Defining Record Sets

Download the RRS



Defining and Disclosing the Designated Record Set and the Legal Health Record

Defining and Disclosing the Designated Record Set and the Legal Health Record

For years, healthcare organizations have been struggling to define their legal health record and marry it with the HIPAA privacy requirement for a designated record set. Questions often arise about the differences between the two sets because both identify a set of information that must be disclosed upon request.


To further complicate the issue, the scope of health records is expanding and records are increasingly being maintained in multimedia formats. An individual’s record can consist of a facility’s record, outpatient diagnostic test results or therapies, pharmacy records, physician records, other care providers’ records, and the patient’s own personal health record. Administrative and financial documents and data are intermingled with clinical data. Source records such as diagnostic images, video, voice files, and e-mail may be included as well.


Additionally, there is now extensive metadata linked to electronic records. A provider must clearly define the specific documents and data elements that make up the subset of information included in the content of its legal health record.1

This practice brief identifies the purposes of the designated record set and the legal health record for healthcare organizations and provides guidelines for disclosing health records from each set.

What Record Goes Where

The legal health record serves to identify what information constitutes the official business record of an organization for evidentiary purposes. It is typically used when responding to formal requests for information for legal and legally permissible purposes.2

The designated record set, on the other hand, is used to clarify the access and amendment rights by individuals under the HIPAA standards. These standards provide that individuals have the right to inspect and obtain a copy and request amendment of medical and billing information used to make decisions about their care. The differences between the two sets of information are outlined in the table below.



Categorizing record types can assist in understanding the similarities and differences and help organizations develop policies for each. Some record types are found in both the designated record set and the legal health record, while others are specific to the designated record set. The table below provides examples of different types of records and shows the similarities and differences between the two sets of information.



External Records and Reports

The decision of which category external records and reports fall into is dependent upon:

  • The applicability of HIPAA privacy rules

  • The applicability of state law or regulation

  • The source of the request

  • The type of request


If external records and reports are used to make decisions about an individual, they become part of the designated record set. If those decisions are care decisions, in most cases those same records and reports will also be included in the provider’s legal health record, especially if they are created pursuant to a contract.


Examples of these “dual nature” record types include reports generated by a contracted service that are used by a hospital or physician practice, such as a reference lab or outsourced radiology services, and records generated by other providers that are used for planning patient care, such as records received in an Emergency Medical Treatment and Active Labor Act transfer between hospitals.


Personal Health Records

Personal health records (PHRs) provided by the individual and used to make healthcare decisions become part of the designated record set; however, they are not part of an organization’s official business records and so are not part of the legal health record.

An issue may arise when unsolicited copies of paper or electronic PHRs are provided and it becomes difficult to determine if they were used to make decisions about the individual. Organizations should develop policies and procedures to address the disposition of unsolicited PHRs.



Determining Source for Disclosures

The designated record set is the set of information from which disclosures to an individual will be drawn because it is usually broader than the legal health record. Uses of the information for business and legal purposes are usually, but not always, drawn from the legal health record. The most notable exceptions are those disclosures made for purposes of discovery or e-discovery in which any information requested under the court order must be provided.

Several states have laws or regulations that spell out the requirements and conditions under which health information from another healthcare organization or provider must be redisclosed. In the absence of more stringent state law, HIPAA privacy rules prevail. However, because any medical or billing information that was used to make decisions about the individual is included as part of the designated record set under HIPAA privacy rules, information must be disclosed or redisclosed if requested by the individual to whom it pertains, regardless of whether the information is external or internal.


Legal Requests

If the source of the request is a subpoena or court order, the terms of the subpoena or order dictate what information must be disclosed. External records and reports in the organization’s possession, regardless of whether they are part of the legal health record, must be disclosed if they are within the scope of the subpoena or court order.

However, the party in possession of external information ordinarily cannot attest to how those records originally were created. It is important to establish this when the court requests how the information was obtained. A possible exception to this may be the incorporation of external information (such as the reference laboratory result mentioned above) into the record of care that most likely would result in that record being “made and kept in the ordinary course of business” in accordance with the business record exception to the hearsay rule.

