Reluctance to Change

Lisa Taylor wrote in her blog this past Tuesday, when discussing the lack of compliance from various health records departments: “Change is hard, and the reluctance to change is real and daunting.”

Ain’t that the truth, and don’t we all know it!

I, for one, find it continually difficult to change my lifestyle, my diet, my work schedule, my negative attitude towards our current political climate, and a number of other unhealthy habits I’ve acquired over the course of 38 years on this planet. Sometimes I know I should eat a salad and drink water before bed, but instead I eat a whole pizza and drink an entire bottle of wine. Despite the undesirable effects I sometimes suffer as the result of my personal decisions, I would often rather endure the discomfort than exert the effort necessary to exact any real changes to my daily living.

Why? Because change is hard, and my reluctance to change is indeed real and daunting.

But the strength of my willpower to impart a positive influence on my personal life is very different than the legal requirement for a medical records office to comply with mandated regulations that have now been in place for some time. My individual choices don’t violate any laws or regulations (usually), and they only affect me. However, the lack of compliance with federal HIPAA regulations by hospitals across the country affects countless patients in need of their health information, many of whom are counting on that data for survival.

Change is indeed hard, and some hospitals appear to be reluctant to change their policies. But I say: tough shit!

When a hospital doesn’t honor a patient’s rightful request to access his or her health data within the required timeframe, for example, the patient is the one who suffers. As Lisa added: “If privacy officers remain immune to the plight of the people they are there to protect, and unwilling to take advantage of new systems and procedures that can eliminate these obstacles, then this pattern is destined to continue.”

In order to enact hard change, you must first understand that it’s needed. To prolong making changes is to be human. To be oblivious to needed change, however, is negligent.

-David Driscoll

Overcoming the Obstacles

Sitting in the office of Dr. Alexander Swistel at the New York-Presbyterian/Weill Cornell Medical Center, an internationally-recognized breast surgeon who has pioneered many of the newest advances in breast cancer treatments, I watched my 70 year old mother being examined after her third breast cancer diagnosis in 20 years. She was crestfallen. And I was confounded. Although we are still unraveling the mysteries of cancer - and why it happens to some people and not others - I couldn’t help but wonder how a woman who lives a five-star lifestyle, who maintains the ideal weight for her height, works out regularly, hasn’t touched dairy for over 20 years (heaven forbid sugar or gluten), and drinks water that has been perfectly PH-balanced via her $5000 counter-top machine, could possibly have cancer again?

Desperate for an answer, I blurted out; “It has to be genetic!” Carried away with my new powers of diagnosis, I forged ahead: “Is it possible she has BRCA?” Without missing a beat the reply was swift and curt. “No, she isn’t BRCA”. Clearly this information didn’t sit well with me. “How do you know that?” I retorted, quickly adding that she displayed all the markers. Dr. Swistel seemed to have already tired of my line of questioning. He stopped what he was doing and turned to me, his head cocked patronizingly to one side. “Would it make you feel better if I had her tested?”.

Although the wait would be over a month, I knew it then. She had it, I had it, my sister had it. But it turns out so does my brother and so do my nieces. So how was it that this simple blood test was overlooked for more than two decades? The answer is elementary: my mother’s medical records were incomplete. Had her full history been readily available, the doctor would have seen in a heartbeat that her previous diagnoses were overwhelmingly consistent with the profile of a BRCA1 carrier. And coupled with her Ashkenzi Jewish descent, he would also have known my family members were prime candidates.

And so began the inordinate struggle to get her test results shared among our family, a critical component of ensuring accurate genetic testing for us all. It was incredibly complicated. Selling my company to Disney was less involved than the process of obtaining and sharing health data. Yet, we are just another story in an endless stream of those who face inexplicable obstacles in attaining a patient’s medical records. Critical information that affects not just the patient’s outcome, but that of the family members as well.

