PMWC Week: An Interview with Deven McGraw

With the Silicon Valley Precision Medicine World Conference in full swing this week, featuring three of our Ciitizen colleagues as guest speakers, today we’re posting an interview with our Chief Regulatory Officer Deven McGraw conducted by the team at PMWC (originally published here).

Prior to joining Ciitizen, Deven directed U.S. health privacy and security policy through her roles as Deputy Director for Health Information Privacy at the HHS Office for Civil Rights (the office that oversees HIPAA policy and enforcement) and Chief Privacy Officer (Acting) of the Office of the National Coordinator for Health IT. Deven also advised PCORNet (the Patient Centered Outcomes Research Network), as well as the federal All of Us Research Initiative, on HIPAA and patient-donated data research initiatives. Read her full bio at the PMWC site.

PMWC: Patient healthcare data aggregation and analysis is seen as both the panacea for tremendous breakthroughs in precision medicine and as one of its biggest challenges. Are both true and how so?

Deven: Yes, both are true. Achieving breakthroughs in precision medicine will require a lot of data – and yet it is often difficult for researchers to amass all of the data needed to advance precision medicine discoveries. Getting data from institutions can be a slog, due to multiple layers of review, lack of institutional incentives to share, and proprietary concerns. But individuals – particularly patients and their families – have great incentives to share data, to save themselves and to improve prospects for others like them. But the challenge is that individuals can face enormous obstacles in getting their data. They have a legal right to this data – but the institutions who hold this data still make it difficult for individuals to get their data.

PMWC: What are the biggest hurdles today in getting people to share their health data?

Deven: The biggest hurdle today in getting people to share their health data is that people can’t share what they don’t have. The obstacles to individuals getting all of their health data – so they can then share it to power discoveries – are far larger than the obstacles to sharing once individuals have dominion and control over their data. A second hurdle (which frankly will be far easier to solve) is providing people with trusted options for donating their data. It is a misnomer that people who are sick “don’t care” about their privacy – they do care, but they also want ways to liberally share their health information in order to try to help themselves and others like them.

PMWC: How can they be overcome? What is needed?

Deven: What is needed is for entities to more consistently comply with legal mandates to provide health data to patients. This is the law in the U.S. (HIPAA), and it is also the law in the EU (GDPR) and in other jurisdictions. U.S. law could also use some improvements, for example shorter timelines for release of data (30 days is way too long) and waiving of fees, particularly for patients who are sick.

PMWC: We have a long way to go with clinical trials enrolling at 2-3% today and that number falling. What type and level of shift in culture, laws, collection methods, or other areas is going to be needed to accomplish widespread data sharing?

Deven: Giving health information to patients – and letting them share data for clinical trial enrollment purposes – is a strategy that has been significantly underutilized. There are some restrictions that institutions face in allowing researchers to both examine data for potential clinical trial participants and then reach out to those individuals to enroll them. In addition, a single institution may not have all of the relevant data on a patient, because individuals – particularly those who are ill – are cared for in multiple settings. If patients are given dominion and control over all of their health information, they can actively seek out potential trials, or allow trial sponsors to examine their data to determine if they are eligible.

PMWC: Will there always be certain communities or populations that will not participate in research because of history or privacy issues?

Deven: Without a doubt there is work to do to earn the trust of individuals in communities with a deep distrust of research. But it is critical that we do this work, because those communities are significantly affected by disparities in health care – and data sharing will be key to eliminating those disparities. Building trust starts by giving control of health data to those individuals and communities – so that they are empowered to make decisions about with whom they will share this data.

PMWC: What role will personal technology play in scaling health data sharing and collection?

Deven: The patient, who has the right to all of their health information and the most interest in sharing it, should be the hub for data collection and sharing. But patients generate a great deal of health information – personal technology is key to enabling each patient to collect, aggregate and easily share his or her information. In addition, medical breakthroughs likely require amassing of large data sets – so personal technologies that enable patients to collectively share their data for medical breakthroughs will be essential.