There is a school of thought that these external records cannot and should not become part of the legal health record because of the inability to attest to how they were originally created. To include them as part of the legal health record may result in implied liability for any inaccuracies the external records contain. An opposing view is that if the external records were relied upon to make care decisions they should be included as part of the legal record.

However, including external records as part of the designated record set and making them available in all appropriate disclosures, including disclosures in response to a subpoena, may accomplish the same purpose. The organization’s legal counsel should be consulted prior to determining policy regarding the inclusion of external records as part of the legal health record.

Ultimately, the admissibility of the requested information in court is not the concern of the party producing the information. Compliance with the terms of the subpoena or order is required.


Nonlegal Third-Party Requests

If the source of the request is a third party (not the individual and not a court of law) and there are no applicable state laws or regulations, redisclosure of external records and reports should be determined by organizational policy after consulting with legal counsel. The matrix “Which Data Set Determines Redisclosure,” above, outlines whether the designated record set, the legal health record, or state laws and regulations determine rediclosure of the different types of requests.



Healthcare organizations can take some basic steps to help clear up the confusion around the legal health record and the designated record set and the disclosure of information from both:

  • Develop and maintain an inventory of documents and data that comprise the legal health record. Consider whether other types of information that are not document-based are part of the legal health record (e.g., e-mail, electronic fetal monitoring strips, diagnostic images, digital photography, and video).

  • Develop a detailed inventory of items that comprise the designated record set if a policy exists that identifies the general types of information used to make decisions about an individual.

  • Declare the official legal health record and designated record set in organizational policy.

  • Consider the use of records management software that supports the records declaration process and records lifecycle management, particularly for messaging records (such as e-mail or instant messages that are considered part of the legal health record or designated record set).

  • Collaborate with clinicians to develop procedures for identifying external information that has been used in patient care. This may entail somehow marking the information, special delivery provisions, or other methods that help clearly indicate that external information was used. Once identified as such, provisions should be made for including this in the patient’s record, whether paper or electronic. Within the record, consideration should be given to filing or indexing the external information under a separate tab or section of the electronic or paper record developed for this purpose.

  • Promptly return to the patient (if feasible) or dispose of (in accordance with the organization’s destruction procedures) any health information that is not used or not solicited.

  • Consider developing policies and procedures that confine the ability to request health information from external sources and to place such information in the patient’s record to specified staff or personnel.

  • Develop written policies and procedures as well as staff training for clinical users that address the use of external information. HIM staff should also be trained on procedures related to redisclosure of health information.



  1. Servais, Cheryl E. The Legal Health Record. Chicago, IL: AHIMA, 2008.

  2. Ibid.



AHIMA e-HIM Work Group on the Legal Health Record. “Update: Guidelines for Defining the Legal Health Record for Disclosure Purposes.” Journal of AHIMA 76, no. 8 (Sept. 2005): 64A–G.

Hughes, Gwen. “Defining the Designated Record Set.” Journal of AHIMA 74, no. 1 (Jan. 2003): 64A–D.

Jedd, Marcia. “Declaring Records.” eDocMagazine. November/December 2007. Available online at


Prepared by

Michelle Dougherty, MA, RHIA, CHP

Lydia Washington, MS, RHIA, CPHIMS



Jill Callahan Dennis, JD, RHIA

Barry Herrin, JD, FACHE

Keith Olenik, MA, RHIA, CHP

Cheryl Servais, MPH, RHIA


Article citation:
Dougherty, Michelle; Washington, Lydia. "Defining and Disclosing the Designated Record Set and the Legal Health Record." Journal of AHIMA 79, no.4 (April 2008): 65-68.


Copyright ©2008 American Health Information Management Association. All rights reserved. All contents, including images and graphics, on this Web site are copyrighted by AHIMA unless otherwise noted. You must obtain permission to reproduce any information, graphics, or images from this site. You do not need to obtain permission to cite, reference, or briefly quote this material as long as proper citation of the source of the information is made. Please contact Publications at to obtain permission. Please include the title and URL of the content you wish to reprint in your request.