Unaware or Unwilling to Comply

Navigating the medical system alone can be intimidating, which is part of the reason many cancer patients turn to others for help - a close family member, a friend, or a patient advocacy organization. Getting copies of your medical records - even though it is the patient’s right - is also intimidating and time consuming. At Ciitizen, we help relieve cancer patients of this burden by doing the work of obtaining copies of their medical records and organizing them into a profile for the patient’s use. In this role, we are their medical record advocates. We make sure that the patient’s record requests get sent to the right providers, and we follow up to make sure those requests get fulfilled - which includes the records being sent directly to Ciitizen, per the patient’s specific request, so they can be populated in the patient’s Ciitizen profile.

As Deven stated in Tuesday’s blog: per HIPAA, patients can request that hospitals send their medical records to whomever they wish, such as an advocacy group or any other designated third party. Unfortunately, all too often, we see various hospital providers and labs either unaware or unwilling to acknowledge this right.

Let’s use a recent request we sent to a medical center on the west coast as an example. We spoke to the Health Information Management representative on three separate occasions, explaining that we work on behalf of cancer patients to help them obtain their records, and we sent them the patient’s request, with the patient’s signature, designating that the records were to be sent to Ciitizen. The institution simply would not agree to send the records, citing “privacy issues.” We escalated the matter to the hospital’s privacy officer, who proceeded to ignore all of our phone calls, as did the hospital’s director. We then called the head of legal matters, who decided to bypass us and contact the patient directly, telling her “they were uncomfortable sending an email to a third party and that law required them to mail out paper copies to the patient only.” However, as we’ve already made clear in Tuesday’s blog, this is absolutely untrue.

This hospital, all the way to the CEO, either did not understand the HIPAA regulations or simply did not want to comply. Either way, their lack of compliance both disturbed the patient and went against her request to have her records sent to the third party of her choice (and on top of that they sent her paper records after we had requested them digitally). Sometimes even with the help of an advocacy group, patients cannot have their needs met by the medical system, so can you imagine having to do all this alone?

At another prominent lab, a patient recently made a request that her medical records be sent to Ciitizen. We started by emailing the request, but apparently record requests could not be made via email. We then faxed the request, only to be told “the request asked for unencrypted email [which patients can choose, as a matter of convenience] and my legal counsel will only allow unencrypted emails to the patient only.” As Deven also explained, the right of the patient to have copies sent directly to a third party must be honored in the same way as if the patient had asked for the records to be sent directly to her. The failure of this institution to honor the patient’s request in this case - to send the records by unencrypted e-mail directly to Ciitizen - is out of compliance with the HIPAA Privacy Rule.

When a request is signed by a patient and directs that records be sent directly to a third party designee like Ciitizen, it is a request that, pursuant to the HIPAA regulations, must be honored. Cancer patients turn to advocacy organizations like Ciitizen to help them navigate the medical system and get the best possible care. Institutions that make the process more difficult for us need to realize that they are placing obstacles in the path of the patients who have come to us for help.

Third Party Rights Under HIPAA

The right of individuals to access and receive copies of their “protected health information” (PHI) has existed since the HIPAA Privacy Rule first took effect in 2003. In 2009, Congress improved this right in the Health Information Technology for Economic and Clinical Health Act (HITECH) by allowing individuals to use their right of access to have information from an "electronic health record" sent directly to a third party of their choice. To exercise this right, individuals merely needed to make sure that their choice of third party was “clear, conspicuous, and specific” (Section 13405(e)(1)).

In the final Omnibus Rule, issued in January 2013, HHS used its broad authority under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to expand this right and enable individuals to use their right of access to send PHI from any source (not just from an “electronic health record”) to third party designees. Individuals merely needed to make this request in writing (which could be electronic) and be clear about the destination. Hospitals, physician practices, and health plans were required to honor this designation and provide the PHI under the same terms and conditions as apply to PHI delivered to the individual (e.g., provided within 30 days, at low cost, in the form or format requested by the individual).

Before Congress and HHS established the right of individuals to have information sent directly to third parties, individuals had the right to access their PHI themselves. But to get that information to a third party, such as another doctor or a caregiver, the individual had to act as the intermediary, personally obtaining the information and then sending it along to its destination.