Because of the overwhelming frustration, the fragmented and laborious process of medical records retrieval is too much to handle for so many. But not for me. Like all good things in life, timing is everything. As luck would have it, I was brought on as a consultant at Ciitiizen to help better understand the issues surrounding this retrieval process, and to help implement measures to correct it.

From my experience, the solution is surprisingly clear: health information management departments do not understand patients’ rights.

On top of that, privacy officers are not implementing revised processes to bring these departments into compliance. Why? Because change is hard, and the reluctance to change is real and daunting. If privacy officers remain immune to the plight of the people they are there to protect, and unwilling to take advantage of new systems and procedures that can eliminate these obstacles, then this pattern—one that has directly affected me and my family—is destined to continue. Change is what Ciitizen is fighting for. For you, for your families, and for the future of the personal healthcare industry.

-Lisa Taylor

Lisa Taylor is an Emmy nominated filmmaker and was the COO and co-founder of Real Savvy Media before selling the company to the Disney Interactive Media Group in 2010. She is currently a part of Ciitizen’s data retrieval team, helping patients obtain their health records via the HIPAA right of access.

The Evolution of Customer Service

In all the professional roles I’ve played throughout my eclectic career, I can say with certainty that customer service was the most challenging; especially when the customer knows more than you do, as is becoming more and more the norm.

Before the internet, we turned to customer service representatives for professional expertise, relying on their guidance when in need of assistance. Today, however, customers come in armed with mountains of data, consumer reviews, and various other tidbits of information that they’ve spent hours, if not days, poring over in anticipation of their transaction. As someone who worked retail customer service from 2007 to 2018, I’ve seen the evolution firsthand. Content experts are less relevant than ever. Strong interpersonal skills are far more valuable.

Customer service today is less about advising and more about helping people along to where they’ve already decided to go. However, as my colleague Nasha pointed out in her blog from Tuesday, a number of hospitals haven’t yet received that memo. Records departments still think they can dictate the release of information to patients, despite that more patients every day know their HIPAA rights.

When following regulatory HIPAA guidelines to rightfully request health information on behalf of her daughter and others, Nasha has found that she often has to educate the record departments on the legal requirements. That’s after the six or seven phone calls needed just to get any kind of straight answer. As she stated, “It’s not only a lack of (HIPAA) compliance, it’s a bad customer experience.”

I can tell you from my experience: the only thing more demoralizing than dealing with an angry customer over the phone is dealing with that angry customer when you’re completely in the wrong. Not only do you feel anxious and under attack, you begin to feel animosity towards your employer for putting you in that awful situation to begin with. Now imagine that the customers are actually sick patients in dire need of their health data, and you can imagine how much worse it feels.

Simply put, hospitals and health institutions need to make sure their records department personnel are not in the terrible position of knowing less about HIPAA than the patients they’re supposed to be helping. As more citizens learn about their HIPAA right of access and begin to exercise this right—in all of its glorious (but sometimes confusing) details—it’s going to be a nightmare for any records department professional caught in the path of resistance. It’s time to make HIPAA right of access compliance a priority—both for the patients’ sake and the mental health of the medical records professionals.

-David Driscoll

A Bad Customer Experience

Sometimes it’s so exhausting to track down my daughter’s medical records that I want to give up and say forget it. She has a rare neurological condition called FOXG1, and has therefore been seen at multiple institutions for various testing and procedures. Thinking recently about having her information sent to a specialist out of state for another opinion, I realized I had no idea how I would make that happen.

I was able to reach the records department at her current hospital. They said they could not send her MRI data to me, but I could come to the office in person to retrieve her imaging. So I did. I waited there for over three hours to get her data on a CD-ROM, and even then the records were incomplete and not at all easy to access.

