NRPM: Standards for Privacy of Individually Identifiable Health Information. i. Information available for inspection and copying.

11/03/1999

In § 164.514(a), we are proposing to give the individual a right of access to information that is maintained in a designated record set. We intend to provide a means for individuals to have access to any protected health information that is used to affect their rights and interests. This would include, for example, information that would be used to make health care decisions or information that would be used in determining whether an insurance claim would be paid. Covered plans or providers often incorporate the same protected health information that is used to make these types of decisions into a variety of different data systems. Not all of those data systems will be utilized to make determinations about specific individuals. For example, information systems that are used for quality control analyses are not usually used to make determinations about a specific patient. We would not require access to these other systems.

In order to ensure that individuals have access to the protected health information that is used, we are introducing the concept of a “designated record set.” In using the term “designated record set,” we are drawing on the concept of a “system of records” that is used in the Privacy Act. Under the Privacy Act, federal agencies must provide an individual with access to "information pertaining to him which is contained in [a system of records]." 5 U.S.C. 552a(d)(1). A “system of records” is defined as "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." 5 U.S.C. 552a(a)(5). Under this rule, a “designated record set” would be "a group of any records under the control of any covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." See discussion in section II.B.

Files used to backup a primary data system or the sequential files created to transmit a batch of claims to a clearinghouse are clear examples of data files which do not fall under this definition. We rejected requiring individual access to all records in which she or he was identifiable because of the extreme burden it would place on covered plans or providers without providing additional information or protection for the individual. We also rejected using the subset of such records which were accessed directly by individual identifiers because of the redundancy of information involved and the increasing use of database management systems to replace legacy systems that do sequential processing. These would be accessed by individual identifier but would contain redundant data and be used for routine processing that did not directly affect the individual. We concluded that access to only such record sets that were actually accessed by individual identifier and that were used to make substantive decisions that affect individuals would provide the desired information with a minimum of burden for the covered plans or providers.

We note that the standard would apply to records that are “retrieved” by an identifier and not records that are only “retrievable” by an identifier. In many cases, technology will permit sorting and retrieving by a variety of fields and therefore the “retrievable” standard would be relatively meaningless. We intend to limit access to those sets of records actually used to affect the interests of the individual.

We believe that by providing access to protected health information maintained in a designated record set, we would be ensuring that individuals will be able to inspect or copy relevant and appropriate information without placing too significant of a burden on covered plans or providers. We are soliciting comment on whether limiting access to information maintained in a designated record set is an appropriate standard when applied to covered plans and providers and their business partners.