Stories of HIPAA Non-Compliance

Back in July 2018, Ciitizen began collecting medical records to populate accounts for the initial users of its platform. I was excited to put my knowledge of the HIPAA right of access, and my experience in drafting HHS 2016 guidance to help improve compliance with that right, into practice. I suspected we would face some obstacles – after all, complaints about the inability to fully exercise the HIPAA access right has been in the top five of categories of complaints received by the HHS Office for Civil Rights (OCR) since the right went into effect. But I had no idea then just how frustrating – and frankly depressing and demoralizing – the experience of obtaining medical records would be.  

The story I’m telling today is but one of many, sadly.

On July 27, 2018, Ciitizen emailed a letter to a large hospital in Colorado, seeking all records included in our user’s “designated record set” (which is all information that individuals have a right to under HIPAA) between 1999-2004 (encompassing the time period when our user had received services in that hospital). According to its website, this hospital accepted patient requests for information via email, which we were pleased to see (it helps avoid the delays associated with having to send the requests by mail). Our letter cited HIPAA requirements and guidance, and was digitally signed by the user via Docusign (which is a digital signing service that is super convenient for users and that I have used in the past to legally sign home and stock purchase documents). The letter also indicated that the records should be emailed to Ciitizen. We pressed “send” on the email, anticipating that we would receive the requested records within the required 30-day timeframe (by August 25, 2018).

On August 16, 2018, we received via regular mail a letter from a records release vendor working for the Colorado hospital. The letter stated there was a “discrepancy” between the signature on the request letter and the “signature on file.”  It indicated we could provide a copy of the patient’s valid ID with an authorization signed by the patient, or we could have the signature notarized. Our user indicated that the least burdensome path for them would be to resign and scan the request letter and provide a driver’s license copy.

Of note: the letter also indicated that we were to re-submit this request for documentation by mail to the Colorado hospital. So much for the use of email to speed up the process! On August 21, 2018 (very close to the original 30 day deadline for release of records), we mailed to the indicated address the re-signed request, plus a copy of the user’s driver’s license.  

On August 29th, we received an email from yet another vendor to the Colorado hospital indicating they had “inadvertently received the attached documentation” (our user’s resubmitted records request, plus driver’s license copy), adding “which I believe was meant to be returned to you.” The email also stated “[i]n regards to this matter, please see the first page for instructions on sending it back to our retention center for processing.” Since we had re-submitted the request exactly as directed, on August 31 we emailed the re-submitted request – along with a cover email documenting each step of this wild goose chase – to the original email address the Colorado hospital had indicated on its website for patient requests.

Note that we are now more than a month past our original request, with much of the delay resulting from the use of mail to return the original request to us, along with inaccurate instructions on how to mail a request that would meet their specific criteria. Ciitizen’s initial users are all individuals who have – or have had – cancer, and the time spent to get records is therefore critical.

Finally, on October 19, 2018 we received a letter by mail (dated September 30, 2018!) from the Colorado hospital’s initial medical record vendor indicating “[w]e no longer have any information on this patient for the date(s) specified. The medical record has been purged, because we only hold records for ten years.” We reconfirmed this information by phone directly with the hospital’s medical records department. Our Ciitizen user was  disheartened, as the user believed information from care received at that hospital could be relevant to a later cancer diagnosis. This information is now forever lost to further inquiry.

Although it is understandable that records would not be kept by the hospital indefinitely, the hospital and its vendor could have checked this much earlier in the process. And the process was inexplicably and unnecessarily drawn out for almost three months due to a slow response  from the vendor, coupled with the use of mail by either the hospital or its vendor for most correspondence, despite being in possession of (and in some cases actually using) a Ciitizen email address. It is also a textbook example for why it is critical for patients to get copies of their information promptly after being in the hospital or seeing the doctor.

To add insult to injury, although we received no records, we did receive an invoice from this vendor for a $14.00 “basic fee,” plus tax – a total of $15.23 (HIPAA does not permit a charge of a “basic fee” for HIPAA patient right of access request). We have had to send further correspondence disputing these impermissible charges, as the vendor is still trying to collect.

This is a particularly frustrating example of the infuriating maze that people are often forced to navigate in trying to obtain their medical records. We think these stories need to be told, in an effort to motivate greater compliance with HIPAA’s access rights.

Stay tuned, as we intend to tell them.

-Deven McGraw

Happy Holidays from Ciitizen

We’re taking a break from blogging over the next two weeks as we wind down for the holidays here at the office, but rest assured our drive to put patients in control of their health data will continue into 2019.

