The Email Obstacle

Even people who are pretty sophisticated about the healthcare system – and know their rights under HIPAA – face obstacles in getting copies of their health information.

On Friday, my friend Arien Malec, who has decades of experience in healthcare and life sciences and currently advises the HHS Office of the National Coordinator for Health IT (ONC) as a member of the Health Information Technology Advisory Committee, tweeted this:

Do individuals have the right under HIPAA to get copies of their health information sent to them by e-mail if that’s how they want to receive it?  Yes, they do.

Under the Privacy Rule, individuals have the right to access their health information in the form or format they request, as long as it is readily producible in that form/format (45 CFR 164.524(c)(2)(i)). In guidance, the HHS Office for Civil Rights (OCR) clarified that this right extends to the way the information is delivered to the individual – and OCR has specifically stated in guidance that individuals have a right to receive copies of their PHI by email if they want it this way.

While ordinarily entities covered by HIPAA – doctors, hospitals, and health plans, for example – must send health information securely (such as by using encryption), individuals have the right to get their records by unencrypted email if they ask for it that way. The only obligation of the entity is to “provide a brief warning to the individual that there is some level of risk that the individual’s PHI could be read or otherwise accessed by a third party while in transit, and confirm that the individual still wants to receive her PHI by unencrypted email.” If the individual says yes, “the covered entity MUST comply with the request” (emphasis added).

OCR recognized that entities might be concerned about potentially being held responsible for records sent by unsecure email to individuals, so the agency issued even more guidance on this topic, in order to be clear that individuals have the right to get information by unsecure email if that is their choice. Specifically, OCR’s guidance provides that entities are “not responsible for a disclosure of PHI [protected health information] while in transmission to the individual based on the individual’s access request to receive the PHI in an unsecure manner (assuming the individual was warned of and accepted the risks associated with the unsecure transmission).”

And an individual also has the right to have their health information sent by unsecure e-mail directly to a third party designee – such as a personal health record service (like Ciitizen), or to a friend or family member, or even to another health care professional or institution.

Seems pretty clear to me that refusing to honor an individual’s request to get their health information sent by email would be a violation of the HIPAA Privacy Rule.

What about individuals who want to receive their information in a way that is secure? OCR covered that as well. The guidance states that while individuals have the right to receive their health information by unsecure methods, an entity “is not permitted to require an individual to accept unsecure methods of transmission in order to receive copies of her health information.”

Arien Malec is not the only individual who has confronted obstacles in trying to get health information by email. We’ll talk about our experience in trying to help our Ciitizen users get health information via email in our Thursday blog post.

-Deven McGraw

Paper Tiger

Over the past few weeks we’ve detailed some of the more frustrating issues faced by our data retrieval team when following up on patient medical records requests. The goal of each story was to illuminate in detail just how aggravating it can be for someone in dire need of their health data to obtain the information to which they have a legal right under HIPAA. However, for today’s blog post about a patient’s right to request a digital copy of their record instead of paper printouts, we’re not going to beat around the bush. The cold, hard facts are more than enough to illustrate our irritation.

As Deven pointed out on Tuesday, HIPAA requires an institution to provide patients with their records in an electronic format if the data is available as such. In the rare instance that a hospital is still using 100% paper records and has for some reason shunned the last thirty years of computer database technology, the institution must still provide the patient with a digital scan if it is capable of producing one. One would assume that if a hospital is capable of performing a CT scan to create cross-sectional images of the bones, blood vessels, and soft tissues in the human body, it would also be capable of feeding a piece of paper into a piece of plastic. However, as the old adage goes: when you assume, you make an ass out of u and me.

Below are a few anecdotes that highlight the difficulties of this digital struggle, taken from our recent experiences here at Ciitizen:

  • One doctor’s office refused our request form twice, demanded the patient come in person to request the records (which, as we covered in a previous blog, is not allowed), and then proceeded to send paper records to the patient despite numerous interventions on our part to have them sent digitally, as the patient specifically requested.

  • In response to one patient’s request, a large institution on the West Coast sent us an enormous stack of paper, despite numerous phone calls with their privacy official and their security team about using their web portal to transfer the records digitally.

  • A children’s hospital in California required ten separate phone calls, including an additional four calls to the privacy officer and three weeks of non-stop emailing, before a stack of paper showed up in our mailbox, despite the fact the patient had clearly requested the records in an electronic format.

  • A renowned clinic forced us to escalate a patient’s request up the chain of command more than five times before we were eventually sent paper records instead of the digital data the patient requested.

  • We spent hours tracking down the privacy officer of a major East Coast health network, where the patient’s request specified that her digital health record be sent to us via email (with the required acceptance of any security risks). Two weeks later we received the patient’s paper records in our mailbox.

