Cures Act

It is the policy of XRHealth to maintain and define a HIPAA designated record set. In accordance with applicable law, XRHealth permits patients to have access (inspection or copies) of their protected health information as defined under HIPAA.  However, this applies only to information that is stored in designated record sets.  Designated record sets are records that contain Protected Health Information (“PHI”) and that are used to make decisions about patients or other HIPAA subject individuals.  This policy describes the designated record sets maintained in both electronic and non-electronic formats.

The designated record set at XRHealth that is maintained electronically shall be considered the Electronic Health Information for purposes of providing access and not engaging in information blocking as defined in the 21st Century CURES Act. 


This policy applies to all XRHealth workforce members including, but not limited to full-time employees, part-time employees, trainees, volunteers, contractors, and temporary workers who provide access to PHI.



Actions To Be Taken to Develop Designated Record Sets

  1. The Privacy and Security Officials are responsible for defining the Designated Record Set.
  2. HIPAA Designated Record Sets are based on the following HIPAA Privacy Rule definition:

A group of records maintained by or for a covered entity that is:

I. The medical records and billing records about individuals maintained by or for a covered health care provider;
II. The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
III. Used, in whole or in part, by or for the covered entity to make decisions about individuals.

For purposes of the above, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

I. The procedure for defining the Designated Record Set shall include analysis of PHI inventories and other data classification and asset inventories.

II. These inventories will be evaluated to establish electronic and paper PHI classes.

III. Inventories will be reviewed to include PHI created, stored, maintained, or transmitted by Business Associates.

IV. The resulting inventory will be analyzed to classify by billing (revenue cycle), clinical, or other categories and data classification/PHI inventories stored internally or by a BA.

  1. The classified inventories will be further categorized into representative Designated Record Sets. The decision process can consider duplicative PHI data elements, as well as workflows that may make it difficult to provide access, and determine these will not be for example:

    I. A remittance advice that is duplicative of a payment advice the patient receives from their health insurance carrier.
    II. Designated Record Set definitions will be reviewed and updated annually, or whenever new PHI systems are implemented, or existing systems changed or terminated.


  1. HIPAA: 45 CFR §165.501, 164.530, 170.401-402, 171


Inventory List Designated Record Sets


Designated Record Set Examples
Electronic Health Record (EHR): paper records, and superbills.
  • Progress notes
  • History and physicals, review of systems, allergies
  • Medication and diagnostic results
  • Records from other providers
  • All other data part of the US Core Data for Interoperability or a Continuity of Card Document
Billing Records
  • Patient accounting ledgers showing charges, payments, and adjustment transactions
  • Excluding EOB’s, remittance advices
Other Records Used to Make Decisions About the Individual
  • Copies of reports generated by other providers and used to make decisions about the individual, even when such records are kept in a separate file location or file folder.
  • Patient E-mail communications that include PHI that an organization stores online and hasn’t printed out in its otherwise paper-based health record.

Outside the Designated Record Set

Health Information generated, collected, or Maintained for Purposes That Do Not Include
Decision Making About the Individual

§ Internal chat messages

§ Sign in sheets

§ Data collected and maintained for peer review and/or risk management purposes.

§ Data collected and maintained for performance improvement purposes.

§ HIPAA breach investigation and compliance issue documentation.

§ Appointment schedules.

§ Birth and death registers.

§ Surgery registers.

§ Diagnostic or operative indexes or reports.

§ Duplicate copies of information that can also be located in the individual’s medical or billing record.

§ Data collected and maintained for research.

Psychotherapy Notes The notes of a mental health professional about counseling sessions that are maintained separate and apart from the regular health record.
Information Compiled in Reasonable Anticipation of or For Use in a Civil, Criminal, or
Administrative Action or Proceeding
Notes taken by a covered entity during a meeting with the covered entity’s attorney about a pending lawsuit
Employer Records of employees who are also patients

§   Pre-employment physicals maintained in human resource files.

§   The results of HIV, or other infectious disease testing or drug tests on employee patients injured or exposed at work

Miscellaneous Records

§  Adoption Records

§  Guardianship Papers

Quality Improvement/Peer Review Records §  Medical Staff Case Reviews
Registry Information

§  Birth Registers

§  Death Registers

§  Cancer Registers

Research Records §  Records Maintained for Research Purposes
Risk Management Records §  Incident/Variance Reports
Schedules §  Appointment Schedules
Revenue cycle- EOB’s, remittance advices, health plan correspondence §  Eligibility and benefits data from a health plan portal or by correspondence
Working Records – Only if the Information is Available Elsewhere in the Medical/Healthcare Record and/or Billing Record of the Individual (e.g., Summarized in Notes or Reports).

§  Raw test data

§  Audiotapes

§  Videos/photographs used for educational purposes.

§  Coding/UR worksheets

§  Billing/Accounts Payable staff working notes regarding claim status, patient conversations, claim reviews, etc.