Follow Ciitizen and Deven on Medium

The Voice of Ciitizens is getting an upgrade, as we look to make an even bigger impact on patients getting and controlling their health data.   We’re joining thousands of brilliant writers on Medium with our new Medium page written by our Chief Regulatory Officer, Deven McGraw. 

This page will include all of the posts that you will find on our Medium page - plus Deven’s speaking calendar and more, but to continue to receive updates, please follow us on Medium.

As the former Deputy Director for Health Information Privacy at the Office for Civil Rights of the U.S. Department of Health and Human Services, Deven was responsible for enforcing HIPAA and issuing guidance on how to comply with its rules. Deven spent more than two years with the U.S. government working on behalf of patients regarding their rights to their health information. 

Now, as the Chief Regulatory Officer at Ciitizen, Deven is dedicated to furthering that mission.  

Deven’s Medium page will continue to dive deep into the landscape of patients’ access to medical records, including how providers handle the HIPAA Right of Access - and she will make sure patients know their health information rights.  Deven’s role at Ciitizen includes reducing the friction patients experience in getting their records - and she’ll be keeping you updated on all her work on her Medium page. Please go here to stay connected. 

As Marshall McLuhan famously stated, “the medium is the message.” 

Well, the content of this new Medium page will certainly be our message, our passion and our mission. 

Our goal is to help providers take the pain out of accessing records so that patients can take care of their medical needs.

-The Ciitizen team

The Value of Health Data – Clinical Trials

Last year, when we first began helping cancer patients collect their medical records, I had a conversation with the wife of a cancer patient to gauge her interest in having her husband’s cancer records. He was just getting ready to begin chemotherapy for liver cancer, and she was coordinating his care. I asked if she was interested in having us help gather his medical records.

Her initial reaction was lukewarm. He was getting care “at the good local hospital” where he had been diagnosed, and where they had both received care in the past, she said. This hospital’s electronic medical records system had a portal where she could view relevant parts of her husband’s medical records, she told me; and why would they need to have all of his information anyway?

But, when the chemotherapy regimen was not as effective as they had hoped, she realized how valuable it would be to have her husband’s records at her fingertips, where she could quickly and easily share them to explore more options – to potentially find a treatment that was more effective or at least less toxic, or to determine eligibility for a clinical trial testing a novel treatment.

Our next several blog posts are going to explore the value to patients (and their caregivers) of having your health information available when you need it. And one potential value to a cancer patient of having your medical information is to help identify clinical trials for which you may be eligible.

Recently in Medium, my friend Martin Naley published a great three-part post on cancer clinical trials. Martin is working with the Biden Cancer Initiative, leading their effort to double clinical trial enrollment nationally. As he poignantly explains in the first post, cancer clinical trials are “in crisis”:

  • While 25% of patients could qualify for clinical trials, less than 5% of adult cancer patients actually participate.  There is room to enroll over 250,000 additional patients into trials…. 80% of cancer clinical trials do not meet their enrollment timelines, and this slows the broad introduction of new treatments to all cancer patients.  

Martin lays out, in detail, some of the reasons why the rate of enrollment in cancer clinical trials is so abysmal. Among the problems are that publicly available information about clinical trials is hard to find and sift through, and even once you find a clinical trial that appears to be a match, the criteria for inclusion or exclusion are inaccurate or incomplete. Further, trials testing the most innovative treatments often are not available outside of elite academic medical centers. To change this dynamic, the Biden Cancer Initiative is seeking collaborators to “create, validate, and deploy new strategies for patient enrollment in cancer clinical trials.”

Count us in.

Assuring that cancer patients have their complete, organized cancer medical histories at their fingertips will not fix all of the problems with cancer clinical trials. But having your data at the ready is an essential first step to finding a trial that could extend or even save your life.

-Deven McGraw

Re: How Many Calls to Get to the Center?

And the answer is …… 329!  

For just 95 records requests it took 329 calls to get to someone who would agree to send the records the patients were requesting.  And 128 of these calls were escalations to privacy officers.

If you think that this was because we were dealing with very small doctors’ offices or medical centers in remote areas, think again. In fact, of the 27 institutions to whom record requests were sent, only four were small physician offices, and none were in remote areas.