From everyone here at Ciitizen, we wish you the very best for the holiday season and look forward to empowering more patients with their health information in the new year.

See you in January!

-The Ciitizen Team

HIPAA Compliance: 30 Days or Less

Continuing with our comparative analysis of Yale’s Assessment of US Hospital Compliance With Regulations for Patients’ Requests for Medical Records, today we’re going to look at the HIPAA requirement that all requests for patient data be fulfilled within 30 days. As my colleague Deven McGraw pointed out in her blog post about patient data rights under HIPAA, 30 days is already far too long to wait, unfairly burdening a number of patients who need faster access to their data. For a cancer patient in need of their health information to procure a treatment plan, second opinion, or access to a clinical trial, 30 days can be the difference between life and death, and yet many patients are made to wait longer.

The Yale study focused primarily on the processes for the release of information, rather than the actual release of the information itself. As much of their research was done via phone calls, the team gathered data about the various policies of hospital records departments but not necessarily the reality of those processes. Since there was no actual request for data being made, the statistics show how long it would take to process a request for patient records according to the hospital staff member on the phone. According to the study:

  • Among the telephone calls, 71 hospitals provided mean times of release for paper copies of records. A maximum time of release was provided by 10 hospitals, and 2 hospitals were unable to specify a mean or maximum time of release.

  • Of that hospitals that provided mean times of release…

    • 17 (21%) reported mean times of less than 7 days

    • 21 (25%) in 7 to 10 days

    • 26 (31%) in 11 to 20 days

    • 4 (5%) in 21 to 30 days

    • 3 (4%) in more than 30 days

Here at Ciitizen, where we’re currently working on behalf of numerous patients to help them collect their health records, we can shed a bit of light on how long it actually takes to process some of these requests. Between what we’re told on the phone and when we actually get the information in hand, the time periods vary quite dramatically.

  • Of the 60 most recent patient requests we’ve submitted…

    • 11 (18%) took 30 - 39 days to arrive

    • 8 (13%) took 40 - 49 days to arrive

    • 5 (8%) took 50 - 59 days to arrive

    • 1 took 85 days to arrive

  • That means 25 out of 60 requests (42%) took 30 days or longer to receive.

I should also add that, in general, getting these records required more than a single phone call. As we’ve reported before, getting the data required numerous calls and escalations to a hospital’s privacy officer before access was finally granted, in spite of the institution’s policy or stipulated time of release.

Ultimately, we’ve found that the reality of getting the data in hand is even more time consuming and frustrating than the quoted time frames our friends at Yale have documented.

-Nasha Fitter

An Interview with Susannah Fox


This past week we had the chance to sit down with Susannah Fox, one of our advisors here at Ciitizen, for a conversation about technology and health. Susannah is the former Chief Technology Officer for the U.S. Department of Health and Human Services, and she specializes in providing strategic advice related to research, health data, technology, and innovation, targeting areas of the healthcare system that need to work better for patients and caregivers. She was in town to participate in the Andreessen-Horowitz podcast, along with Ciitizen CEO Anil Sethi and a16z general partner Vijay Pande -- but we got her alone for a twenty minute one-on-one beforehand, discussing everything from mental health to social media usage among young adults. Our conversation is below:

Ciitizen: You’re a mainstay at a number of large health conferences these days, and you’re also an eloquent speaker. How did you get started in your career?

Susannah: I was a start-up kid in the early nineties and then worked in journalism, helping to start a website for a magazine. I then became a researcher, and I was trained to only ever speak publicly about a subject that I had personally researched, whether talking to a reporter or on stage speaking at an event. It’s really good training for being careful with your words, which is important when you work in government.

Ciitizen: What I really admire about your blog and your writing is that you focus on technology and health coming together, but with technology more as a medium for human interconnectivity. It’s not about replacing human interaction but rather enhancing it. How did you get started with peer-to-peer health, and why does that subject continue to drive you?

Susannah: This interest at the intersection of health and technology started when I was at the Pew Research Center’s Internet Project, which began in the year 2000 as a way to look at the social impact of the internet on American society. I often like to say that was back when dinosaurs ruled the internet because it was such early days. Only about 50% of American adults had access to the internet at that time, and the Pew Charitable Trusts tasked us with doing national surveys, talking to people about how they were using the internet in regard to their civic life, their education and their children’s education, and their health and health care. Rebecca Rimel, the head of the Pew Charitable Trusts, was sitting in a conference one day where people were talking about the social impact of the internet as opposed to the business impact and no one had any data to show. She thought we should be talking about this important cultural phenomenon with data, so she allocated money to start the Pew Internet Project.