HHS gave entities like hospitals and physician practices until September 2013 (180 days after the rule took effect) to get into compliance with this new rule; thus, for more than five years individuals should have enjoyed the right to have their health information sent directly to the third party of their choice.

Yet, when I was the Deputy Director for Health Information Privacy at the HHS Office for Civil Rights, I heard many stories of individuals who faced obstacles in trying to get their health information from point A to point B and found it difficult to have it shared with a loved one, with another medical provider for treatment, or with an insurance provider in order to get a claim fully paid.

OCR issued comprehensive guidance in 2016 to entities covered by HIPAA to make clearer the right of individuals to “get out of the middle” of routing their health information — to enable them to use the right of access to have information sent to the third party of their choice. OCR also, jointly with the HHS Office of the National Coordinator for Health IT (ONC), issued fact sheets and videos for consumers. The guidance makes clear that:

  • Individuals have the right to use the HIPAA right of access to send information to any third party they want, for any purpose.

  • All of the provisions of HIPAA that apply to the right of access also apply when the individual is asking to have their PHI sent to a designated third party — for example, the right to have information sent in the form or format the individual wants (including the right to get information digitally); the right to have information sent within 30 days in most circumstances; and the right to have that information for a reasonable, cost-based fee (covering only the labor associated with making the requested copy and any necessary supplies).

At Ciitizen, our users seek their health information from all of their medical providers in order to have it aggregated and neatly organized in their Ciitizen profile, allowing them to share it for care coordination, donate it for research purposes, or use it for any other purpose that suits their needs. The individuals request their health information under the right of access and clearly, conspicuously, and specifically designate Ciitizen as the third party to receive those records, in accordance with HIPAA’s rules and guidelines.

In Thursday's blog you will hear more about our experiences in helping our users get their health information as our users’ third party designee.

-Deven McGraw

Stories of Non-Compliance: Fax & Email Requests

We sent a plethora of requests to a massive, well-known hospital chain on the west coast recently, and they responded by sending us this:

***Action Required*** Faxed/Emailed Requests No Longer Accepted - Please Mail Requests With Prepayment.

Let’s just forget for the moment that the email we received was itself password-protected, so we needed a password just to read the notice that our request could not be faxed or emailed, creating yet another obstacle for our patient. As Deven’s blog post on Tuesday stated, per OCR guidance, hospitals cannot force patients to mail in an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus the individual’s access. Hospitals also cannot charge unreasonable fees, yet this particular hospital chain was demanding a prepayment — even though digital copies of digital records warrant a low fee (if any), and how do you know how much you are required to pay before you’ve even submitted a request?

But this is the type of message we see all too often, if we’re lucky enough to receive any message at all.

We recently faxed another request to a provider listed as one of the “top 100 hospitals” in the US, part of a division of a leading hospital management company with 34 hospitals across 10 states. After not hearing anything for three days, we called the office to follow up. The medical records representative’s exact response to our Ciitizen request sheet was:

“You make life so complicated. What the heck? Your form confused the heck out of me. I just put it to the side.”

At Ciitizen, we use nothing more complicated than a standard form to request medical records. The fact that it confused this particular representative is highly unnerving, but even more concerning is that she chose to put it aside rather than follow up on the request (we provide our contact information, of course). She then added that it would take her 15 days just to transfer the request to corporate. When we pushed back that this request was for a cancer patient needing continuity of care, she said:

“Well, I could expedite it. Do you want me to?”

Uh….for God’s sake: YES! We are helping cancer patients in need of treatment here, and fortunately we understand the rights that HIPAA provides them to access their health records. But what about those patients who are putting in requests on their own? Are they supposed to fight a two-front war against the disease on one side, and the hospital’s records department on the other?

Complying with the HIPAA Right of Access Requires HIPAA-Compliant Processes

Covered entities have an obligation under the HIPAA Privacy Rule to provide individuals with the right to access and receive copies of their health information. Last week we covered the scope of this right, which is all information that is part of the “designated record set,” including images and clinician notes.