My own personal experience of trying to collect her health history has been frustrating, to say the least, which is why I decided to join Ciitizen and lend a hand to patients in similar situations. Luckily, my daughter’s condition isn’t life threatening. But she can’t walk or talk, and seizures are an issue, so having her health data is important. However, when I think about these same obstacles being presented to patients with cancer and other serious illnesses, I get nauseous. Patients in dire need of their data should be able to get their information immediately.

Having started making record requests on behalf of Ciitizen’s beta users, my frustration has not subsided. In response to the rightful inquiries sent by these patients, we’ve received responses like:

  • Due to security/encryption purposes, the records cannot be sent by email, as this is a HIPAA violation

  • We cannot accept electronic signatures (in response to an electronic request form!!)

  • Imaging cannot ever be sent to a patient, it must be picked up in person by the patient with a valid ID

As I’ve come to learn, however, none of these rejections are valid. HIPAA does allow records to be sent by email, digital signatures are just as lawful as written ones, and imaging can indeed be sent directly to the patient. Some of the medical records clerks I talk with don’t seem to know any better, and it doesn’t seem like hospitals spend much time training their records departments about HIPAA requirements.

On top of that, we’ve had to call some of these hospitals six or seven times on behalf of our cancer patients before we even get a straight answer. It’s not only a lack of compliance, it’s a bad customer experience. What other industry would allow this?

No other business could survive these market dynamics given the competition out there today. Unfortunately, as patients often have few options for care, the hospitals get away with it. That’s why we need to incentivize hospitals to both comply with HIPAA regulations and improve their customer service protocols. If the hospitals themselves aren’t able to allocate resources towards bettering their compliance, we at Ciitizen will be happy to make ourselves available—gratis—as a training resource.

Give us a call. We’ll be happy to run through exactly what HIPAA does and doesn’t allow in terms of the patient’s right of access.

-Nasha Fitter

Nasha Fitter is the head of Ciitizen’s data retrieval team and the co-founder of FOXG1 Research Group, an organization dedicated to find a cure for FOXG1 Syndrome, and potentially most brain-related disorders.

Dinosaur Technology

Stacey Tinianov, one of the most passionate advocates for cancer awareness I’ve ever met, wrote in her blog this week:

“It is NOT hyperbole to say health data portability will save lives.”

I think the inverse is also true. It is NOT hyperbole to say that a lack of health data portability will continue to cost lives. I hear about it all the time.

Failing to release pertinent health data in a timely fashion to a patient in need is inexcusable. But failing to provide it in a format that can actually be used can be just as bad. This past week on Twitter, CNBC journalist Chrissy Farr wrote that it’s “just amazing to be talking to physicians” who need to “keep around the CD-ROM drive so they can upload their patients’ imaging.” She then invited healthcare companies to upload any “dinosaur tech” they keep around the office for similar reasons.

I sent her this:

When lives are on the line and important health data is still being provided via antiquated methods like CD-ROM, people get fired up. We saw a litany of fiery responses worth sharing here:

It is indeed “embarrassing for healthcare” that patients have to deal with this type of “burden” in 2018.

But as Stacey also wrote: “There are too many egos and six and seven figure salaries involved to expect that electronic data systems, academic research facilities and healthcare systems are suddenly going to share information freely for the purposes of research” and make things easier for patients.

We can’t wait for the industry to figure this out. It’s time we exercise our HIPAA right of access, take matters into our own hands, and come up with our own solutions.

-David Driscoll

From Awareness to Action: Access with Urgency

As with any hard problem, awareness is a necessary first step toward resolution. But awareness, in and of itself, doesn’t change outcomes. As an example, despite the fact that an entire month is dedicated to Breast Cancer Awareness, metastatic breast cancer still took the lives of almost 3,500 people in October.

And lung cancer took the lives of over 13,000 men and women in the same month.

In fact, by the numbers, cancer will kill 1670 people in the next 24 hours, well on the way of taking the lives of 609,640 people by the end of 2018.