The raison d’être of Ciitizen is to provide patients with a digital profile of their complete health history because medical records are far easier to search and share when they’re in a digital format. Rather than spend forty-five minutes digging through binders of paper printouts, an oncologist can quickly access the digital information he or she needs to plan treatment, and the patient can easily send that data out for second and third opinions. There’s no debate: information moves faster and is easier to manage when it’s in a digital format. Yet, despite HIPAA’s requirement that health institutions provide patients with at least a PDF or an electronic scan of paper records, we’re still getting giant paper envelopes on our doorstep (and often the contents of these giant paper envelopes are clearly printouts of digital records!).

Cancer patients — actually, all patients — deserve better.  

Digital Delivery

Almost any information can be delivered digitally these days, whether it comes directly from a digital database or as a PDF scan attached to an email, and the privacy rules surrounding the release of medical records have taken these modern capabilities into account for patients requesting their health data. Under the HIPAA right of access, individuals have the right to get copies of their information in the form or format they want — as long as it is “readily producible” in that format (i.e., the hospital or doctor is capable of producing it and doesn’t have to go out and buy new software to meet the individual’s particular format) (45 CFR 164.524(c)(2)(i)). That means a digital scan can be requested over a physical paper copy, so long as the hospital in question has evolved beyond the fax machine.

But the rule is even more specific when it comes to getting an electronic copy of your health data. If the information requested by the individual is maintained electronically (for example, if it is in an electronic medical record, or in software that stores electronic documents), and if the individual requests an electronic copy of that information, the covered entity (doctor, hospital, lab, pharmacy, health plan, for example) “must provide the individual with access to the protected health information in the electronic form and format requested by the individual.” If it is not available in the particular electronic form and format requested by the individual, it must be provided in a “readable electronic form and format as agreed to by the covered entity and the individual” (45 CFR 164.524(c)(2)(ii)).

In other words, it is NEVER acceptable to provide an individual with paper copies of a digital record, unless the individual has specifically asked for paper copies — or the rare instance where the individual refuses to accept any reasonable digital options (such as PDF) that the entity can readily produce. In the words of OCR, “individuals who request electronic access to PHI maintained electronically can be diverted to receiving a paper copy only in circumstances where all of the covered entities’ existing capabilities for readily producing electronic copies have been presented to the individual, but the individual has determined that those formats are not acceptable to her.” If the information is stored digitally, it must be delivered digitally if the patient has requested it as such.

But what if the information the individual is requesting is actually maintained on paper (for example, a record that was created prior to the more widespread adoption of electronic medical records by doctors and hospitals and the information in that record was never scanned into the electronic medical record)? Even in that case, the individual has the right to get that information digitally if the covered entity has a scanner and can readily scan the paper record into electronic format. The rule doesn’t require hospitals to purchase a scanner in the absence of one, but I have to ask: what records office doesn’t have a scanner in 2019?

And while entities are not required to go out and buy new software just to meet an individual’s particular format request, entities that maintain protected health information digitally must have the capability to provide some form of readable electronic copy of that information. According to OCR, “this means that some covered entities may need to make some investments (which cannot be charged to individuals) in order to meet this baseline requirement” (i.e., shelling out $100 or less for a scanner, which is what one costs these days).

Finally, when an individual asks for a particular form and format, such as seeking PHI in digital format, the question of whether the entity can “readily produce” it in the requested form or format is a “matter of capability, not willingness.” An entity cannot decline to provide the individual’s requested form or format because the entity would prefer that the individual accept another format, or because another format is part of the entity’s customary record processes. It cannot be a policy decision. If a hospital is capable of digitally scanning a patient’s records (which they all should be), then it must do so at the patient’s request.

And the vendors who perform this service on behalf of hospitals and doctors must play by these same rules.

-Deven McGraw

The Signature Burden

CMS Administrator Seema Verma, who attended this month’s HIMSS Annual Meeting, tweeted “[w]e can sequence the entire human genome, but we still can’t get much more than a print-out, fax or CD ROM when we leave the doctor’s office.”

Indeed. If we can even get that.

At a time when legal transactions happen every day with digital signatures, tax returns are filed electronically online without the slightest hint of pen ink, and mobile banking has made a physical trip to the bank obsolete, it is beyond befuddling that patients struggle to get their digital requests for their health information honored.

When we first started helping patients use their HIPAA right of access to get their health information, we used Docusign to obtain their signatures. After all, many of us had successfully used Docusign to sign an array of legal documents, and Docusign advertises that its signatures are compliant with the Federal E-Sign Act. But two very large hospitals in Silicon Valley - the epicenter of technological innovation - flat-out rejected the use of Docusign, requiring further hurdles to access medical records. The only option available for those early patients? Printing out the request, physically signing it with a pen, and then scanning it for submission via email. Not all patients have this capability readily at hand.  