This week we’re going to talk about covered entities’ obligations to adopt policies and procedures to ensure that individuals can actually exercise this access right. In other words, to both honor this right and handle the influx of requests, covered entities must establish processes to receive and service these requests in ways that are compliant with HIPAA (45 CFR 164.530(i)(1)).

OCR has made clear in guidance that these processes "may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access.”

This is direct from OCR’s guidance on the right of access:

For example, a doctor may not require an individual:

  • Who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person.

  • To use a web portal for requesting access, as not all individuals will have ready access to the portal.

  • To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus the individual’s access.

While a covered entity may not require individuals to use mail, use a portal, or submit requests in person, entities may permit an individual to do so if desired. In general, covered entities are encouraged to offer individuals multiple options for requesting access in order to make it easier on the patient. At a minimum, covered entities must inform individuals that they have a right to access and get a copy of their health information in their Notice of Privacy Practices (which you are likely familiar with, as you should have been provided with a copy on your first visit to a new doctor or hospital, or when you enroll in a new health plan). Unfortunately, this notice only informs you of what your rights are, and typically information about how to exercise those rights is found elsewhere (such as on an institution’s website).

In addition to establishing HIPAA-compliant processes for receiving individual requests, a covered entity must respond to that request in a way that is compliant with the HIPAA Privacy Rule. For example:

  • Individuals can say how they would like to receive the information - such as wanting a digital copy and/or wanting the information to be e-mailed - and this request must be honored as long as the covered entity can “readily produce” the copy in the way the individual wants it. OCR has made clear in the above guidance that “readily producible” means the entity is capable of honoring the request (vs. what the entity would prefer). In short, the covered entity must honor the individual’s request regarding the form and format of the information whenever that form and format is readily producible.

  • Covered entities cannot charge fees greater than a reasonable, cost-based fee for the labor costs associated with making the copy requested by the individual and any supplies necessary to fulfill the individual’s request.

  • Covered entities must send the information to an individual’s designated third party and must do so within 30 days in most circumstances.

Covered entities are also required to train staff on what HIPAA requires, including on the elements of the right of access (45 CFR 164.530(b)). Because the right of access is an individual right under the HIPAA Privacy Rule, OCR has maintained that covered entities are accountable to OCR for ensuring they are in compliance with this right. This means that if a covered entity hires a vendor to service patient access requests on its behalf, the covered entity is liable if that vendor is out of compliance with HIPAA. This helps make certain that everyone involved in the records supply chain is accountable.

All covered entities must also have the capability of obtaining the information requested by an individual that is maintained by a covered entity’s business associate; for example, information held by a provider’s electronic health record vendor or by a storage company that keeps historical records. Thus, there’s no HIPAA loophole for institutions that claim they do not have to provide records that are not onsite.

In a perfect world, these record request processes are easily accessible by consumers, and getting your health data is a simple, pain-free process. However, we’ve found that in our experience requesting records on behalf of our Ciitizen users, the reality in most cases is far from ideal.

See our blog post on Thursday for more examples of noncompliance.  

-Deven McGraw

Imaging Included

As Deven stated this past Tuesday, the “designated record set”—the data that we as patients have a right to—is an often misunderstood aspect of our rights under HIPAA. As an example, many patients don’t realize they have a right to copies of all of their imaging—every x-ray, CT scan, MRI, and even the photos from your colonoscopy!

Today we want to talk about our efforts at Ciitizen to obtain copies of images for our users.

When we first started asking for medical records on behalf of patients, we relied on hospital websites for guidelines on how to submit those requests. With each request we specifically stated that we were seeking images as part of the “designated record set.” Early on, we gave each institution the benefit of the doubt and waited to follow up until we were close to the HIPAA 30-day deadline. (Of note: we have since learned that follow-up within 48 hours is necessary to avoid the request going into a black, bureaucratic hole.)

When we did call to check on these early requests, it surprised us to learn that, for many institutions, a separate imaging request had to be specifically submitted to the hospital’s radiology department. Needless to say, this tidbit of information was not included as part of the website page of instructions on how patients should submit their requests; we actually learned this information when we called to check on the request. One institution even told us (confidentially, we presume!) that, when they received requests for radiology images, they ignored that aspect of the request, as the health information management (HIM) department was not authorized to release images to patients.