Ciitizen: What type of data did you ultimately find?

Susannah: When we started looking at various aspects of American society and how the internet was affecting it, health care emerged very clearly and early in our research as a part of the world that was deeply affected by the internet and technology, but we were coming at it from the consumer point of view. There were already researchers who were looking at it from the pharmaceutical companies’ point of view or from the doctors’ point of view. So much of the conversation in the late nineties and early 2000s surrounding the internet was about the stock market and how the web was changing business. Instead, we started by talking with regular people about how they used the technology and that got me interested in the patient perspective and the caregiver perspective.

Ciitizen: Did you start down that path on your own, or were there others that helped guide you?

Susannah: Early on I was very lucky to be taken under the wing of Tom Ferguson, who was an amazing MD and the first medical editor of the Whole Earth catalog. He was an early internet pioneer and someone who believed from the beginning of his medical training that the most important thing health care can do is to push as much knowledge and power as possible to the patients so that they can solve their own problems. That’s actually where health and well being lives: at home, not in the clinic. He encouraged me to start doing field work. I studied anthropology in college and he encouraged me to use that background to ask questions. More importantly, ask questions that people want to answer.

Ciitizen: What do you mean by “questions that people want to answer?”

Susannah: This past year I did a survey where we looked at how teenagers and young adults are using social media, especially in regard to their emotional well being. There’s a lot of public conversation about the rise in depression, anxiety, and suicidality in this age group, and it’s very concerning. It also happens to coincide with the rise of social media, so there has been some blame. The adults think if their kids could just put down their phones, they would feel better. Hopelab and Well Being Trust, who are the sponsors of this research, asked me and my co-author Vicky Rideout to take a look at this. We did a survey where we asked some questions that are clinically-validated scales for depression. What’s really important is that we asked the teens and young adults to tell us, in their own words, how they use social media when they’re feeling blue. No one had ever done that before, giving the power to the respondent in the survey, and we were almost overwhelmed by the response. We had over 600 responses to one open-ended question. It was almost as if teens and young adults had been waiting to answer it!

Ciitizen: They say you can always learn more by listening.

Susannah: Yes, and that’s what you want to do when you’re going into a new or emerging field. You need to have humility, and you want to listen first before you ask these questions. You want to think from the perspective of the respondent, or user of the product. How can I put myself in their shoes? How can I better understand their perspective? Well…how about we just ask them? What we found is that teens and young adults use social media in a number of different ways, and they’re pretty savvy about it. They actually curate their feeds so that when they’re feeling sad, and when they’re feeling depressive symptoms, they specifically go to Instagram because they’ve curated their feed to include funny cat videos, or inspiring biblical passages—whatever they’re into.

Ciitizen: So would you say you specialize in understanding how people use technology surrounding their health?

Susannah: My friend Paul Tarini gave me my favorite description of what I do: he said you’re an internet geologist, meaning I study the patterns in the landscape, and I can give advice to companies, organizations, and individuals about the patterns that I see. I can make some predictions. I can sort of look and say there’s going to be an earthquake, but I don’t make a lot of judgments because I come from a researcher’s point of view. The one area where I really feel motivated to have a stronger point of view is when it comes to peer-to-peer health.

Ciitizen: I heard Anil talking to you earlier about the fact that we don’t have enough doctors in the world to treat everyone who needs help, so you have to ask: are there a number of problems we can help patients with that don’t require them to see a doctor? Could they instead reach out to a network of health professionals or trusted individuals?

Susannah: Exactly, if you think about the problems that we have in life, a lot of the challenges that we have with our health or well being, whether they’re physical or mental, are actually taken care of at home. The decisions we make about the food that we eat, whether we’re going to exercise today or not, how we’re going to curate our Instagram feed—these are all decisions that we are making without consultation. We naturally turn to peers for things that we know peers have information about. I’ve done some research that shows—and this is very reassuring to a lot of people in health care—people are still more likely to turn to a clinician when it’s something serious. So when they need a diagnosis, or they’re figuring out a treatment plan, people still turn to their doctor. But if it’s something everyday they’re just as likely to turn to a friend or a peer.

Ciitizen: What about for rare diseases or odd symptoms?