Working from these frustrating experiences, Ciitizen has since developed new software that captures a patient’s actual signature on the screen, rather than the makeshift representation often used in Docusign. The release request, including the patient’s signature, is submitted to the patient’s medical provider, along with a copy of their government issued ID, which also includes the patient’s signature.

To reiterate: we’re providing medical institutions with the patient’s actual signature, captured digitally, plus official photo ID, also with a signature, and yet even this level of verification hasn’t worked 100 percent of the time.   

This method was rejected twice by a cancer specialist’s office because “it wasn’t a close enough match to what they held on file for the patient in question” (after it was rejected the first time, we asked the patient to e-sign the records request again). After multiple calls up the food chain to various members of this doctor’s office (including the doctor himself), this cancer patient was left with no other choice than to physically drive to the office and make an in-person plea to have records sent to us, the patient’s designee.

One truly could not ask for a clearer example of imposing a burden on the patient’s exercise of her HIPAA access rights, although we must note: this approach worked for 16 other separate PHI or imaging requests to a plethora of providers, including three of the largest healthcare organizations in the U.S. However, based on this experience, we have legitimate concerns that we will continue to get push back when using this approach with other organizations.

Why did this particular cancer specialist’s office push back so hard on the request? Because, claimed the doctor’s office, “they were not convinced that this was a genuine request by the patient.” But the only way the office would resolve this was to require a physical request by the patient. Since requiring in-person appearance is not consistent with the HHS Office for Civil Rights (OCR)’s guidance on compliance with the right of access, this cannot be the answer. It’s a violation of the patient’s right of access.

So where does that leave the patient? Undoubtedly in a tricky and sensitive situation if they intend to continue seeing this doctor. Is it fair to ask patients to take on the role of unpaid privacy/compliance advisor, oh-so-gently pointing out to their doctors and hospitals that perhaps it’s time to get their policies and practices updated before OCR starts to enforce this right more aggressively, which they have recently said they are going to do? Or there is the more aggressive option, which involves the patient reporting this clear HIPAA violation to OCR? Although there is no guarantee that OCR will investigate a particular complaint, certainly nothing will change if these violations go unreported.

A Digital Dilemma

Under the HIPAA Privacy Rule, a doctor or hospital may require individuals to make requests for their records in writing, and in the case where the individual is asking for his or her records to be sent directly to a third party designee, the request is required to be “in writing, signed by the individual,” and it must “clearly identify” both the third party designee and where to send the copy of the information (45 CFR 164.524(c)(3)(ii)). However, the HHS Office for Civil Rights (which develops policy for and enforces the HIPAA Privacy Rule) has said in guidance that doctors or hospitals cannot require individuals to make their requests for information in person, or by mail — so how else can an individual’s signed request for information be submitted?

Via the internet, of course; the medium with which countless people around the world communicate on a daily basis. For example, many of us have used the online service Docusign to apply a digital signature that is acceptable in other contexts, such as signing for a loan, submitting documents to governmental authorities, or executing a residential lease. Yet, we’ve found that Docusign doesn’t seem to pass muster when it comes to patient requests for their health records!

OCR has clearly said that “the Privacy Rule allows for electronic documents to qualify as written documents for purposes of meeting the Privacy Rule’s requirements, as well as electronic signatures to satisfy any requirement for a signature, to the extent the signature is valid under applicable law.” (78 Federal Register 5566, at 5634 (Jan. 25, 2013)). HIPAA itself has no specific standards for electronic signatures, but the Federal E-Sign Act broadly recognizes the validity of electronic signatures in most contexts (there are exceptions, but none apply to the circumstance of patients seeking their health information).

Therefore, individuals seeking to have copies of their health records sent to Ciitizen or any third party of their choice should be allowed to submit a digital request that includes a digital signature, right?

The answer should be yes, yet we have found that too many health care providers “do not accept electronic signatures” on patient requests for access (a direct quote from some of the rejections we have received). While it is true that the Privacy Rule does not include an express requirement to accept an electronic signature on a patient request for access and, as far as I can tell, the Federal E-Sign Act does not require an entity to accept an electronic signature, I have to ask: should the rejection of such a signature, when it meets reasonable commercial standards for acceptability, be seen as imposing a burden on individuals seeking to exercise their access rights?

See our blog post on Thursday for more on our experiences submitting electronic requests on behalf of our users with a digital signature.