Ciitizen Raises $17M in Series A Financing

We’re very excited to share the following press release with the Voice of Ciitizens readers:

Ciitizen, a consumer health tech company working to build the leading platform that helps patients collect, organize, and share their medical records digitally, has closed $17M in new funding in a round led by Andreessen Horowitz and included Section 32 and Verily. The company will use the proceeds to accelerate platform development and expand commercial operations. As part of the financing, Vijay Pande, General Partner of Andreessen Horowitz's Bio fund, will join the Ciitizen board of directors. Michael Pellini, Managing Partner at Section 32, and Andy Harrison, Head of Business and Corporate Development at Verily, will join the board as observers.

"Ciitizen uniquely understands the challenges cancer patients face - including the intense friction patients experience when managing their medical records in our current healthcare system," said Pande. "Using their deep insights, the Ciitizen team have developed sophisticated technology and tools that remove this friction, putting the power back in the patients' hands and literally saving lives."

The Series A financing follows a Seed round led by Andreessen Horowitz in July of 2018.

"The continued support from Andreessen Horowitz reaffirms the rapid progress we have already made and further validates our potential to significantly impact healthcare globally. Adding Section 32 and Verily to our effort further enhances our ability to transform the way patients engage with their health data," said Anil Sethi, CEO and Founder of Ciitizen, whose former company Gliimpse was acquired by Apple for its Health Records business. "Vijay (Pande)continues to set the standard in health-tech investing. Michael (Pellini) is a proven operator and leader, first as President and COO of Clarient and then as CEO of Foundation Medicine. Together with Andy (Harrison), they share our commitment to working on behalf of patients— ciitizens—to advance healthcare."

With continued development of the Ciitizen platform, the company is poised to release products that will make an immediate impact in healthcare.

"We are aggressively hiring to support release of products in partnership with select healthcare stakeholders that will immediately benefit patients—all driven by obtaining and organizing a patient's health data," said Premal Shah, COO and Co-Founder of Ciitizen. "Contrary to what is happening today, we want to facilitate patients gaining maximum direct benefit from what is rightfully theirs: their personal healthcare data."

In addition to launching the platform less than a year from the company's founding, Ciitizen initiated a weekly blog, The Voice of Ciitizens, that offers opinions from healthcare thought leaders on ways to address some of healthcare's most pressing challenges.

"We will always work to change healthcare for the benefit of patients, and we will continue to work with thought leaders and patient advocates in healthcare to do so," said Sethi.

a16z Podcast: Dark Data in Health Care

This past December, Ciitizen CEO Anil Sethi and advisor Susannah Fox joined a16z’s Vijay Pande and Sonal Chokshi for a conversation about “dark data” in health care. The audio podcast went live on the a16z website yesterday and we’ve reposted it here on the Voice of Ciitizens.

The problem of “dark data” in healthcare isn’t just a feel-good empowerment thing, but a structural issue that leads to miscommunication and extra friction, different players in the entire healthcare system not being able to collaborate with each other, and just major missed opportunities all round. And yes, it also leads to lack of empowerment for patients, not to mention doctors too (who often have less than 30 minutes on site to do their jobs).

But we already know all that. What’s not clear is WHY and HOW is this the case, when the very point of HIPAA — the Health Insurance Portability and Accountability Act (of 1996!) — is to make data portable, not private. That is, IF patients know to ask for it… and can easily get it. So what if we could have a sort of permissioned “permissionless innovation” for healthcare data, not only bringing all that dark data to light, but more importantly — borrowing from the history of internet innovation — letting all sorts of expected and unexpected uses be built on top as a result? What happens when data and entities can talk to each other (à la APIs) through patients at the center of the circle of data?

From the Dr. Google problem (or opportunity!) to clinical trials and even the opioid crisis, we — Susannah Fox (former CTO of the U.S. Department of Health and Human Services); Anil Sethi (CEO and founder of Ciitizen); and a16z bio general partner Vijay Pande; in conversation with Sonal Chokshi — explore all this and more in this episode of the a16z Podcast. Let there be light!