Susannah: What I saw in my field work was that people were more likely to go online in these instances because they might not have anyone in their social circle that could answer that question. Looking at this emotional well-being survey, we asked questions about gender identity and how someone identifies in terms of their sexual orientation, and the LBTGQ kids were much more likely to go online for their health information because they feel alone or rare. But here’s the really important thing to know: we all feel rare when we have a new diagnosis, which is why the power of peer-to-peer health is so important. We’re never going to have enough nurses, doctors, and clinicians to answer all these questions or quell these anxieties.

Ciitizen: That’s when people start talking about Dr. Google as a solution.

Susannah: Right, we’ve got Dr. Google now as the de facto second opinion, but that’s not good enough.

Ciitizen: What are some of the tech-related products you’ve seen out there that might offer support for patients? Besides Ciitizen, of course.

Susannah: I’m all about pushing power out to the edges of the network where humanity lives. I want to do whatever I can to increase people’s access to information, data, and the tools that they need to solve their own problems. In the clinical setting, I’m seeing some very interesting work at Cincinnati Children’s Hospital with their pediatric IBD and ulcerative colitis practice. They are part of a network of doctors who are sharing best practices all across the country, and they also have a parallel network of families because there’s a lot of home care when it comes to caring for kids with ulcerative colitis. They’re creating a platform that creates a sharing of knowledge between these two networks, between clinicians and patient families.

Ciitizen: It sounds like they recognize the power of patient knowledge.

Susannah: Any time people recognize the power of peer and patient knowledge, it’s a good thing. When a newly diagnosed woman with breast cancer is offered the opportunity to have—in addition to a clinical consult—the opportunity to talk with someone who has been through a similar process at the same hospital, that’s really valuable. Just somebody to talk to who’s ahead of them on the path who can provide advice. I’ve also seen some great work being done in recovery. The opioid crisis is something we’re dealing with in this country where we don’t have enough treatment centers, clinicians, and response to handle the problem. It’s a wonderful thing to see Mass General, where patients are going through withdrawal and recovery, matching patients with someone who can be a peer mentor when they get out. How might we scale that, however? How might this be a program that happens everywhere rather than just at this one hospital?

Ciitizen: When health services don’t offer enough support, patients then turn to technology to solve these issues for themselves, right?

Susannah: In a parallel world, so much is happening online without clinicians knowing about it. There are thousands of groups, whether they’re on old school listservs or Facebook, where patients are gathering together and sharing notes, and that’s where Ciitizen can really help to empower these communities. Right now people are sharing notes in a bespoke, handwritten way, carrying around notebooks with printouts of their records. How might we empower them with the industrial strength data that their clinicians have available to them? How might we make sure that those expert patient groups are really empowered with the information that they need?

Ciitizen: It’s interesting how often professionals underestimate consumers, in terms of their ability to figure out, understand, or educate themselves on very complex subjects. That, too, requires humility.

Susannah: I remember someone pointing out to me that the patient sitting alone in the exam room is actually surrounded by invisible loved ones who are waiting for the news at home. That patient may not fully understand what’s happening, but they might have a niece who is a nurse and who is waiting to get the information so that they can help recommend care. It reminds me of the idea of the long tail. There may only be a few people out there who are as geeky about a topic as we are, but you don’t know what they might create that other people may find useful. How can we free the data and give these people the ability to access the information when they want it? Most people don’t want to think about their health information until they have to. However, the minute they get that diagnosis, all of a sudden they want that data.

Ciitizen: Is technology the answer?

Susannah: What’s great is that the internet has created an expectation around access to data and giving feedback, so now people are more likely to write a review. That can be uncomfortable, until we realize that feedback can be a gift to the greater community. So how might we figure out how to receive these gifts? How might we allow someone who’s just been through a cancer treatment to tell the next person in line: “Remember to bring a blanket because it’s really cold when you wait for that MRI.” That’s not treatment advice. That’s just get-through-the-day advice.

Ciitizen: Thank you so much for taking the time to talk with us! I can’t wait to hear the a16z podcast with Anil and Vijay after the holidays.

HIPAA Compliance: Data By Email

Today we’re going to take a look at two particular rights you have as a patient when requesting your personal records from a medical institution. I’m going to copy and paste them directly from my colleague Deven McGraw’s blog post outlining patient health data rights under HIPAA:

  1. You have the right to an electronic copy of any information that is maintained electronically (such as in an electronic medical records) — and you even have the right to have paper copies scanned into an electronic format (such as PDF) if the institution or organization has scanning capabilities.