As we know, however, imaging is indeed part of the “designated record set.” Yet, when we call radiology departments to determine their processes for getting x-rays to patients (or their designees), we too often hear that the radiology department will not release images to patients—only to other medical professionals. In fact, roughly one out of every ten institutions we’ve queried seems to think imaging is not included under the HIPAA right of access.

First, if an institution wants radiology requests going directly to the radiology department, this needs to be communicated to patients up front. Secondly, the institution is still obligated under HIPAA to provide this information to patients, so if the radiology department isn’t properly trained on the HIPAA right of access (which seems to be the case at least 10% of the time), that’s a serious non-compliance issue.

In one particular instance, we sent a request to a community hospital for a “designated record set,” including images, on behalf of a cancer patient and had to follow up when we did not receive the information by the 30-day deadline. (Our request also had to be sent by mail — no other communication method was permitted — but we’ll take on that issue in a future blog post.)

Our request clearly indicated that the patient wanted designated record set information to be sent to Ciitizen by email (with acknowledgements of the security risks of unsecure email, as required by HIPAA), and that the institution could mail a CD with images if they were too large to be e-mailed. Nevertheless, we received a CD by mail of medical records over a month and a half later—accompanied by a letter indicating that the radiology images needed to be requested directly from the radiology department. We had already had phone conversations with the community hospital’s HIM department when the records were in danger of being post-30 days, and at no point did the HIM staff tell us we needed to send a separate request to radiology. Not until we received the letter well past the compliance deadline did we learn of this necessity.

As a result of this all-too-frequent scenario, we now call all facilities ahead of time to find out directly from hospital administrative staff about the specific processes for filing requests, including for images, and we hear from far too many radiology departments that images “cannot” be released to patients as they are not part of the “designated record set” (yet, we know from Deven’s blog post this is incorrect!).

It is not unusual for us to hear different policies regarding the release of radiology images (will they or won’t they release to patients) from different locations of the same hospital system. That some large hospital systems don’t standardize their policies isn’t necessarily shocking, but the fact that they’re non-compliant with HIPAA is entirely unacceptable.

The Designated Record Set

The right of individuals to access their health information under HIPAA is one of the most frequently misunderstood provisions of the HIPAA Privacy Rule. Patients frequently underestimate this right and think they cannot access or receive copies of some or all of the information in their records. Why? Because the information they are provided about the right of access, from the very entities required to comply with this right, is often inaccurate.

One purpose of the #myhealthmydata campaign is to gather and share our stories - as well as stories from patients and their caregivers -  of the effort it takes to collect one’s health information using the HIPAA right of access. But we also want to educate patients - and the public - about  HIPAA’s requirements, so that the next time you ask for copies of your health information (which we encourage you to do), you’ll know when not to take “no” for an answer.  

This week’s lesson is about the “designated record set.”  

One common way that health care entities push back on patients requesting their records is to claim that certain categories of information “cannot be shared” with patients. Images - such as x-rays and MRIs - are often denied to patients, and progress notes from physicians or other medical professionals - often a rich source of information about a patient’s diagnosis and treatment - are another category of information some providers are reluctant to share directly with patients.

Under the HIPAA Privacy Rule, patients have the right to access and obtain copies of all of their identifiable health information (called protected health information or PHI) that is part of a “designated record set” (45 CFR 164.524(a)(1)). The definition of that term makes clear that the “designated record set” is more than just what an entity decides is part of a patient’s “medical record.” It is all records held by a health care provider or health plan that are:

(i) The medical records and billing records about individuals maintained by or for a covered health care provider;

(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals. (45 CFR 164.501)

Psychotherapy notes that are kept separate from other information in a patient’s record are excluded from the patient’s right of access, but this exception is limited to psychotherapy notes, which are notes recorded by a mental health professional as part of a psychotherapy session. This exception does not extend to notes from other professionals. (Information compiled for the purpose of a civil, criminal or administrative action or proceeding is also excepted from this right.) But the breadth of this definition - and the fact that there are only a couple of narrow exceptions - means patients are entitled to most health information that is generated about them and held by a health care provider or a health plan.