Stories of HIPAA Non-Compliance

Back in July 2018, Ciitizen began collecting medical records to populate accounts for the initial users of its platform. I was excited to put my knowledge of the HIPAA right of access, and my experience in drafting HHS 2016 guidance to help improve compliance with that right, into practice. I suspected we would face some obstacles – after all, complaints about the inability to fully exercise the HIPAA access right has been in the top five of categories of complaints received by the HHS Office for Civil Rights (OCR) since the right went into effect. But I had no idea then just how frustrating – and frankly depressing and demoralizing – the experience of obtaining medical records would be.  

The story I’m telling today is but one of many, sadly.

On July 27, 2018, Ciitizen emailed a letter to a large hospital in Colorado, seeking all records included in our user’s “designated record set” (which is all information that individuals have a right to under HIPAA) between 1999-2004 (encompassing the time period when our user had received services in that hospital). According to its website, this hospital accepted patient requests for information via email, which we were pleased to see (it helps avoid the delays associated with having to send the requests by mail). Our letter cited HIPAA requirements and guidance, and was digitally signed by the user via Docusign (which is a digital signing service that is super convenient for users and that I have used in the past to legally sign home and stock purchase documents). The letter also indicated that the records should be emailed to Ciitizen. We pressed “send” on the email, anticipating that we would receive the requested records within the required 30-day timeframe (by August 25, 2018).

On August 16, 2018, we received via regular mail a letter from a records release vendor working for the Colorado hospital. The letter stated there was a “discrepancy” between the signature on the request letter and the “signature on file.”  It indicated we could provide a copy of the patient’s valid ID with an authorization signed by the patient, or we could have the signature notarized. Our user indicated that the least burdensome path for them would be to resign and scan the request letter and provide a driver’s license copy.

Of note: the letter also indicated that we were to re-submit this request for documentation by mail to the Colorado hospital. So much for the use of email to speed up the process! On August 21, 2018 (very close to the original 30 day deadline for release of records), we mailed to the indicated address the re-signed request, plus a copy of the user’s driver’s license.  

On August 29th, we received an email from yet another vendor to the Colorado hospital indicating they had “inadvertently received the attached documentation” (our user’s resubmitted records request, plus driver’s license copy), adding “which I believe was meant to be returned to you.” The email also stated “[i]n regards to this matter, please see the first page for instructions on sending it back to our retention center for processing.” Since we had re-submitted the request exactly as directed, on August 31 we emailed the re-submitted request – along with a cover email documenting each step of this wild goose chase – to the original email address the Colorado hospital had indicated on its website for patient requests.

Note that we are now more than a month past our original request, with much of the delay resulting from the use of mail to return the original request to us, along with inaccurate instructions on how to mail a request that would meet their specific criteria. Ciitizen’s initial users are all individuals who have – or have had – cancer, and the time spent to get records is therefore critical.

Finally, on October 19, 2018 we received a letter by mail (dated September 30, 2018!) from the Colorado hospital’s initial medical record vendor indicating “[w]e no longer have any information on this patient for the date(s) specified. The medical record has been purged, because we only hold records for ten years.” We reconfirmed this information by phone directly with the hospital’s medical records department. Our Ciitizen user was  disheartened, as the user believed information from care received at that hospital could be relevant to a later cancer diagnosis. This information is now forever lost to further inquiry.

Although it is understandable that records would not be kept by the hospital indefinitely, the hospital and its vendor could have checked this much earlier in the process. And the process was inexplicably and unnecessarily drawn out for almost three months due to a slow response  from the vendor, coupled with the use of mail by either the hospital or its vendor for most correspondence, despite being in possession of (and in some cases actually using) a Ciitizen email address. It is also a textbook example for why it is critical for patients to get copies of their information promptly after being in the hospital or seeing the doctor.

To add insult to injury, although we received no records, we did receive an invoice from this vendor for a $14.00 “basic fee,” plus tax – a total of $15.23 (HIPAA does not permit a charge of a “basic fee” for HIPAA patient right of access request). We have had to send further correspondence disputing these impermissible charges, as the vendor is still trying to collect.

