In the proposed rule, we defined designated record set as "a group of records under the control of a covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual and which is used by the covered entity to make decisions about the individual." We defined a "record" as "any item, collection, or grouping of protected health information maintained, collected, used, or disseminated by a covered entity."
In the final rule, we modify the definition of designated record set to specify certain records maintained by or for a covered entity that are always part of a covered entity's designated record sets and to include other records that are used to make decisions about individuals. We do not use the means of retrieval of a record as a defining criteria.
For health plans, designated record sets include, at a minimum, the enrollment, payment, claims adjudication, and case or medical management record systems of the plan. For covered health care providers, designated record sets include, at a minimum, the medical record and billing record about individuals maintained by or for the provider. In addition to these records, designated record sets include any other group of records that are used, in whole or in part, by or for a covered entity to make decisions about individuals. We note that records that otherwise meet the definition of designated record set and which are held by a business associate of the covered entity are part of the covered entity's designated record sets. Although we do not specify particular types of records that are always included in the designated record sets of clearinghouses when they are not acting as business associates, this definition includes a group of records that such a clearinghouse uses, in whole or in part, to make decisions about individuals.
For the most part we retain, with slight modifications, the definition of "record," defining it as any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated.