Stories of Non-Compliance: Fax & Email Requests

We sent a plethora of requests to a massive, well-known hospital chain on the west coast recently, and they responded by sending us this:

***Action Required*** Faxed/Emailed Requests No Longer Accepted - Please Mail Requests With Prepayment.

Let’s just forget for the moment that the email we received included an encrypted password just to access the notice that our request could not be faxed or emailed, creating yet another obstacle for our patient. As Deven’s blog post on Tuesday stated, per OCR guidelines, hospitals cannot force patients to mail in an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus the individual’s access. Hospitals also cannot charge unreasonable fees, yet this particular hospital chain was demanding a prepayment—even though digital copies of digital records would generate a low (if any) fee, and how do you know how much you are required to pay before you’ve even submitted a request?

But this is the type of message we see all too often, if we’re lucky enough to receive any message at all.

We recently faxed another request to a provider listed as one of the “top 100 hospitals” in the US, part of a division of a leading hospital management company with 34 hospitals across 10 states. After not hearing anything for three days, we called the office to follow up. The medical records representative’s exact response to our Ciitizen request sheet was:

“You make life so complicated. What the heck? Your form confused the heck out of me. I just put it to the side.”

At Ciitizen, we use nothing more complicated than a standard form to request medical records. The fact that it confused this particular representative is highly unnerving, but even more concerning is that she chose to put it aside rather than follow up on the request (we provide our contact information, of course). She then added that it would take her 15 days just to transfer the request to corporate. When we pushed back that this request was for a cancer patient needing continuity of care, she said:

“Well, I could expedite it. Do you want me to?”

Uh….for God’s sake: YES! We are helping cancer patients in need of treatment here, and fortunately we understand the rights that HIPAA provides them to access their health records. But what about those patients that are putting in requests on their own? Are they supposed to fight a two-front war against the disease on one side, and the hospital’s records department on the other?

Complying with the HIPAA Right of Access Requires HIPAA-Compliant Processes

Covered entities have an obligation under the HIPAA Rule to provide individuals with the right to access and receive copies of their health information. Last week we covered the scope of this right, which is all information that is part of the “designated record set,” including images and clinician notes.

This week we’re going to talk about covered entities’ obligations to adopt policies and procedures to assure that individuals can actually exercise this access right. In other words, to both honor this right and handle the influx of requests, covered entities must establish processes to receive and service these requests in ways that are compliant with HIPAA (45 CFR 164.130(i)(1)).

OCR has made clear in guidance that these processes “may not impose unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access.”

This is direct from OCR’s guidance on the right of access:

For example, a doctor may not require an individual:

  • Who wants a copy of her medical record mailed to her home address to physically come to the doctor’s office to request access and provide proof of identity in person.

  • To use a web portal for requesting access, as not all individuals will have ready access to the portal.

  • To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus the individual’s access.

While a covered entity may not require individuals to use mail, use a portal, or submit requests in person, entities may permit an individual to do so if desired. In general, covered entities are encouraged to offer individuals multiple options for requesting access in order to make it easier on the patient. At a minimum, covered entities must inform individuals that they have a right to access and get a copy of their health information in their Notice of Privacy Practices (which you are likely familiar with, as you should have been provided with a copy on your first visit to a new doctor or hospital, or when you enroll in a new health plan). Unfortunately, this notice only informs you of what your rights are, and typically information about how to exercise those rights is found elsewhere (such as on an institution’s website).

In addition to establishing HIPAA-compliant processes for receiving individual requests, a covered entity must respond to that request in a way that is compliant with the HIPAA Privacy Rule. For example:

  • Individuals can say how they would like to receive the information - such as wanting a digital copy and/or wanting the information to be e-mailed - and this request must be honored as long as the covered entity can “readily produce” the copy in the way the individual wants it. OCR has made clear in the above guidance that “readily producible” means the entity is capable of honoring the request (vs. what the entity would prefer). The covered entity must honor the individual’s request regarding the form and format of the information as long as it is readily producible.

  • Covered entities cannot charge fees greater than a reasonable, cost-based fee for the labor costs associated with making the copy requested by the individual and any supplies necessary to fulfill the individual’s request.

  • Covered entities must send the information to an individual’s designated third party and must do so within 30 days in most circumstances.

Covered entities are also required to train staff on what HIPAA requires, including on the elements of the right of access (45 CFR 164.530(b)). Because the right of access is an individual right under the HIPAA Privacy Rule, OCR has maintained that covered entities are accountable to OCR for assuring they are in compliance with this right. This means that if a covered entity hires a vendor to service patient access requests on its behalf, the covered entity is liable if that vendor is out of compliance with HIPAA. This helps make certain that everyone involved in the records supply chain is accountable.

All covered entities must also have the capability of obtaining the information requested by an individual that is maintained by a covered entity’s business associate; for example, information held by a provider’s electronic health record vendor or a storage company that keeps historical records. Thus, there’s no HIPAA loophole for institutions that claim they do not have to provide records that are not onsite.

In a perfect world, these record request processes are easily accessible by consumers, and getting your health data is a simple, pain-free process. However, we’ve found that in our experience requesting records on behalf of our Ciitizen users, the reality in most cases is far from ideal.

See our blog post on Thursday for more examples of noncompliance.

-Deven McGraw

Imaging Included

As Deven stated this past Tuesday, the “designated record set”—the data that we as patients have a right to—is an often misunderstood aspect of our rights under HIPAA. As an example, many patients don’t realize they have a right to copies of all of their imaging—every x-ray, CT scan, MRI, and even the photos from your colonoscopy!

Today we want to talk about our efforts at Ciitizen to obtain copies of images for our users.

When we first started asking for medical records on behalf of patients, we relied on hospital websites for guidelines on how to submit those requests. With each request we specifically stated that we were seeking images as part of the “designated record set.” Early on, we gave each institution the benefit of the doubt and waited to follow up until we were close to the HIPAA 30-day deadline. (Of note: we have since learned that follow-up within 48 hours is necessary to avoid the request going into a black, bureaucratic hole.)

When we did call to check on these early requests, it surprised us to learn that, for many institutions, a separate imaging request had to be specifically submitted to the hospital’s radiology department. Needless to say, this tidbit of information was not included as part of the website page of instructions on how patients should submit their requests; we actually learned this information when we called to check on the request. One institution even told us (confidentially, we presume!) that, when they received requests for radiology images, they ignored that aspect of the request, as the health information management (HIM) department was not authorized to release images to patients.

As we know, however, imaging is indeed part of the “designated record set.” Yet, when we call radiology departments to determine their processes for getting x-rays to patients (or their designees), we too often hear that the radiology department will not release images to patients—only to other medical professionals. In fact, roughly one out of every ten institutions we’ve queried seems to think imaging is not included under the HIPAA right of access.

First, if an institution wants radiology requests going directly to the radiology department, this needs to be communicated to patients up front. Secondly, the institution is still obligated under HIPAA to provide this information to patients, so if the radiology department isn’t properly trained on the HIPAA right of access (which seems to be the case at least 10% of the time), that’s a serious non-compliance issue.

In one particular instance, we sent a request to a community hospital for a “designated record set,” including images, on behalf of a cancer patient and had to follow up when we did not receive the information by the 30-day deadline. (Our request also had to be sent by mail—no other communication method was permitted—but we’ll take on that issue in a future blog post.)

Our request clearly indicated that the patient wanted designated record set information to be sent to Ciitizen by email (with acknowledgements of the security risks of unsecure email, as required by HIPAA), and that the institution could mail a CD with images if they were too large to be e-mailed. Nevertheless, we received a CD by mail of medical records over a month and a half later—accompanied by a letter indicating that the radiology images needed to be requested directly from the radiology department. We had already had phone conversations with the community hospital’s HIM department when the records were in danger of being post-30 days, and at no point did the HIM staff tell us we needed to send a separate request to radiology. Not until we received the letter well past the compliance deadline did we learn of this necessity.

As a result of this all-too-frequent scenario, we now call all facilities ahead of time to find out directly from hospital administrative staff about the specific processes for filing requests, including for images, and we hear from far too many radiology departments that images “cannot” be released to patients as they are not part of the “designated record set” (yet, we know from Deven’s blog post this is incorrect!).

It is not unusual for us to hear different policies regarding the release of radiology images (will they or won’t they release to patients) from different locations of the same hospital system. That some large hospital systems don’t standardize their policies isn’t necessarily shocking, but the fact that they’re non-compliant with HIPAA is entirely unacceptable.

The Designated Record Set

The right of individuals to access their health information under HIPAA is one of the most frequently misunderstood provisions of the HIPAA Privacy Rule. Patients frequently underestimate this right and think they cannot access or receive copies of some or all of the information in their records. Why? Because the information they are provided about the right of access, from the very entities required to comply with this right, is often inaccurate.

One purpose of the #myhealthmydata campaign is to gather and share our stories - as well as stories from patients and their caregivers - of the effort it takes to collect one’s health information using the HIPAA right of access. But we also want to educate patients - and the public - about HIPAA’s requirements, so that the next time you ask for copies of your health information (which we encourage you to do), you’ll know when not to take “no” for an answer.

This week’s lesson is about the “designated record set.”

One common way that health care entities push back on patients requesting their records is to claim that certain categories of information “cannot be shared” with patients. Images - such as x-rays and MRIs - are often denied to patients, and progress notes from physicians or other medical professionals - often a rich source of information about a patient’s diagnosis and treatment - are another category of information some providers are reluctant to share directly with patients.

Under the HIPAA Privacy Rule, patients have the right to access and obtain copies of all of their identifiable health information (called protected health information or PHI) that is part of a “designated record set.” 45 CFR 164.524(a)(1) clearly explains that the “designated record set” is more than just what an entity decides is part of a patient’s “medical record.” It is all records held by a health care provider or health plan that are:

(i) The medical records and billing records about individuals maintained by or for a covered health care provider;

(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals. (45 CFR 164.501)

Psychotherapy notes that are kept separate from other information in a patient’s record are not part of the designated record set (and therefore not subject to the patient’s right of access), but this exception is limited to psychotherapy notes, which are notes recorded by a mental health professional as part of a psychotherapy session. This exception does not extend to notes from other professionals. (Information compiled for the purpose of a civil, criminal or administrative action or proceeding is also excepted from this right.) But the breadth of this definition - and that there are only a couple of narrow exceptions - means patients are entitled to most health information that is generated about them and held by a health care provider or a health plan.

The agency that enforces HIPAA - the HHS Office for Civil Rights (OCR) - has made clear in guidance that the “designated record set” includes x-rays and other images, and also includes provider notes. You can see where OCR could not be more clear that patients have a right to receive copies of their X-rays. OCR does note that image files can be quite large, so often there needs to be some negotiation between the provider and the patient (or a vendor or service like Ciitizen working on the patient’s behalf) about how best to convey the copy of the image to the patient, but at no point does OCR question whether individuals should be able to get copies of x-rays directly pursuant to the HIPAA right of access.

As for provider notes, OCR has also made it clear that patients have a right to obtain a copy of provider notes. This guidance also reinforces the right of patients to get copies of their x-rays.

You can’t get more clear guidance than what is in those two links. Why patients are still getting misinformation about their rights to this information is … well, let’s just say it’s a head scratcher. It’s also a violation of the HIPAA right of access to deny individuals copies of their health information based on misinformation about HIPAA. Just like in the movies, “ignorance of the law is no excuse.”

We also want to give a shout out to ePatient Dave and to the Open Notes Program - both of whom have been among the many steadfast advocates for the right of patients to access their health information.

ePatient Dave (Dave deBronkart) wrote a great blog post last year to counter the argument that patients won’t want their images because they won’t be able to read or understand them. If there’s one thing we should never doubt in the internet age, it’s the ability of consumers to educate themselves and become experts in their own right. As we’ve learned here at Ciitizen, nothing motivates a patient to seek out and understand their medical records more than a cancer diagnosis.

The Open Notes program has been steadfastly working to encourage health care providers to voluntarily make notes affirmatively available to patients, such as through patient portals. Yes, notes are already required to be made accessible to patients when they ask for them, but OpenNotes advocates for providers to make this information accessible to patients without the patients having to specifically ask for them. The more information made affirmatively available to patients, the easier it will be for them to collect their comprehensive health histories with minimum hassle. And I think we’ve made it clear over the last few months what a hassle it can be.

And now you know your rights in the midst of such a hassle. Yes, you have the right to get copies of all of your health information, including the images, and copies of the notes. They are indeed part of the “designated record set.”

-Deven McGraw

Documenting a Records Request

As we continue to advocate for patients and help them get their records, we wanted to give the world an inside view into what can be a thankless, endless, and often fruitless process.

These are medical records which already exist in their entirety.

Records that are a patient’s lifeline to continuity of care.

Records that can provide access to life-saving clinical trials.

And lest we forget - records which are a patient’s right to have and to hold in 30 days or less.

Let’s take a peek at the timeline of a real request by Ciitizen for records on behalf of a real cancer patient. Brace yourselves.

August 20th, 2018: Ciitizen submits a faxed patient access request form to a leading medical institution in New York. The request asks for all health records on file. Upon receiving no response to this rather urgent request, Ciitizen calls to check on the progress. On this first call Ciitizen is advised that the request has been outsourced to a records copy service and Ciitizen must follow up with them directly.

September 17th, 2018: Ciitizen calls the copy service company. The wait time to reach a customer service representative is over 15 minutes. The patient’s date of birth and name are given - the passport for receiving any information about a request - and Ciitizen is advised that there is no request on file for these records.

Ciitizen reaffirms that the medical institution confirmed the faxed request had been received and duly passed along. The copy service is unmoved by this information. They have nothing on file. Ciitizen is asked to re-fax the request. A new fax number is given.

Ciitizen re-faxes the request. Ciitizen places a second call to the copy service to confirm receipt of said fax. The copy service, citing its procedural policy, advises Ciitizen that it will have to wait another 15 days to confirm receipt of the request form, let alone fulfill it.

In order to bypass this unacceptable delay, Ciitizen places a third call to the copy service; this time to the supervisor’s department with the goal of explaining that proof of the first fax could be provided, and to remind said copy service that the records in question belong to a cancer patient, to whom any additional wait would be extraordinary and life-threatening. A third fax number is provided and Ciitizen is once again asked to re-fax. This time Ciitizen is promised a call back to confirm receipt and to advance an expedited timeline for sending the data, given the number of days that have already passed.

At 12.41 pm EST an agent calls Ciitizen. Shockingly, the agent is both aggravated and annoyed at having to place this call, talking over our patient advocate and raising her voice in sheer frustration at our persistence. Dismayed by the agent’s tone, our patient advocate vehemently voices discontent at the sheer lack of professionalism, only to be hung up on!

Understandably furious, our Ciitizen employee reaches out to yet another supervisor; this time a gentleman in all senses of the word. He is horrified by the account and very much motivated to help us with our cause. He states he is now going to help with the records retrieval process moving forward, and requests a short time to review our original request. At 4.45 PM, Ciitizen receives a call back confirming the record request and a corresponding transaction number.

September 18th, 2018: The new supervisor calls our Ciitizen employee to confirm that the records will now be sent out. By mail. He supplies a transaction number advising that we could reasonably expect records within a week. He also offers that if we were to provide and pay for an overnight service then records could be expedited.

Given that the request form clearly, concisely, and specifically requests the records be sent electronically - i.e. by email - our patient advocate questions why such a request cannot be fulfilled. We’re told that records cannot be sent in such a manner due to encryption reasons, as this would be a HIPAA violation. (Side note - it is a HIPAA violation NOT to send them this way since the request asks for them in this format.) Our patient advocate politely points out that our form addresses that issue in the full context of the HIPAA law, therefore rendering the electronic release HIPAA compliant.

And then we’re put on hold. Five minutes later, the supervisor returns to the call with “great news.” An electronic link to Ciitizen is offered where Ciitizen can download the patient’s information with an access code. A link that provides immediate access to said records. Finally!

September 26th, 2018: Ciitizen receives an invoice from the company for the processing fees of these ready-to-go electronic records. Ciitizen pays the fee immediately.

September 27th, 2018: On day 37, seven days after the required 30-day time period for compliance, the link arrives.

So to sum this unsavory experience up:

7 phone calls

3 faxes

2 escalations

…and almost 2 hours of phone time to retrieve ready-to-go electronic records that are sitting waiting to be emailed out. And finally records are retrieved.

Now imagine that this responsibility befalls the patient - a cancer patient dealing with health issues that many of us can only imagine. It’s utterly inexcusable.

But in reality, this is what transpires every day at a mind-boggling number of major hospitals and medical centers across the USA. Change has to happen and it has to happen now. This needed change is what Ciitizen is fighting for. For you, your families, and for patients across America.

#myhealthmydata Stories

Since starting the Voice of Ciitizens blog back in the summer of 2018, we’ve spent most of our time defining, documenting, and denouncing the myriad of roadblocks that stand between patients and their personal health data, from the lack of compliance with federal HIPAA regulations to the “dinosaur technology” still in use. Now that 2019 is upon us and the problem is clear, the question has become: what can we do to try to fix it?

While helping patients obtain their health data from hospitals all over the country, we’ve found that a number of hospitals either don’t understand the patient’s right of access under HIPAA or (in worse cases) are indifferent to it. For months, we’ve been asking ourselves at the Ciitizen office how we can help well-meaning institutions improve their medical record release procedures and become HIPAA compliant, while simultaneously motivating the stragglers to follow suit.

That internal question led to an idea, which culminated in the #myhealthmydata campaign.

What if we took our experiences in trying to obtain medical records for our Ciitizen users and objectively evaluated those experiences based on what the HIPAA Privacy Rule requires? And what if we made those stories public - both our general experiences as well as instances with specific institutions - perhaps by name - that we have contacted, openly sharing it online for the world to see? Could stories of hospital responses to our record requests help both shine a light on what seems to us to be a serious noncompliance problem and also be a catalyst for change? And might we surprise ourselves with stories of people who are actually doing this right?

We think the answer to these questions is yes. What exactly would all of that look like? Follow #myhealthmydata and we’ll show you.

-The Ciitizen Team

PMWC Week: An Interview with Deven McGraw

With the Silicon Valley Precision Medicine World Conference in full swing this week, featuring three of our Ciitizen colleagues as guest speakers, today we’re posting an interview with our Chief Regulatory Officer Deven McGraw conducted by the team at PMWC (originally published here).

Prior to joining Ciitizen, Deven directed U.S. health privacy and security policy through her roles as Deputy Director for Health Information Privacy at the HHS Office for Civil Rights (the office that oversees HIPAA policy and enforcement) and Chief Privacy Officer (Acting) of the Office of the National Coordinator for Health IT. Deven also advised PCORNet (the Patient Centered Outcomes Research Network), as well as the federal All of Us Research Initiative, on HIPAA and patient-donated data research initiatives. Read her full bio at the PMWC site.

PMWC: Patient healthcare data aggregation and analysis is seen as both the panacea for tremendous breakthroughs in precision medicine and as one of its biggest challenges. Are both true and how so?

Deven: Yes, both are true. Achieving breakthroughs in precision medicine will require a lot of data – and yet it is often difficult for researchers to amass all of the data needed to advance precision medicine discoveries. Getting data from institutions can be a slog, due to multiple layers of review, lack of institutional incentives to share, and proprietary concerns. But individuals – particularly patients and their families – have great incentives to share data, to save themselves and to improve prospects for others like them. But the challenge is that individuals can face enormous obstacles in getting their data. They have a legal right to this data – but the institutions who hold this data still make it difficult for individuals to get their data.

PMWC: What are the biggest hurdles today in getting people to share their health data?

Deven: The biggest hurdle today in getting people to share their health data is that people can’t share what they don’t have. The obstacles to individuals getting all of their health data – so they can then share it to power discoveries – are far larger than the obstacles to sharing once individuals have dominion and control over their data. A second hurdle (which frankly will be far easier to solve) is providing people with trusted options for donating their data. It is a misnomer that people who are sick “don’t care” about their privacy – they do care, but they also want ways to liberally share their health information in order to try to help themselves and others like them.

PMWC: How can they be overcome? What is needed?