This is a particularly frustrating example of the infuriating maze that people are often forced to navigate in trying to obtain their medical records. We think these stories need to be told, in an effort to motivate greater compliance with HIPAA’s access rights.

Stay tuned, as we intend to tell them.

-Deven McGraw

Happy Holidays from Ciitizen

We’re taking a break from blogging over the next two weeks as we wind down for the holidays here at the office, but rest assured our drive to put patients in control of their health data will continue into 2019.

From everyone here at Ciitizen, we wish you the very best for the holiday season and look forward to empowering more patients with their health information in the new year.

See you in January!

-The Ciitizen Team

HIPAA Compliance: 30 Days or Less

Continuing with our comparative analysis of Yale’s Assessment of US Hospital Compliance With Regulations for Patients’ Requests for Medical Records, today we’re going to look at the HIPAA requirement that all requests for patient data be fulfilled within 30 days. As my colleague Deven McGraw pointed out in her blog post about patient data rights under HIPAA, 30 days is already far too long to wait, unfairly burdening a number of patients who need faster access to their data. For a cancer patient in need of their health information to procure a treatment plan, second opinion, or access to a clinical trial, 30 days can be the difference between life and death, and yet many patients are made to wait longer.

The Yale study focused primarily on the processes for the release of information, rather than the actual release of the information itself. As much of their research was done via phone calls, the team gathered data about the various policies of hospital records departments but not necessarily the reality of those processes. Since there was no actual request for data being made, the statistics show how long it would take to process a request for patient records according to the hospital staff member on the phone. According to the study:

  • Among the telephone calls, 71 hospitals provided mean times of release for paper copies of records. A maximum time of release was provided by 10 hospitals, and 2 hospitals were unable to specify a mean or maximum time of release.

  • Of that hospitals that provided mean times of release…

    • 17 (21%) reported mean times of less than 7 days

    • 21 (25%) in 7 to 10 days

    • 26 (31%) in 11 to 20 days

    • 4 (5%) in 21 to 30 days

    • 3 (4%) in more than 30 days

Here at Ciitizen, where we’re currently working on behalf of numerous patients to help them collect their health records, we can shed a bit of light on how long it actually takes to process some of these requests. Between what we’re told on the phone and when we actually get the information in hand, the time periods vary quite dramatically.

  • Of the 60 most recent patient requests we’ve submitted…

    • 11 (18%) took 30 - 39 days to arrive

    • 8 (13%) took 40 - 49 days to arrive

    • 5 (8%) took 50 - 59 days to arrive

    • 1 took 85 days to arrive

  • That means 25 out of 60 requests (42%) took 30 days or longer to receive.

I should also add that, in general, getting these records required more than a single phone call. As we’ve reported before, getting the data required numerous calls and escalations to a hospital’s privacy officer before access was finally granted, in spite of the institution’s policy or stipulated time of release.

Ultimately, we’ve found that the reality of getting the data in hand is even more time consuming and frustrating than the quoted time frames our friends at Yale have documented.

-Nasha Fitter

An Interview with Susannah Fox


This past week we had the chance to sit down with Susannah Fox, one of our advisors here at Ciitizen, for a conversation about technology and health. Susannah is the former Chief Technology Officer for the U.S. Department of Health and Human Services, and she specializes in providing strategic advice related to research, health data, technology, and innovation, targeting areas of the healthcare system that need to work better for patients and caregivers. She was in town to participate in the Andreessen-Horowitz podcast, along with Ciitizen CEO Anil Sethi and a16z general partner Vijay Pande -- but we got her alone for a twenty minute one-on-one beforehand, discussing everything from mental health to social media usage among young adults. Our conversation is below:

Ciitizen: You’re a mainstay at a number of large health conferences these days, and you’re also an eloquent speaker. How did you get started in your career?

Susannah: I was a start-up kid in the early nineties and then worked in journalism, helping to start a website for a magazine. I then became a researcher, and I was trained to only ever speak publicly about a subject that I had personally researched, whether talking to a reporter or on stage speaking at an event. It’s really good training for being careful with your words, which is important when you work in government.