  2. You have the right to get your health information sent to you by email — even if your email isn’t secure, as long as you acknowledge that you are comfortable with receiving your health information this way.

In short: all hospitals today should be able to send you your health information via email. Hospitals still communicate medical information - both with patients and with doctors and other hospitals - by fax; most likely use electronic, cloud-based fax services, which also offer e-mail as an option. Hospitals who have this capability must deploy it to send records to a patient if that’s consistent with the patient’s request.

Continuing with our comparison of the statistics quoted in Yale’s Assessment of US Hospital Compliance With Regulations for Patients’ Requests for Medical Records, let’s take a look at what that team uncovered in terms of compliance with these two rights:

  • All hospitals stated in telephone calls and on the forms that they could release information via mail.

  • Hospitals unable to provide records by fax stated that they could fax records  - but only to physicians.

  • Two hospitals reported not being able to release records electronically if the records were originally in a paper format.

Regular mail compliance not a problem, and—if you’re lucky—you might potentially get your data via fax, but what about our HIPAA right as patients to have our data sent via email? Of the 83 hospitals surveyed as part of the study, here’s a look at the breakdown of options provided (so long as you could get them on the phone, as the options offered on the form were far worse):

  • 69 of them offered in-person pick up

  • 55 would provide the information via CD-ROM

  • Yet, only 39 out of 83 hospitals (47%) were able to email patient records upon request.

That means roughly half of the hospitals in the Yale report are likely non-compliant with HIPAA regulations allowing patients to have their health record sent to them via email. Our numbers were surprisingly a bit better at Ciitizen.

  • 68% of the institutions we’ve worked with on behalf of patients were able to provide the data digitally via email, yet that still means roughly a third of the hospitals did not.

  • 16% could only provide digital records via CD-ROM (sent via mail) and another 16% only allowed for paper records.

  • And while 68% were willing to use e-mail, that willingness occurred only after escalating the request to a supervisor or someone in the hospital’s HIPAA compliance office.

Of course, we already know that simply getting access to your medical records in ANY format already requires multiple phone calls, most of which require escalations up the food chain to privacy officers. It should therefore come as no surprise to find so many institutions out of HIPAA compliance with other aspects of their data release procedures as well.

-Nasha Fitter

HIPAA Compliance: Form vs. Phone

One of the most frustrating aspects of requesting your health information from a hospital is the actual requesting itself. While many institutions provide submission forms—both written and electronic—to handle the queries, you’re likely going to end up on the phone with a records department agent no matter what because of the discrepancies between the options available on these forms and the reality of your needs. Yale’s Assessment of US Hospital Compliance With Regulations for Patients’ Requests for Medical Records found that, “among the 83 top-ranked US hospitals representing 29 states, there was discordance between information provided on authorization forms and that obtained from the simulated patient telephone calls in terms of requestable information, formats of release, and costs.”

Looking at the stats, we can see exactly how those discrepancies break down:

  • As few as 9 hospitals (11%) provided the option of selecting the desired categories of information on the request form

  • Only 44 hospitals (53%) provided patients the option to acquire their entire medical record

  • On telephone calls, all 83 hospitals stated that they were able to release entire medical records to patients

At Ciitizen, helping patients request their health records is a daily office activity, and we’ve seen similar levels of discordance, not only with the discrepancies between what’s available on the form versus the phone, but also the amount of effort it takes to get someone on the phone who understands HIPAA’s right of access! On average, our team has found that:

  • A minimum of 3 escalations are often necessary in order to obtain reports

  • 50% of the time an escalation to the hospital’s chief privacy officer was necessary in order to get information released

  • Therefore, 50% of the hospitals we contacted—HALF!—were not compliant with HIPAA regulations right off the bat, requiring us to go up the food chain in order to exercise the right of access

Most of the time an escalation to a privacy officer was needed because our request via the form was denied, but as the Yale report supports: all hospitals are ultimately compliant if you can get them on the phone. Yet, while HIPAA requires hospitals to comply with patient requests for their health data, it doesn’t mandate how the requests themselves must be facilitated, but the the process shouldn’t be burdensome for patients.

So I have to ask: are incomplete data request forms that require patients to follow-up with multiple phone calls, often requiring escalation to the hospital’s privacy officer, considered “burdensome” under HIPAA?

Let’s not forget the Yale report also found that “three hospitals were unreachable, two of which provided no option to leave a voice message or reach a department representative.