As Deven pointed out in her 4/9 post, this averages out to nearly four phone calls per request. Who has time for that? Er…. no one! And most definitely not a patient struggling with a serious health issue. And so to the question that I know is on all your lips: why does it take so much effort?

Here’s one answer: a large number of HIM departments are simply not up to speed with regard to HIPAA. When I call a HIM department and ask simple, straightforward questions such as:

  • “Can I fax this patient access request over?” or…

  • “Can you release records electronically?” or…

  • “How much, if anything, will you charge for this?”

I cannot even count how many times I am told, “I don’t know.”

Really? There are only a handful of legally accurate answers to the same questions that get asked over and over again.

At the risk of sounding like a broken record, a patient has the right to request their full medical record set be sent to anyone, anywhere, at any time, and for any reason, without having to spend an unreasonable amount of time, or  money, to make this happen. Without the need for intervention.

Not wishing to do myself out of a job, it really is as simple as that.  

So how do we get there? Well, that’s the much harder part.

  • We get there by escalating records retrieval issues to the highest possible level, most often Chief Privacy Officers or Chief Compliance Officers, making sure they are aware that their HIM Department employees (or contractors) need a HIPAA refresher.

  • We get there by advocating for patients to ensure they get what they are entitled to.

  • We get there by educating patients nationwide so that they know their rights.

  • We get there by campaigning for what is right, what is lawful, and what is fair.  

It is time to fix what is broken. All we need is for every HIM department out there to be both familiar and compliant with HIPAA in order for that to happen. That’s not unreasonable, is it?

-Lisa Taylor

How Many Phone Calls to Get to the Center of the HIM Department?


Under the HIPAA Privacy Rule, covered entities – including hospitals, doctors, and health plans – must have processes in place to assure that individuals can exercise their rights, including the HIPAA Right of Access.  We first blogged about this obligation back on February 12th.

When we first started sending patient requests for their records, we painstakingly looked up the process for each institution and medical practice, followed their instructions to the letter, and set ourselves a reminder for when the request was close to approaching the 30 day deadline.

We learned a lot that first month.  

As we got closer to the deadline, we decided to check on these requests – and found that in a number of cases, the entities claimed they had never received it (even though we had faxed, e-mailed or even mailed it per their instructions). So we decided that with our next batch of requests, we would follow up within 24 hours of sending the request to make sure it was received and was in process. (Of note – there were some Ciitizen employee requests in our first batch – and we did not follow up on these, and as a result, most of them were never fulfilled.)

Making these calls improved our response rate – but also introduced us to Medical Records (or Health Information Management (HIM) Department) phone call hell.  Getting someone to answer the phone – or return a call – is frequently a challenge. And when you get someone on the phone, too often they lack knowledge of what HIPAA requires, telling us the patient needs to come in person, or cannot have records e-mailed, or must first pay a per-page fee even for digital copies. So more phone calls are required in order to get someone on the phone (usually the privacy officer) who actually knows the HIPAA Right of Access and will assure the request is processed.  

On average, it takes 3-4 phone calls to get a single medical records request filled in compliance with HIPAA.   

We devote resources to getting these requests fulfilled, even if it means multiple phone calls. But most individuals have neither the knowledge nor the time to engage in these battles. Recently the head of HIPAA – Office for Civil Rights (OCR) Director Roger Severino – talked about his efforts to get copies of his records in compliance with HIPAA, and he gave up after the process proved too time consuming.

Director Severino then announced he would be focusing on greater enforcement of the Right of Access.

How many phone calls does it take to reach the center of the HIM Department? The answer should be: none.  

-Deven McGraw

Knowledge of Your HIPAA Rights is Power

I sincerely hope that everyone on this planet has read and imbibed Deven’s post Empowering Patients: Know your rights!

Her valuable HIPAA lesson will help you fully understand your rights as a patient to better navigate the roadblocks that often stand between you and your health data. Even with this information the road is often difficult, but that shouldn’t come as any great surprise to anyone who has been following our posts for some months now.

Because of the difficulties patients often face when requesting their records, some patients will seek help from others. As an example, Ciitizen is the designated third-party of choice for a number of cancer patients looking to collect, organize, and share their health information in an easy to use format. By law, any HIPAA-covered entity has the right to reach out directly to any of these patients in order to verify the validity of that third-party request. Yet, even with our understanding of patients’ rights under HIPAA, we still face hurdles on a daily basis.