Ciitizen: What I really admire about your blog and your writing is that you focus on technology and health coming together, but with technology more as a medium for human interconnectivity. It’s not about replacing human interaction but rather enhancing it. How did you get started with peer-to-peer health, and why does that subject continue to drive you?

Susannah: This interest at the intersection of health and technology started when I was at the Pew Research Center’s Internet Project, which began in the year 2000 as a way to look at the social impact of the internet on American society. I often like to say that was back when dinosaurs ruled the internet because it was such early days. Only about 50% of American adults had access to the internet at that time, and the Pew Charitable Trusts tasked us with doing national surveys, talking to people about how they were using the internet in regard to their civic life, their education and their children’s education, and their health and health care. Rebecca Rimel, the head of the Pew Charitable Trusts, was sitting in a conference one day where people were talking about the social impact of the internet as opposed to the business impact and no one had any data to show. She thought we should be talking about this important cultural phenomenon with data, so she allocated money to start the Pew Internet Project.

Ciitizen: What type of data did you ultimately find?

Susannah: When we started looking at various aspects of American society and how the internet was affecting it, health care emerged very clearly and early in our research as a part of the world that was deeply affected by the internet and technology, but we were coming at it from the consumer point of view. There were already researchers who were looking at it from the pharmaceutical companies’ point of view or from the doctors’ point of view. So much of the conversation in the late nineties and early 2000s surrounding the internet was about the stock market and how the web was changing business. Instead, we started by talking with regular people about how they used the technology and that got me interested in the patient perspective and the caregiver perspective.

Ciitizen: Did you start down that path on your own, or were there others that helped guide you?

Susannah: Early on I was very lucky to be taken under the wing of Tom Ferguson, who was an amazing MD and the first medical editor of the Whole Earth catalog. He was an early internet pioneer and someone who believed from the beginning of his medical training that the most important thing health care can do is to push as much knowledge and power as possible to the patients so that they can solve their own problems. That’s actually where health and well being lives: at home, not in the clinic. He encouraged me to start doing field work. I studied anthropology in college and he encouraged me to use that background to ask questions. More importantly, ask questions that people want to answer.

Ciitizen: What do you mean by “questions that people want to answer?”

Susannah: This past year I did a survey where we looked at how teenagers and young adults are using social media, especially in regard to their emotional well being. There’s a lot of public conversation about the rise in depression, anxiety, and suicidality in this age group, and it’s very concerning. It also happens to coincide with the rise of social media, so there has been some blame. The adults think if their kids could just put down their phones, they would feel better. Hopelab and Well Being Trust, who are the sponsors of this research, asked me and my co-author Vicky Rideout to take a look at this. We did a survey where we asked some questions that are clinically-validated scales for depression. What’s really important is that we asked the teens and young adults to tell us, in their own words, how they use social media when they’re feeling blue. No one had ever done that before, giving the power to the respondent in the survey, and we were almost overwhelmed by the response. We had over 600 responses to one open-ended question. It was almost as if teens and young adults had been waiting to answer it!

Ciitizen: They say you can always learn more by listening.

Susannah: Yes, and that’s what you want to do when you’re going into a new or emerging field. You need to have humility, and you want to listen first before you ask these questions. You want to think from the perspective of the respondent, or user of the product. How can I put myself in their shoes? How can I better understand their perspective? Well…how about we just ask them? What we found is that teens and young adults use social media in a number of different ways, and they’re pretty savvy about it. They actually curate their feeds so that when they’re feeling sad, and when they’re feeling depressive symptoms, they specifically go to Instagram because they’ve curated their feed to include funny cat videos, or inspiring biblical passages—whatever they’re into.

Ciitizen: So would you say you specialize in understanding how people use technology surrounding their health?