National Breast Cancer Awareness Month (NBCAM) was established in 1985, and, for the past 33 years, we have collectively become aware of the prevalence of breast cancer. And yet, in the past three decades, the incidence of the disease has not decreased.

We take some comfort in the fabulous statistics on 5-year and 10-year survival rates but, let’s be honest, when someone is diagnosed at age 30, a 5 or 10-year survival curve isn’t adequate.

According to the National Institute of Health (NIH), the most common type of cancer is breast cancer, with 268,670 new cases expected in the United States alone in 2018. The next most common cancers are lung cancer and prostate cancer, with 234,030 and 164,690 new cases predicted in 2018 respectively, with far worse long-term survival rates.

It’s a big problem.

It’s a hard problem.

We need to focus on not only improving treatment options and outcomes for individuals already diagnosed but also on identifying causal relationships and reducing risk factors across the general populous. We need to move from reactive to proactive.

We need data.

The lack of comprehensive data on cancer stymies our collective ability to understand it – and take concrete steps to eradicate it. 

If only we had data.

Data could look something like the 1.7 MILLION new cases of cancer diagnosed in this country alone that could be queried for patterns. 

Data could look like the health, treatment and responses of over 16 MILLION cancer survivors living in the United States that could be analyzed. 

The real tragedy is that this data already EXISTS – but it is locked behind firewalls and false pretense.

Interoperability, in my lifetime, is not a likely option.

There are too many egos and six and seven figure salaries involved to expect that electronic data systems, academic research facilities and healthcare systems are suddenly going to share, what is if them, revenue generating information freely for the purposes of research.

But it is NOT hyperbole to say health data portability will save lives.

Individuals already have the right to access their own health data, but removing barriers to access is key. Once each person has control over their comprehensive and complete health data, they are then able to easily donate to research organizations focused on accelerating discoveries.

The true value of personal health data is often in the story it tells or foretells. With access to our own story, we can not only direct our personal health care but also add another piece to the collective cancer puzzle. In my mind, solving this puzzle is the equivalent of a Cancer Takedown.

I hope you enjoyed your month of awareness. Next month, consider painting your world “pearl” for the lung cancer awareness or purple for pancreatic cancer awareness. But really, it may be time to put on all the ribbons and move on to more concrete steps. Regardless of the color of ribbon you don, you now know that cancer will kill over 1,600 people in the next 24 hours.

In other words, it’s way past time to move on from awareness to action and urgency is key.

-Stacey Tinianov

Stacey Tinianov is a breast cancer survivor and cancer community advocate. Despite following all the "cancer prevention" rules, Stacey was diagnosed with breast cancer six weeks after celebrating her 40th birthday and four months after her mother's breast cancer diagnosis. Since her diagnosis and treatment, she has become a vocal advocate for patient empowerment via health data access, shared decision making, collaborative education and community building. She is an active member of NCCS Cancer Policy Advocacy Team, board member of Bay Area Young Survivors, advisor for Camp Kesem SCU and President's Cancer Panel participant. She lives in Santa Clara, CA with her husband and two teenagers and can always be found on Twitter as @coffeemommy.

Make Everything Available (Just In Case)

This past Tuesday, former CTO of HHS Susannah Fox ended her blog with an incredibly important point:

“The elephant in the room is that most people don’t WANT to engage in their health, much less with their health data.”

Nevertheless, she still believes...

“...we should all be working toward freeing the data and letting people decide whether to engage with it, building the infrastructure and tools that allows someone to wake up one day (maybe because of a life-changing diagnosis) and say, “Yes, I’m ready. Now, how do I get my data?”


Most industries today already understand this modern expectation. Regardless of its popularity or demand, between Comcast, Netflix, and Amazon I can watch pretty much any movie ever made, whenever I want to. For example, I don’t think many people out there are interested in rewatching the 1985 cult horror film Ghoulies, nor the span of low-budget sequels that followed, but nevertheless those movies are available for me to stream instantly (which I did this past weekend to the chagrin of my wife). Media companies learned long ago that it’s better to make everything available, just in case. The more digital content accessible, the happier their consumers.