Despite our knowledge and experience, we have stood helplessly by as medical institutions have ignored patient requests and questioned our validity as a third party recipient. Instead, they send stacks of paper records directly to the patients themselves (or worse, require a fatigued cancer patient to physically drive to the records department to pick them up in person), claiming that personal health information can only be shared with the patient directly.

Shocked? Well don’t be.

It’s easy to underestimate just how compelling and convincing a story you may hear from a medical records representative as to why your records cannot be sent to a third party (or why they may not be sent electronically, or why you may be required, by law, to show up in person to retrieve your records!) Trust us: we’ve seen it happen time and again. And let us not forget that patients who are dealing with a major health diagnosis simply don’t have the time, energy or inclination to spare on arguing with records department staff.

Sometimes it’s because our patients are simply too nice. “She just seemed a little irritated that I didn’t understand that they would be sending the records to my home address and not uploading them. I didn’t want to argue, as I’m definitely not the type of person to get anyone in trouble,” stated one of our current patient users after her encounter with a records official.

Knowledge is power, however; and having the power to navigate these records department interactions with confidence, clarity, and certainty is what we want for all patients requesting their records, including when they want them sent directly to a designated third-party of choice. It’s vital that you know your HIPAA rights to ensure that you get your records in the form and format you requested, within a legal timeframe, and with as little effort as humanly possible.

That’s the mission. That’s the goal. And at Ciitizen we are here to support you EVERY step of the way.

-Lisa Taylor

Empowering Patients: Know Your Rights

At Ciitizen, we’re here to make sure you know your HIPAA rights regarding your health information. If you’ve ever tried to get a copy of your health records, you’ve probably hit a lot of roadblocks. Myths about HIPAA and your right to get your health information are rampant.

Here are the facts:

  • You have the right to all the health information generated as part of a visit to the doctor or a stay in the hospital.

    • For example, you have the right to copies of your lab tests. You have the right to the results and underlying data from your genome sequence. You have a right to your x-rays, CT scans, and MRIs, too.

  • You have the right to it within 30 days (in most circumstances), in the format you want it (so long as the entity can produce it that way). If you want that information digitally, you have the right to have it digitally.

  • You have the right to a copy of all your health information for no more than the reasonable cost of making that copy. For copies delivered electronically, the allowable costs may be zero.

  • You have the right to have that information emailed to you if that’s most convenient. The institution at hand may have some security concerns, but if they provide you with a light warning of that risk and you agree to it, it’s your right to have it emailed.

    • If you do have concerns about using your secure email, then you have the right to get that information in a secure way.

  • Every bit of medical information that is generated about you is your right. It’s also your right to request a correction to it. Information that is incomplete may also be wrong, so you have the right to request additional information be added if you think there’s something missing.

  • You have the right to have any institution send your health data to any third party that you want. If you want that info sent to another physician, that is your right. If you want it sent to your spouse, that’s your right. You have the right to decide.

Your complete health information is yours by right. At Ciitizen, we want to help you get the most out of it. When you can easily collect, organize, and securely share your health data, you have more options as a patient.

For additional detail on your rights, you may also visit:

-Deven McGraw

Family History is Key in Cancer, Yet Still Patients Wait

This week Deven talked about the difficulties people face when seeking access to a family member’s medical records, and it struck a nerve with me. In my blog post from November 13, 2018, I talked about my mother’s positive BRCA test result. This sequel involves sharing that test result with family members so they could determine what their next steps should be.

BRCA, as we soon learned, comes in two forms: BRCA 1 and 2. Eligibility for genetic testing of additional family members (or at least to have it paid for by health insurance) is predicated on which type of BRCA mutation was found in the initial positive test. So we all needed a copy of my mother’s results.

My mother requested that her test results be shared with family members. A flurry of urgent calls, texts, and emails ensued. We wanted to know where records of her requested test results would ultimately be shared. Days passed, and then another week, but still no date was given. My mum had received her first cancer diagnosis on her 50th birthday, and I was filled with dread, as my 50th birthday was just around the corner. The clock was ticking daily, and yet we seemed to be no closer to actually getting the records.

“Why is this so hard?” I kept hearing from my sister. “Don’t they have a fax or email? Have they heard of Fed-Ex? What on earth is going on?” Good question! And not one that was easily answered.