Susannah: My friend Paul Tarini gave me my favorite description of what I do: he said you’re an internet geologist, meaning I study the patterns in the landscape, and I can give advice to companies, organizations, and individuals about the patterns that I see. I can make some predictions. I can sort of look and say there’s going to be an earthquake, but I don’t make a lot of judgments because I come from a researcher’s point of view. The one area where I really feel motivated to have a stronger point of view is when it comes to peer-to-peer health.

Ciitizen: I heard Anil talking to you earlier about the fact that we don’t have enough doctors in the world to treat everyone who needs help, so you have to ask: are there a number of problems we can help patients with that don’t require them to see a doctor? Could they instead reach out to a network of health professionals or trusted individuals?

Susannah: Exactly, if you think about the problems that we have in life, a lot of the challenges that we have with our health or well being, whether they’re physical or mental, are actually taken care of at home. The decisions we make about the food that we eat, whether we’re going to exercise today or not, how we’re going to curate our Instagram feed—these are all decisions that we are making without consultation. We naturally turn to peers for things that we know peers have information about. I’ve done some research that shows—and this is very reassuring to a lot of people in health care—people are still more likely to turn to a clinician when it’s something serious. So when they need a diagnosis, or they’re figuring out a treatment plan, people still turn to their doctor. But if it’s something everyday they’re just as likely to turn to a friend or a peer.

Ciitizen: What about for rare diseases or odd symptoms?

Susannah: What I saw in my field work was that people were more likely to go online in these instances because they might not have anyone in their social circle that could answer that question. Looking at this emotional well-being survey, we asked questions about gender identity and how someone identifies in terms of their sexual orientation, and the LBTGQ kids were much more likely to go online for their health information because they feel alone or rare. But here’s the really important thing to know: we all feel rare when we have a new diagnosis, which is why the power of peer-to-peer health is so important. We’re never going to have enough nurses, doctors, and clinicians to answer all these questions or quell these anxieties.

Ciitizen: That’s when people start talking about Dr. Google as a solution.

Susannah: Right, we’ve got Dr. Google now as the de facto second opinion, but that’s not good enough.

Ciitizen: What are some of the tech-related products you’ve seen out there that might offer support for patients? Besides Ciitizen, of course.

Susannah: I’m all about pushing power out to the edges of the network where humanity lives. I want to do whatever I can to increase people’s access to information, data, and the tools that they need to solve their own problems. In the clinical setting, I’m seeing some very interesting work at Cincinnati Children’s Hospital with their pediatric IBD and ulcerative colitis practice. They are part of a network of doctors who are sharing best practices all across the country, and they also have a parallel network of families because there’s a lot of home care when it comes to caring for kids with ulcerative colitis. They’re creating a platform that creates a sharing of knowledge between these two networks, between clinicians and patient families.

Ciitizen: It sounds like they recognize the power of patient knowledge.

Susannah: Any time people recognize the power of peer and patient knowledge, it’s a good thing. When a newly diagnosed woman with breast cancer is offered the opportunity to have—in addition to a clinical consult—the opportunity to talk with someone who has been through a similar process at the same hospital, that’s really valuable. Just somebody to talk to who’s ahead of them on the path who can provide advice. I’ve also seen some great work being done in recovery. The opioid crisis is something we’re dealing with in this country where we don’t have enough treatment centers, clinicians, and response to handle the problem. It’s a wonderful thing to see Mass General, where patients are going through withdrawal and recovery, matching patients with someone who can be a peer mentor when they get out. How might we scale that, however? How might this be a program that happens everywhere rather than just at this one hospital?

Ciitizen: When health services don’t offer enough support, patients then turn to technology to solve these issues for themselves, right?

Susannah: In a parallel world, so much is happening online without clinicians knowing about it. There are thousands of groups, whether they’re on old school listservs or Facebook, where patients are gathering together and sharing notes, and that’s where Ciitizen can really help to empower these communities. Right now people are sharing notes in a bespoke, handwritten way, carrying around notebooks with printouts of their records. How might we empower them with the industrial strength data that their clinicians have available to them? How might we make sure that those expert patient groups are really empowered with the information that they need?