What’s frustrating about healthcare is that not only is there no infrastructure in place to release all of our personal health data, there are few institutions even interested in providing these tools for patients. As I’ve mentioned in previous blog posts, the reason hospitals and other HIPAA-covered entities can get away with such an outdated model is because “most people don’t WANT to engage in their health, much less their health data.” There’s no pressure on them to comply with current regulations, or provide a customer experience in line with modern expectations.

But what would happen if a million people woke up tomorrow and decided they did want it? Hospitals across the country would be woefully unprepared to handle the volume. That day is coming, however, so it’s up to all of us to make sure our health institutions are up to the task by putting pressure on them now. Our data needs to be easily accessible, just in case we do want it someday.

-David Driscoll

Data as an Engine of Disruption in Health Care

My essential message is that patients and caregivers should be as much a part of the disruption conversation as any other stakeholder.

All of us, no matter what role we play in the health care ecosystem, should focus on giving individuals access to their own data and work up from there. And when I say data I mean everything: medical records, device data (such as pacemakers and continuous glucose monitors), and their personal tracking of symptoms. We should also encourage the marketplace for apps and other ways to help people make sense of their data.

The Blue Button initiative, which started in the Obama Administration and continues today, is an example of what people in the industry call “consumer-directed exchange” (CDEx) of health data. As I wrote in my recent post about how consumer access is Blue Button’s North Star: “We had to start somewhere and we started with patients.” Anil Sethi recently wrote on this blog: “Make the data available to patients and it becomes instantly portable.” If you want to learn more, the CARIN Alliance explains the CDEx model well.

Another positive development: Nationwide, 30 million patients now have online access to the notes that their clinicians write in their medical records (according to OpenNotes). Research shows that an increase in transparency is associated with an increase in shared decision-making — that is, the more access patients have to data about their health condition, the more likely they are to engage in treatment and problem-solving (that is positive disruption in my view).

More broadly, both the Obama and Trump Administration’s health officials are working on “seamless exchange” of health data among stakeholders, including individuals. As Centers for Medicare and Medicaid Services Administrator Seema Verma recently wrote on Twitter: “Patients deserve electronic access to their health data, doctors should be able to seamlessly exchange data between EHRs, & EHRs should allow third-party applications to leverage that data in innovative ways for the benefit of all.”

But in reality, many people have not been able to gather their own medical records. A clutch of recent articles has documented their struggles.

If you haven’t read it yet, click through on “Paper Trails: Living and Dying with Fragmented Medical Records.” As Lisa Bari, Health IT Lead of the Seamless Care Models Group at Center for Medicare & Medicaid Innovation, wrote on Twitter:

“I’ve already shared this excellent article a few times, but I need to get a rant off my chest really quickly. This fragmentation, lack of interoperability HARMS patients. Every single day. Even if you want to believe that providers aren’t actively trying to harm patients, what happens when you go to see a specialist, get tests that would result in the need for an immediate intervention, but there’s no follow up? The data lives in a silo, no one is alerted. This is a trivial issue, based on the technology. The simplest thing, barring a national [health information exchange], would just be for the specialist to send a direct message to the [primary care physician (PCP)] with the information, as well as the patient. But it rarely, if ever, happens. Of course the specialist is on EHR 1, the PCP on EHR 2 (instance 1), the urgent care clinic on EHR 2 (instance 2), and none of these systems are exchanging data. This experience x 1000000 every single day.”

Another article’s authors deployed a “mystery shopper” technique to test how easy or hard it is to get a complete medical record for an individual. See:

Assessment of US Hospital Compliance With Regulations for Patients’ Requests for Medical Records, by Carolyn T. Lye, BA; Howard P. Forman, MD, MBA; Ruiyi Gao, BS; Jodi G. Daniel, JD, MPH; Allen L. Hsiao, MD; Marilyn K. Mann, JD; Dave deBronkart, BS Hugo O. Campos; Harlan M. Krumholz, MD, SM (JAMA, Oct. 5, 2018).