According to the hospital holding the records (a major New York based cancer specialist), it was “a HIPAA violation” for my mother to request that her BRCA diagnosis records be sent to each of her family members. Really? Actually, it’s a HIPAA violation NOT to send records to anyone the patient requests.

We began to investigate the situation. Multiple escalations via all forms of communication known to man ensued. Bosses and bosses’ bosses were asked to intervene. Weeks passed by and finally - two and a half months later - approval was given for my mum to designate where the records needed to go. Our very own Mount Everest scaled!

So just how isolated an incident was this? Well, after spending the last 6 months retrieving records for Ciitizen users and speaking to over 2000 HIM departments at major hospitals and medical centers across the United States to better understand their medical records release processes, I can categorically say: not isolated at all!

If I had a dime for every time I have heard medical records staff say they are so sorry, but that a patient really must come in person to retrieve medical records; or a dime for every time I have been told by staff that they will not even release basic information about the process for obtaining records like the fax number for an access request form to be sent to, this blog would have been written aboard my yacht in the Mediterranean, with an invitation for all to join!

And so the battle rages on within this archaic, outdated, frustrating, and ineffective system. But patients everywhere can sleep a little easier tonight knowing that Ciitizen is dedicated to transforming the industry by demanding what is right, what is legal, and by accepting no less than any patient, anywhere, deserves.

-Lisa Taylor, Health Records Retrieval Representative for Ciitizen

Asking For A Friend

Can a patient have someone else obtain their records?

I often get asked whether a close friend or family member can ask for another individual’s medical records. The very sick often have little energy to devote to obtaining their records, a time and energy-consuming process, so friends and family members frequently act as caregivers, and they are eager to assist in any way that they can. Sometimes that help involves managing important health data on behalf of the patient.

Under the HIPAA Right of Individual Access, health care providers and health plans covered by HIPAA are required to respond when copies of health information are requested by (1) the individual (the subject of the information) and/or (2) the individual’s personal representative.  

Some Limitations

Can an individual just declare that a caregiver (friend or family member) is his or her “personal representative”?

The answer is: no. A personal representative is not just someone named by the patient.  

To qualify as a “personal representative,” you must be authorized by law to make health care decisions on behalf of an individual. (45 CFR 164.502(g).)  An example of a personal representative is someone with a health care power of attorney, a court-appointed legal guardian, or a parent with respect to a minor child (as long as that parent has the legal authority to make medical decisions for the minor). If someone is deceased, the personal representative is a person with legal authority to make any decisions (not just health care decisions) for the person who is deceased or that person’s estate.

If someone only has authority to make certain medical decisions on behalf of an individual (i.e., some but not all medical decisions), then their right as a “personal representative” to request health records under the HIPAA Right of Access is limited to information that is relevant to their decision-making authority.  

In addition, a healthcare provider or health plan can refuse to release records even to someone who is a legitimate “personal representative” if a licensed healthcare professional, exercising professional judgement, determines that providing access to an individual’s personal representative is “reasonably likely to cause substantial harm to the individual or another person” (45 CFR 164.524(a)(3)(iii)). However, the personal representative can appeal this decision (and entities are required to establish appeals processes to review such decisions) (45 CFR 164.524(a)(4)).

How Can Information Get to Caregivers?

Is a caregiver then powerless to help a friend or family member manage his or her health information? No, not entirely. A patient can share his or her health information with anyone they choose. For example, a patient can use his or her HIPAA Right of Access to have health information sent directly to a caregiver. In other words, the patient must make the request, but they don’t have to play middleman in order to route that information directly to a caregiver. In addition, once the patient has their information in an online account—such as in a Ciitizen profile—the patient can grant access to that information to anyone they choose.  

Health care providers under HIPAA, along with health plans, also are permitted by HIPAA to share information with friends and family members who are involved in caring for an individual (or paying for that individual’s care), to the extent the information being shared is relevant to the friend or family member’s involvement (45 CFR 164.510(b)).

How We Help at Ciitizen

At Ciitizen, we make it as easy as possible for our cancer patient users to initiate requests for their medical records - and we do all of the follow-up to make sure those requests are successful.

Once the information is in the Ciitizen profile, patients can easily grant access to caregivers and share it with anyone they choose.  

-Deven McGraw