In Search of EHR's Designated Record Set

By Mary Butler

When Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, broke her elbow while attending an AHIMA event in Baltimore threeyears ago, she soldiered on through the event but summoned her primary care physician for a telemedicine encounter to determine her treatment. Later, when collecting paperwork for her worker’s compensation claim, she went back to her physician, who had not started or maintained a note documenting the video conference.

“The doctor said, ‘That was a video,’ and I said, ‘You responded, so you’ve got to provide a record of the encounter,’” Bowen says, adding that the physician had to go back and write an account of the video appointment after the fact so that she had something to submit with her claim.

For as long as telemedicine has been a viable and reimbursable avenue of providing healthcare, health information management (HIM) professionals and others have been trying to figure out where documentation of telemedicine encounters belongs. Bowen, who is vice president, privacy, compliance, and HIM policy at MRO, says there’s still more regulations needed to ensure telemedicine is properly coded, classified, and reimbursed.

However, telemedicine’s entry into the medical record, and the electronic health record (EHR) in particular, helps illustrate the way technology is challenging long-held notions about what types of health data constitute the legal health record (LHR) and the designated record set (DRS) in the age of EHRs.

Though it has been years since most providers implemented an EHR system, there is still confusion and a lack of consensus on what constitutes the DRS as required by the HIPAA Privacy Rule, as well as what records should make up a LHR. The LHR is a term that was developed by AHIMA to help providers identify what information constitutes the official business record of an organization for evidentiary purposes. It is also used to document services provided as legal testimony regarding a patient’s illness or injury, response to treatment, and caregiver decisions.1 However, even among HIM professionals, confusion exists about the difference between the DRS and LHR. There is even a debate as to whether the LHR is an outdated term.

“I just think that, historically, the issue has been that some people use the terms designated record set and legal health record interchangeably—and sometimes some people are very distinct about which one they mean. Often, I hear people swap around the definition,” says Lori Richter, MA, RHIA, CHPS, CPHIT, CPEHR, Onecare EHR compliance director at Catholic Health Initiatives.

Further complicating the matter, the US Department of Health and Human Services (HHS) has rightfully been expanding patient rights to their information, including the DRS, putting more pressure on healthcare organizations to respond to release of information (ROI) requests compliantly.

Additionally, the recent information blocking proposed rule, issued by the HHS Office of the National Coordinator for Health IT (ONC), which was required by the 21st Century Cures Act, provides a new, nebulous definition for “electronic health information” (EHI) that dictates health data that must be accessible to patients. The scope of EHI defined by the proposed rule is much larger than that defined for providers by HIPAA.

As regulation and technology shift the legal terminology around the DRS and LHR, HIM professionals still must make decisions in the best interest of their patients and their organizations based on these terms.

Designating the Designated Record Set

The best place to start when differentiating between the DRS and the LHR is to look at how they are used. Under the HIPAA Privacy Rule, the DRS designation 45 C.F.R. § 164.524 refers to an individual’s request for access. “The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set,” the regulation states.

Functionally, this includes data that includes patient medical and billing records; the enrollment, payment, claims, adjudication, and cases or medical management record systems maintained by or for a health plan; or information used in whole or in part to make care-related decisions.

The existence of EHRs makes it harder for facilities to determine what goes in their DRS for several reasons. For example, content used for decision-making and care of the patient may be external to the organization, such as outside records, diagnostic reports, and patient email exchanges. Organizations also frequently struggle with metadata, since in some provider organizations, it’s the responsibility of the information systems department to retrieve metadata when requested to do so, according to Judy Hoffman, BCRT, CHPS, CHP, CHSS, Regional Privacy Officer – Northwest, Catholic Health Initiatives.

Her organization chooses to produce and disclose relevant information and records in compliance with applicable laws, court procedures, and agreements made during the litigation process.

“The IT department will provide assistance to HIM and data owners in the search and retrieval process for various systems and data sources. IT representatives will decide the format in which the information will be disclosed, such as paper, ASCII, PDF, TIF, screen shot, mirror copy of data file, or review of material online,” Hoffman says.

Wes Morris, CHPS, CIPM, HCISPP, managing principal consultant for Clearwater Compliance, takes a similar tack.

“I, and many others I have consulted with, take the position that if you’ve included external documents in your record and they are used as part of the clinical decision-making, then they are now a part of your DRS, regardless of the provenance of the original documents,” Morris says.

According to the experts, facilities need to resist the simpler and somewhat blanket approach “that everything housed in the EHR now is part of the DRS,” which some organizations opt to do for simplicity’s sake.

“We have certain communications that are stored in our EHR that do not meet the definition of a DRS,” says Dana DeMasters, MN, RN, CHPS, privacy and security officer at Liberty Hospital, in Liberty, MO. “We do not collect and store a separate formal DRS, for example, we pull information from the EHR based on our DRS policy.

