil,
criminal, or administrative action or other legal proceeding.
 Other Documents such as guardianship documents and adoption
documents that include identifying information of birth parents.
 Psychotherapy Notes (See definition above)
 Source Data that is interpreted or summarized in the patient’s medical
record. Examples include films, videos, slides, tracings, raw test data,
etc. unless interpretations, summarizations or transcriptions are not
available.
 Working Records such as notes or other source documentation only if the
information is available elsewhere in the medical or billing record.
Examples include: raw test data, audiotapes, videos/photographs used
for educational purposes, telemedicine records, coding/UR worksheets,
billing/accounts payable working notes regarding claim status, patient
conversations, claim reviews, etc.
3. Access to Source Data
When a patient specifically requests access to source data in addition to the
DRS, the patient will be provided with access to or a copy of the source data
when such access is possible; would not violate state or federal laws or
regulations and would not endanger the privacy, health or safety of the patient
or another person.
4. Records Held by a Business Associate
Records held by a business associate of WFH that meet the definition of DRS
are part of the WFH organization’s DRS.
CC-HIPAA
Medical Records: Designated Record Set and Legal Health Record
Page 3 of 5
REFERENCES
AHIMA e-HIM Work Group on Legal Health Record. “Update: Guidelines for
Defining Legal Health Record for Disclosure Purposes.” Journal of AHIMA 76, No.
8 (September 2005): 64A-G.
AHIMA e-HIM Work Group on Legal Health Record. “Update: Maintaining a Legal
Sound Health Record – Paper and Electronic.” Journal of AHIMA 76, No. 10
(November-December 2005): 64A-L.
Amatayakul, Margret et al. “Practice Brief: Definition of the Health Record for
Legal Purposes.” Journal of AHIMA 72, no. 9 (2001).
Hughes, Gwen. “Practice Brief: Defining the Designated Record Set.” Journal of
AHIMA 74, no.1 (2003).
NCHICA Designated Record Sets Word Group and Privacy and Confidentiality
Focus Group. “Guidance for Identifying Designated Record Sets under HIPAA.”
Version 2. February 3, 2003.
Privacy Act of 1974. 5 USC, Section 552A.
“Standards for Privacy of Individually Identifiable Health Information ; Final Rule.”
45 CFR Parts 160 and 164. Federal Register 67, no. 157 (August 14, 2002).
Replaces:
Cross reference:
Uses and Disclosure of Health Information policy
Review Period:
Two (2) years
Original Policy Date:
Dates Updated:
December 14, 2009; May 15, 2012; June 1, 2016
CC-HIPAA
Medical Records: Designated Record Set and Legal Health Record
Page 4 of 5
Appendix A – Legal Health Record
WFH-All Saints,
WFH-St. Francis,
WFH-Franklin,
Wheaton
Franciscan
Wheaton
Franciscan Home
Health and
Hospice
The Terrace at St.
Francis,
Franciscan
Woods, Lake
Shore Manor
Wheaton
Franciscan
Medical Group,
Metro Physicians
Legal Health Record
The paper record maintained by Health Information Management,
Horizon Patient Folder or EPIC (or similar electronic medical
record) if implemented. A matrix will be maintained by Health
Information Management to indicate the Electronic Health Record
implementation by date and practice.
The paper record maintained by Health Information Management
and the Electronic Health Record.
The combination of the paper record maintained by Health
Information Management and the EHR if implemented.
The paper record maintained by Health Information Management
or EPIC (or similar electronic medical record) if implemented. A
matrix will be maintained by Health Information Management to
indicate the EHR implementation by date and practice.
CC-HIPAA
Medical Records: Designated Record Set and Legal Health Record
Page 5 of 5