The agency that enforces HIPAA - the HHS Office for Civil Rights (OCR) - has made clear in guidance that the “designated record set” includes x-rays and other images, and also includes provider notes. OCR’s guidance could not be more clear that patients have a right to receive copies of their x-rays. OCR does note that image files can be quite large, so often there needs to be some negotiation between the provider and the patient (or a vendor or service like Ciitizen working on the patient’s behalf) about how best to convey the copy of the image to the patient, but at no point does OCR question whether individuals should be able to get copies of x-rays directly pursuant to the HIPAA right of access.

As for provider notes, OCR has also made it clear that patients have a right to obtain a copy of provider notes. That guidance also reinforces the right of patients to get copies of their x-rays.

You can’t get clearer guidance than that. Why patients are still getting misinformation about their rights to this information is … well, let’s just say it’s a head scratcher. It’s also a violation of the HIPAA right of access to deny individuals copies of their health information based on misinformation about HIPAA. Just like in the movies, “ignorance of the law is no excuse.”

We also want to give a shout out to ePatient Dave and to the Open Notes Program - both of whom have been among the many steadfast advocates for the right of patients to access their health information.

ePatient Dave (Dave deBronkart) wrote a great blog post last year to counter the argument that patients won’t want their images because they won’t be able to read or understand them. If there’s one thing we should never doubt in the internet age, it’s the ability for consumers to educate themselves and become experts in their own right. As we’ve learned here at Ciitizen, nothing motivates a patient to seek out and understand their medical records more than a cancer diagnosis.  

The Open Notes program has been steadfastly working to encourage health care providers to voluntarily make notes affirmatively available to patients, such as through patient portals.  Yes, notes are already required to be made accessible to patients when they ask for them, but OpenNotes advocates for providers to make this information accessible to patients without the patients having to specifically ask for them.  The more information made affirmatively available to patients, the easier it will be for them to collect their comprehensive health histories with minimum hassle. And I think we’ve made it clear over the last few months as to what a hassle it can be.

And now you know your rights in the midst of such a hassle. Yes, you have the right to get copies of all of your health information, including the images, and copies of the notes. They are indeed part of the “designated record set.”

-Deven McGraw

Documenting a Records Request

As we continue to advocate for patients and help them get their records, we wanted to give the world an inside view into what can be a thankless, endless, and often fruitless process.

These are medical records which already exist in their entirety.

Records that are a patient’s lifeline to continuity of care.

Records that can provide access to life-saving clinical trials.

And lest we forget - records which are a patient’s right to have and to hold in 30 days or less.

Let’s take a peek at the timeline of a real request by Ciitizen for records on behalf of a real cancer patient. Brace yourselves.

August 20th, 2018 - Ciitizen submits a faxed patient access request form to a leading medical institution in New York. The request asks for all health records on file. Upon receiving no response to this rather urgent request, Ciitizen calls to check on the progress. On this first call Ciitizen is advised that the request has been outsourced to a records copy service and Ciitizen must follow up with them directly.

September 17th, 2018: Ciitizen calls the copy service company. The wait time to reach a customer service representative is over 15 minutes. The patient’s date of birth and name are given - the passport for receiving any information about a request - and Ciitizen is advised that there is no request on file for these records.

Ciitizen reaffirms that the medical institution confirmed the faxed request had been received and duly passed along. The copy service is unmoved by this information. They have nothing on file. Ciitizen is asked to re-fax the request. A new fax number is given.

Ciitizen re-faxes the request. Ciitizen places a second call to the copy service to confirm receipt of said fax. The copy service, citing its procedural policy, advises Ciitizen that it will have to wait another 15 days to confirm receipt of the request form, let alone fulfill it.

In order to bypass this unacceptable delay, Ciitizen places a third call to the copy service, this time to the supervisor’s department, with the goal of explaining that proof of the first fax could be provided, and to remind said copy service that the records in question belong to a cancer patient, for whom any additional wait would be extraordinary and life-threatening. A third fax number is provided and Ciitizen is once again asked to refax. This time Ciitizen is promised a call back to confirm receipt and to advance an expedited timeline for sending the data, given the number of days that have already passed.