Deven: What is needed is for entities to more consistently comply with legal mandates to provide health data to patients. This is the law in the U.S. (HIPAA), and it is also the law in the EU (GDPR) and in other jurisdictions. U.S. law could also use some improvements, for example shorter timelines for release of data (30 days is way too long) and waiving of fees, particularly for patients who are sick.

PMWC: We have a long way to go with clinical trials enrolling at 2-3% today and that number falling. What type and level of shift in culture, laws, collection methods, or other areas is going to be needed to accomplish widespread data sharing?

Deven: Giving health information to patients – and letting them share data for clinical trial enrollment purposes – is a strategy that has been significantly underutilized. There are some restrictions that institutions face in allowing researchers to both examine data for potential clinical trial participants and then reach out to those individuals to enroll them. In addition, a single institution may not have all of the relevant data on a patient, because individuals – particularly those who are ill – are cared for in multiple settings. If patients are given dominion and control over all of their health information, they can actively seek out potential trials, or allow trial sponsors to examine their data to determine if they are eligible.

PMWC: Will there always be certain communities or populations that will not participate in research because of history or privacy issues?

Deven: Without a doubt there is work to do to earn the trust of individuals in communities with a deep distrust of research. But it is critical that we do this work, because those communities are significantly affected by disparities in health care – and data sharing will be key to eliminating those disparities. Building trust starts by giving control of health data to those individuals and communities – so that they are empowered to make decisions about with whom they will share this data.

PMWC: What role will personal technology play in scaling health data sharing and collection?

Deven: The patient, who has the right to all of their health information and the most interest in sharing it, should be the hub for data collection and sharing. But patients generate a great deal of health information – personal technology is key to enabling each patient to collect, aggregate and easily share his or her information. In addition, medical breakthroughs likely require amassing of large data sets – so personal technologies that enable patients to collectively share their data for medical breakthroughs will be essential.

Ciitizen Raises $17M in Series A Financing

We’re very excited to share the following press release with the Voice of Ciitizens readers:

Ciitizen, a consumer health tech company working to build the leading platform that helps patients collect, organize, and share their medical records digitally, has closed $17M in new funding in a round led by Andreessen Horowitz and that also included Section 32 and Verily. The company will use the proceeds to accelerate platform development and expand commercial operations. As part of the financing, Vijay Pande, General Partner of Andreessen Horowitz's Bio fund, will join the Ciitizen board of directors. Michael Pellini, Managing Partner at Section 32, and Andy Harrison, Head of Business and Corporate Development at Verily, will join the board as observers.

"Ciitizen uniquely understands the challenges cancer patients face - including the intense friction patients experience when managing their medical records in our current healthcare system," said Pande. "Using their deep insights, the Ciitizen team have developed sophisticated technology and tools that remove this friction, putting the power back in the patients' hands and literally saving lives."

The Series A financing follows a Seed round led by Andreessen Horowitz in July of 2018.

"The continued support from Andreessen Horowitz reaffirms the rapid progress we have already made and further validates our potential to significantly impact healthcare globally. Adding Section 32 and Verily to our effort further enhances our ability to transform the way patients engage with their health data," said Anil Sethi, CEO and Founder of Ciitizen, whose former company Gliimpse was acquired by Apple for its Health Records business. "Vijay (Pande) continues to set the standard in health-tech investing. Michael (Pellini) is a proven operator and leader, first as President and COO of Clarient and then as CEO of Foundation Medicine. Together with Andy (Harrison), they share our commitment to working on behalf of patients— ciitizens—to advance healthcare."

With continued development of the Ciitizen platform, the company is poised to release products that will make an immediate impact in healthcare.

"We are aggressively hiring to support release of products in partnership with select healthcare stakeholders that will immediately benefit patients—all driven by obtaining and organizing a patient's health data," said Premal Shah, COO and Co-Founder of Ciitizen. "Contrary to what is happening today, we want to facilitate patients gaining maximum direct benefit from what is rightfully theirs: their personal healthcare data."

In addition to launching the platform less than a year from the company's founding, Ciitizen initiated a weekly blog, The Voice of Ciitizens, that offers opinions from healthcare thought leaders on ways to address some of healthcare's most pressing challenges.

"We will always work to change healthcare for the benefit of patients, and we will continue to work with thought leaders and patient advocates in healthcare to do so," said Sethi.