HIPAA requires that the DRS be organized and defined, so healthcare facilities need to create a formal policy around what is included. But determining just what gets included in the DRS can be a challenge—especially in the digital world, where there is more information than ever.

Lorraine Fernandes, RHIA, principal and founder of Fernandes Healthcare Insights, sees this as a major concern for providers—data is created and stored in many different places for data analytics purposes and population health.

“I hear people talking about, we need common data dictionaries and business glossaries and common definitions, and common definitions deserves a designated record set to ensure that as data is more broadly used, it is used and interpreted in the right context. So that we’re all singing from the same sheet of music, in so many words,” Fernandes says.

One way to do this is to create a matrix where all these DRS documents live—what the names of the documents are, and retention and disposition limits. Catholic Health Initiatives’ Richter says it’s not unheard of to get a records request and to have to go to four or five different EHRs or systems to retrieve all the requested data. Having a matrix that can serve as a table of contents to where records live can be a key to unlocking the data siloes, Richter says.

Pending Regulations and the Designated Record Set

The HHS Office of the National Coordinator (ONC)’s much-anticipated information blocking rule, which was required by the 21st Century Cures Act, has drawn concern from AHIMA and other health IT stakeholders due to its lack of clarity and predictability around the definition of “electronic health information” (EHI) as currently proposed.

In comments submitted by AHIMA to ONC, AHIMA stated that “… EHI as currently defined adds an additional layer of complexity in complying with existing definitions in current law, including individually identifiable health information (IIHI), protected health information (PHI), and electronic protected health information (ePHI) as well as state laws that define medical information.”

Lauren Riplinger, JD, vice president of policy and government affairs for AHIMA, says that the new EHI definition dramatically expands the scope of what providers could need to include as part of their DRS.

“Here’s the problem with the DRS. Institutions themselves define what is and what is not considered part of DRS,” Riplinger says. “When you have institutions defining it on an individual basis, that creates variability in terms of patient expectation of what should be there when they request their records. And so as part of our comments, we said, not only should you constrain it [the EHI definition] to the US Core Data Set for Interoperability (USCDI), but create a crosswalk from EHI to the DRS.”

AHIMA is saying, essentially, that the information blocking rule’s definition of EHI is somewhat in conflict with how HIPAA currently defines what a patient has access to.

“It affects it in the sense of the definition of EHI as it currently stands. I think that’s where the challenge is going to be. Are HIM professionals going to be so focused on compliance with DRS that they don’t send everything to the patient [required under the EHI definition]? If we assume that DRS is smaller than EHI and I’m an HIM professional, [what if] someone comes in and requests their record? I do what’s legally required by HIPAA and send them what they requested. Then that patient could go to ONC and say, ‘They didn’t provide me with everything that’s my legal health information—ONC, you need to investigate [instances of information blocking].’ That creates a crazy enforcement challenge, right?” Riplinger says.

The good news for providers is that the regulatory process will take a couple months since ONC will need to consider thousands of comments from AHIMA and other organizations that were unhappy with the rule as it was written. In the meantime, AHIMA is working with the American Medical Informatics Association to encourage policymakers to create a universal definition of a designated record set so there’s predictability for providers, systems, and vendors about what elements should be included.

Legal Health Record Revisited

As the term itself suggests, the LHR’s job is to serve as a healthcare organization’s business and legal record, and as noted previously, document the services provided as legal testimony regarding the patient’s illness or injury, response to treatment, and caregiver decisions. Several of the organizations queried for this article define their own LHRs based on AHIMA Practice Briefs and guidance on the topic, including DeMasters.

“I think there needs to be a basic definition so there is an understanding of the DRS versus the legal health record and examples of each—I would refer to AHIMA documents [including Practice Briefs],” DeMasters says. “To write a policy to capture all things pertaining to the legal health record is daunting.”

It is also crucial.

At MRO, a release-of-information vendor, Bowen works closely with providers to make sure they know the difference between the DRS and the LHR because of the massive file size and volume of data that must be released.

“I’m just surprised at the number of facilities who don’t understand the difference between what the DRS should be and contain—some simply say they [DRS and LHR] are one and the same—and they are not one and the same,” Bowen says.

She adds that the only time information should be released from the DRS is if it’s to the patient or a patient-directed request. For any other general ROI purpose, it’s going to come from the LHR, in Bowen’s view. If an organization decides that everything in a patient’s EHR is part of the LHR, they may have to release a radiology image to a patient who doesn’t know how to read an X-ray or an MRI image.

If a facility’s LHR policy has too much overlap with the DRS, they may be stuck releasing all sorts of images the average patient is unable to interpret.


  1. AHIMA. “Fundamentals of the Legal Health Record and Designated Record Set.” Journal of AHIMA 82, no.2 (February 2011): expanded online version.

Mary Butler ( is associate editor at the Journal of AHIMA.

Article citation:
Butler, Mary. "In Search of EHR's Designated Record Set" Journal of AHIMA 90, no.8 (August 2019): 12-15.