At 12:41 pm EST an agent calls Ciitizen. Shockingly, the agent is both aggravated and annoyed at having to place this call, talking over our patient advocate and raising her voice in sheer frustration at our persistence. Dismayed by the agent’s tone, our patient advocate vehemently voices discontent at the sheer lack of professionalism, only to be hung up on!

Understandably furious, our Ciitizen employee reaches out to yet another supervisor, this time a gentleman in all senses of the word. He is horrified by the account and very much motivated to help us with our cause. He states that he is now going to help with the records retrieval process moving forward, and requests a short time to review our original request. At 4:45 PM, Ciitizen receives a call back confirming the record request and a corresponding transaction number.

September 18th, 2018: The new supervisor calls our Ciitizen employee to confirm that the records will now be sent out. By mail. He supplies a transaction number advising that we could reasonably expect records within a week. He also offers that if we were to provide and pay for an overnight service then records could be expedited.

Given that the request form clearly, conspicuously, and specifically requests that the records be sent electronically - i.e. by email - our patient advocate questions why such a request cannot be fulfilled. We’re told that records cannot be sent in such a manner due to encryption reasons, as this would be a HIPAA violation. (Side note - it is a HIPAA violation NOT to send them this way, since the request asks for them in this format.) Our patient advocate politely points out that our form addresses that issue in the full context of the HIPAA law, therefore rendering the electronic release HIPAA compliant.

And then we’re put on hold. Five minutes later, the supervisor returns to the call with “great news.” An electronic link to Ciitizen is offered where Ciitizen can download the patient’s information with an access code. A link that provides immediate access to said records. Finally!

September 26th, 2018: Ciitizen receives an invoice from the company for the processing fees of these ready-to-go electronic records. Ciitizen pays the fee immediately.

September 27th, 2018: 38 days after the request was first faxed, and eight days past the required 30-day time period for compliance, the link arrives.

So to sum this unsavory experience up:

7 phone calls

3 faxes

2 escalations

…and almost 2 hours of phone time to retrieve ready-to-go electronic records that are sitting waiting to be emailed out. And finally records are retrieved.

Now imagine that this responsibility befalls the patient - a cancer patient dealing with health issues that many of us can only imagine. It’s utterly inexcusable.

But in reality, this is what transpires every day at a mind boggling number of major hospitals and medical centers across the USA. Change has to happen and it has to happen now. This needed change is what Ciitizen is fighting for. For you, your families, and for patients across America.

#myhealthmydata Stories

Since starting the Voice of Ciitizens blog back in the summer of 2018, we’ve spent most of our time defining, documenting, and denouncing the myriad roadblocks that stand between patients and their personal health data, from the lack of compliance with federal HIPAA regulations to the “dinosaur technology” still in use. Now that 2019 is upon us and the problem is clear, the question has become: what can we do to try to fix it?

While helping patients obtain their health data from hospitals all over the country, we’ve found that a number of hospitals either don’t understand the patient’s right of access under HIPAA or (in worse cases) are indifferent to it. For months, we’ve been asking ourselves at the Ciitizen office how we can help well-meaning institutions improve their medical record release procedures and become HIPAA compliant, while simultaneously motivating the stragglers to follow suit.

That internal question led to an idea, which culminated in the #myhealthmydata campaign.  

What if we took our experiences in trying to obtain medical records for our Ciitizen users and objectively evaluated those experiences based on what the HIPAA Privacy Rule requires?  And what if we made those stories public - both our general experiences as well as instances with specific institutions - perhaps by name - that we have contacted, openly sharing it online for the world to see?  Could stories of hospital responses to our record requests help both shine a light on what seems to us to be a serious noncompliance problem and also be a catalyst for change? And might we surprise ourselves with stories of people who are actually doing this right?

We think the answer to these questions is yes. What exactly would all of that look like? Follow #myhealthmydata and we’ll show you.

-The Ciitizen Team