Navigating the medical system alone can be intimidating, which is part of the reason many cancer patients turn to others for help - such as a close family member, or friend, or a patient advocacy organization. Getting copies of your medical records - even though it is the patient’s right - is also intimidating and time consuming. At Ciitizen, we help relieve cancer patients of this burden by doing the work of obtaining copies of their medical records and organizing it into a profile for the patient’s use. In this role, we are their medical record advocates. We make sure that the patient’s record requests get sent to the right providers, and we follow up to make sure those requests get fulfilled - which includes the records being sent directly to Ciitizen, per the patient’s specific request, so they can be populated in the patient’s Ciitizen profile.
As Deven stated in Tuesday’s blog: per HIPAA, patients can request that hospitals send their medical records to whomever they wish, such as an advocacy group or any other designated third party. Unfortunately, all too often, we see various hospital providers and labs either unaware or unwilling to acknowledge this right.
Let’s use a recent request we sent to a medical center on the west coast as an example. We spoke to the Health Information Management representative on three separate occasions, explaining that we work on behalf of cancer patients to help them obtain their records, and we sent them the patient’s request, with the patient’s signature, designating that the records were to be sent to Ciitizen. The institution simply would not agree to send the records, citing “privacy issues.” We escalated the matter to the hospital’s privacy officer, who proceeded to ignore all of our phone calls, as did the hospital’s director. We then called the head of legal matters, who decided to bypass us and contact the patient directly, telling her “they were uncomfortable sending an email to a third party and that law required them to mail out paper copies to the patient only.” However, as we’ve already made clear in Tuesday’s blog, this is absolutely untrue.
This hospital, all the way to the CEO, either did not understand the HIPAA regulations or simply did not want to comply. Either way, their lack of compliance both disturbed the patient and went against her request to have her records sent to the third party of her choice (and on top of that they sent her paper records after we had requested them digitally). Sometimes even with the help of an advocacy group, patients cannot have their needs met by the medical system, so can you imagine having to do all this alone?
At another prominent lab, a patient recently made a request that her medical records be sent to Ciitizen. We started by emailing the request, but apparently record requests could not be made via email. We then faxed the request, only to be told “the request asked for unencrypted email [which patient’s can choose, as a matter of convenience] and my legal counsel will only allow unencrypted emails to the patient only.” As Deven also explained, the right of the patient to have copies sent directly to a third party must be honored in the same way as if the patient had asked for the records to be sent directly to her. The failure of this institution to honor the patient’s request in this case - to send the records by unencrypted e-mail directly to Ciitizen - is out of compliance with the HIPAA Privacy Rule.
When a request is signed by a patient and directs that records be sent directly to a third party designee like Ciitizen, these are requests that, pursuant to the HIPAA regulations, must be honored. Cancer patients turn to advocacy organizations like Ciitizen to help them navigate the medical system and get the best possible care. Institutions who make the process more difficult for us need to realize that they are placing obstacles in the path of the patients who have come to us for help.