A quote from the Key Points:

Question  Are US hospitals compliant with federal and state regulations in their medical records request processes?

Findings  This cross-sectional study of 83 US hospitals revealed that there was noncompliance with federal regulations for formats of release and state regulations for request processing times. In addition, there was discordance between information provided on medical records release authorization forms and that obtained directly from medical records departments regarding the medical records request processes.

Meaning  Discrepancies in information provided to patients regarding medical records request processes and noncompliance with regulations appear to indicate the need for stricter enforcement of policies relating to patients’ access to their protected health information.

Another perspective worth attention comes from Lucia Savage, a former colleague of mine at HHS and now Omada Health’s Chief Privacy and Regulatory Officer. She spoke with Jessica Davis of HealthCare IT News:

There are many issues when it comes to data sharing, including contractual data blocking by vendors. It’s understudied, but Savage explained that it’s likely more prevalent than imagined. Health data is like “intellectual oil” powering an “idea economy.”

“So the person who has the data feels like they have something special. And there are a lot of pieces on how that gets played out,” she said. For example, an EHR vendor may take a blood sugar reading and how they display it is their intellectual property.

“But what your blood sugar was, is what your blood sugar was: It’s just PHI,” she continued. “We don’t have very refined rules for separating those things out. … People are sort of asserting a property or proprietary interest over data that comes from the natural process of being a human being.”

Another issue is the way ideas and inventions interact within healthcare, such as a device. Savage explained devices aren’t necessarily covered by HIPAA, so the manufacturer isn’t directly subject to those rules that “let you get your own data.”

Only once the data has flowed into the EHR can the patient get it, she explained. “But the device manufacturer just is collecting data and analyzing it on their servers. And it literally is physically and legally their property.”

Another of my former HHS colleagues, Deven McGraw, wrote a great health data rights explainer here on the Ciitizen blog, (full disclosure, I’m advising for Ciitizen). For example:

  • With a few exceptions (that so rarely occur they probably don’t apply to you), you have the right to all of your health information from your medical providers and your health plans. Doesn’t matter how old it is, or where it originated – if they have the information you’re requesting, you have a right to it.

  • You have the right to an electronic copy of any information that is maintained electronically (such as in an electronic medical record) – and you even have the right to have paper copies scanned into an electronic format (such as pdf) if the institution or organization has scanning capabilities.

  • You have the right to get your health information sent to you by e-mail – even if your e-mail isn’t secure, as long as you acknowledge that you are comfortable with receiving your health information this way.

We know that when people gain access to the internet, they dive in quickly to health information searches. Recent surveys show that we’re now at near-universal internet access in the U.S. and most people say they go online to look up all kinds of information. What’s particularly intriguing to me are those who look online for someone who shares the same health condition or concern — the just-in-time someone-like-me who can give them peer advice tailored to their needs. How might we leverage that instinct for connection? How might data play a role? How might we grow people’s appetite for health engagement?

The elephant in the room is that most people don’t WANT to engage in their health, much less with their health data. Highly motivated patients and caregivers are the tip of the spear, the pioneers who will push for access and help create the tools that the rest of the population will gratefully use if they ever need them. I still believe we should all be working toward freeing the data and letting people decide whether to engage with it, building the infrastructure and tools that allows someone to wake up one day (maybe because of a life-changing diagnosis) and say, “Yes, I’m ready. Now, how do I get my data?”

-Susannah Fox

Susannah Fox is the former Chief Technology Officer for the U.S. Department of Health and Human Services. She specializes in providing strategic advice related to research, health data, technology, and innovation, targeting areas of the health care system that need to work better for patients and caregivers. This blog was first published on her website