Ciitizen: It’s interesting how often professionals underestimate consumers, in terms of their ability to figure out, understand, or educate themselves on very complex subjects. That, too, requires humility.

Susannah: I remember someone pointing out to me that the patient sitting alone in the exam room is actually surrounded by invisible loved ones who are waiting for the news at home. That patient may not fully understand what’s happening, but they might have a niece who is a nurse and who is waiting to get the information so that they can help recommend care. It reminds me of the idea of the long tail. There may only be a few people out there who are as geeky about a topic as we are, but you don’t know what they might create that other people may find useful. How can we free the data and give these people the ability to access the information when they want it? Most people don’t want to think about their health information until they have to. However, the minute they get that diagnosis, all of a sudden they want that data.

Ciitizen: Is technology the answer?

Susannah: What’s great is that the internet has created an expectation around access to data and giving feedback, so now people are more likely to write a review. That can be uncomfortable, until we realize that feedback can be a gift to the greater community. So how might we figure out how to receive these gifts? How might we allow someone who’s just been through a cancer treatment to tell the next person in line: “Remember to bring a blanket because it’s really cold when you wait for that MRI.” That’s not treatment advice. That’s just get-through-the-day advice.

Ciitizen: Thank you so much for taking the time to talk with us! I can’t wait to hear the a16z podcast with Anil and Vijay after the holidays.

HIPAA Compliance: Data By Email

Today we’re going to take a look at two particular rights you have as a patient when requesting your personal records from a medical institution. I’m going to copy and paste them directly from my colleague Deven McGraw’s blog post outlining patient health data rights under HIPAA:

  1. You have the right to an electronic copy of any information that is maintained electronically (such as in an electronic medical records) — and you even have the right to have paper copies scanned into an electronic format (such as PDF) if the institution or organization has scanning capabilities.

  2. You have the right to get your health information sent to you by email — even if your email isn’t secure, as long as you acknowledge that you are comfortable with receiving your health information this way.

In short: all hospitals today should be able to send you your health information via email. Hospitals still communicate medical information - both with patients and with doctors and other hospitals - by fax; most likely use electronic, cloud-based fax services, which also offer e-mail as an option. Hospitals who have this capability must deploy it to send records to a patient if that’s consistent with the patient’s request.

Continuing with our comparison of the statistics quoted in Yale’s Assessment of US Hospital Compliance With Regulations for Patients’ Requests for Medical Records, let’s take a look at what that team uncovered in terms of compliance with these two rights:

  • All hospitals stated in telephone calls and on the forms that they could release information via mail.

  • Hospitals unable to provide records by fax stated that they could fax records  - but only to physicians.

  • Two hospitals reported not being able to release records electronically if the records were originally in a paper format.

Regular mail compliance not a problem, and—if you’re lucky—you might potentially get your data via fax, but what about our HIPAA right as patients to have our data sent via email? Of the 83 hospitals surveyed as part of the study, here’s a look at the breakdown of options provided (so long as you could get them on the phone, as the options offered on the form were far worse):

  • 69 of them offered in-person pick up

  • 55 would provide the information via CD-ROM

  • Yet, only 39 out of 83 hospitals (47%) were able to email patient records upon request.

That means roughly half of the hospitals in the Yale report are likely non-compliant with HIPAA regulations allowing patients to have their health record sent to them via email. Our numbers were surprisingly a bit better at Ciitizen.

  • 68% of the institutions we’ve worked with on behalf of patients were able to provide the data digitally via email, yet that still means roughly a third of the hospitals did not.

  • 16% could only provide digital records via CD-ROM (sent via mail) and another 16% only allowed for paper records.

  • And while 68% were willing to use e-mail, that willingness occurred only after escalating the request to a supervisor or someone in the hospital’s HIPAA compliance office.

Of course, we already know that simply getting access to your medical records in ANY format already requires multiple phone calls, most of which require escalations up the food chain to privacy officers. It should therefore come as no surprise to find so many institutions out of HIPAA compliance with other aspects of their data release procedures as well.

-Nasha Fitter