If that’s not burdensome, what would fit that definition?

-David Driscoll

We Know There's A Problem

On October 5th, a group of researchers at Yale University, under the supervision of the renowned Dr. Harlan Krumholz, released a somewhat damning article titled Assessment of US Hospital Compliance With Regulations for Patients’ Requests for Medical Records. However, at Ciitizen, we simply call it: “the Yale report.” The study begins with a single question:

“Are US hospitals compliant with federal and state regulations in their medical records requests processes?”

The rest of the report is a lengthy analysis revealing the answer to that query, one we’ve already known for quite some time in our experience helping patients access their health data:

There are “inconsistencies in the information provided by medical records authorization forms and by medical departments in select US hospitals, as well as potentially unaffordable costs and processing times not compliant with federal regulations.”

In short, you cannot depend on a hospital to give you access to your rightful health data whatsoever, let alone in the stipulated time frame. Of course, if you’ve been reading this blog over the last few months, you already knew that. We’ve been sharing horror stories from patients, doctors, health advocates, and other professional voices within the industry since September, hoping to shed some light on the burden our health system unfairly puts onto patients. What the Yale report has now given us is academic proof of that conjecture. Despite the patient’s right of access under HIPAA, the regulations that require hospitals to comply, it’s still not easy for patients to request their health data. Let’s look at some of the numbers.

“Among the 83 top-ranked US hospitals representing 29 states, there was discordance between information provided on authorization forms and that obtained from the simulated patient telephone calls in terms of requestable information, formats of release, and costs,” the article states. According to the statistics only 11% of the hospital forms offered patients the option to select categories of desired information, and only 53% provided patients with the option of acquiring their entire record.

How can hospitals expect to provide patients with their requested health data when there’s no option to specify the data they’re looking to request? Interestingly enough, when contacted by phone, 100% of the “reachable” hospitals said they could provide the complete record. It wasn’t that they couldn’t, you just had to call them directly. Isn’t that why we say “operator” or “representative” immediately when dealing with automated customer service? Because we know that getting a live customer service rep is often the only way to get anything done. But that’s if you can get access to someone directly. Three hospitals in the study were deemed unreachable, and two offered no customer service option whatsoever

There’s a lot to chew on in the Yale study. Too much for one blog post. Over the next few weeks, we’re going to delve deeper into some of the findings and compare the results with some of our experiences here at Ciitizen. Stay tuned.

-David Driscoll


Back in early October, we posted a blog called “Let’s ALL Start Asking For Our Health Data,” encouraging everyone out there—healthy or ill—to request their complete medical records from anywhere they’ve received care as a patient. The goal was to put pressure on hospitals to update their information release processes, many of which are not HIPAA compliant and put an unnecessary burden on patients in need of their health data.

At the end of that blog, we invited anyone who experienced pushback or a lack of compliance as a result of that request to share their story with us, as we wanted to shine a light on some of those encounters here at the Voice of Ciitizens. The responses came in swiftly, many folks obviously eager to get the frustration they experienced off their chests. One woman actually wrote us an email while she was on the phone with her health system! She vented:

“OMG, I am ready to blow a fuse. It has taken me over an hour to source one radiology department at my hospital system. They say they are centralized but have zero clue what that word means! They are under one umbrella (more likely for tax reasons than anything else) but appear to operate as individual groups. I have made over ten calls to ascertain where I can find my radiology imaging and they just can’t answer the question.”

There were many stories like this.

In early November, we followed up with a piece called “Dinosaur Technology,” referencing a series of Tweets we sent to CNBC journalist Chrissy Farr in response to the outdated formats used to share health data. The thread unleashed more responses from frustrated patients, many of whom found it easier to share quick snippets of their experiences on social media than write a personalized email about their story.

That got us thinking: if we came up with a specific hashtag for patients to use when sharing these frustrations online, these stories could be categorized and easily accessible for the public, shining an even greater spotlight on what’s happening around the country.

In the words of the late Justice Louis Brandeis, a champion of individual rights, sunlight is the best disinfectant — and it’s clear from what we’re witnessing that a number of health records departments need to clean up their data release processes. Starting today, we’re encouraging everyone out there to share their stories using the hashtag #myhealthmydata, so that we can continue to put pressure on health systems to improve their HIPAA compliance.

At Ciitizen, our belief is we can do more, together. Let’s start by sharing our health data stories in order to raise greater awareness for a problem that isn’t getting any better.

-David Driscoll