-Deven McGraw

Unaware or Unwilling to Comply

Navigating the medical system alone can be intimidating, which is part of the reason many cancer patients turn to others for help - such as a close family member, or friend, or a patient advocacy organization. Getting copies of your medical records - even though it is the patient’s right - is also intimidating and time consuming. At Ciitizen, we help relieve cancer patients of this burden by doing the work of obtaining copies of their medical records and organizing it into a profile for the patient’s use. In this role, we are their medical record advocates. We make sure that the patient’s record requests get sent to the right providers, and we follow up to make sure those requests get fulfilled - which includes the records being sent directly to Ciitizen, per the patient’s specific request, so they can be populated in the patient’s Ciitizen profile.

As Deven stated in Tuesday’s blog: per HIPAA, patients can request that hospitals send their medical records to whomever they wish, such as an advocacy group or any other designated third party. Unfortunately, all too often, we see various hospital providers and labs either unaware or unwilling to acknowledge this right.

Let’s use a recent request we sent to a medical center on the west coast as an example. We spoke to the Health Information Management representative on three separate occasions, explaining that we work on behalf of cancer patients to help them obtain their records, and we sent them the patient’s request, with the patient’s signature, designating that the records were to be sent to Ciitizen. The institution simply would not agree to send the records, citing “privacy issues.” We escalated the matter to the hospital’s privacy officer, who proceeded to ignore all of our phone calls, as did the hospital’s director. We then called the head of legal matters, who decided to bypass us and contact the patient directly, telling her “they were uncomfortable sending an email to a third party and that law required them to mail out paper copies to the patient only.” However, as we’ve already made clear in Tuesday’s blog, this is absolutely untrue.

This hospital, all the way to the CEO, either did not understand the HIPAA regulations or simply did not want to comply. Either way, their lack of compliance both disturbed the patient and went against her request to have her records sent to the third party of her choice (and on top of that they sent her paper records after we had requested them digitally). Sometimes even with the help of an advocacy group, patients cannot have their needs met by the medical system, so can you imagine having to do all this alone?

At another prominent lab, a patient recently made a request that her medical records be sent to Ciitizen. We started by emailing the request, but apparently record requests could not be made via email. We then faxed the request, only to be told “the request asked for unencrypted email [which patients can choose, as a matter of convenience] and my legal counsel will only allow unencrypted emails to the patient only.” As Deven also explained, the right of the patient to have copies sent directly to a third party must be honored in the same way as if the patient had asked for the records to be sent directly to her. The failure of this institution to honor the patient’s request in this case - to send the records by unencrypted e-mail directly to Ciitizen - is out of compliance with the HIPAA Privacy Rule.

When a request is signed by a patient and directs that records be sent directly to a third party designee like Ciitizen, it is a request that, pursuant to the HIPAA regulations, must be honored. Cancer patients turn to advocacy organizations like Ciitizen to help them navigate the medical system and get the best possible care. Institutions that make the process more difficult for us need to realize that they are placing obstacles in the path of the patients who have come to us for help.

Third Party Rights Under HIPAA

The right for individuals to access and receive copies of their “protected health information” (PHI) has existed since the HIPAA Privacy Rule was first effective in 2003. In 2009, Congress improved this right in the Health Information Technology for Economic and Clinical Health Act (HITECH) by allowing individuals to use their right of access to have information from an "electronic health record" sent directly to a third party of their choice. To exercise this right, individuals merely needed to make sure that their choice of third party was “clear, conspicuous, and specific” (Section 13405(e)(1)).  

In the final Omnibus Rule, which was issued in January 2013, HHS used its broad authority under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to expand this right and enable individuals to use their right of access to send PHI from any source (not just from an “electronic health record”) to third party designees.  Individuals merely needed to make this request in writing (which could be electronic) and be clear about the destination. Hospitals, physician practices, and health plans were required to honor this designation and provide the PHI under the same terms and conditions as apply to PHI delivered to the individual (e.g., provided within 30 days, at low cost, in the form or format requested by the individual).

Before Congress and HHS established the right of individuals to have information sent directly to third parties, individuals had the right to access their PHI themselves. But to get that information to a third party, such as another doctor or a caregiver, the individual had to act as the intermediary, personally obtaining the information and then sending it along to its destination.

HHS gave entities like hospitals and physician practices until September 2013 to get into compliance with this new rule; thus, for more than five years individuals should have enjoyed the right to have their health information sent directly to the third party of their choice.

Yet, when I was the Deputy Director for Health Information Privacy at the HHS Office for Civil Rights, I heard many stories of individuals who faced obstacles in trying to get their health information from point A to point B and found it difficult to have it shared with a loved one, with another medical provider for treatment, or with an insurance provider in order to get a claim fully paid.

OCR issued comprehensive guidance in 2016 to entities covered by HIPAA to be clearer about the right of individuals to “get out of the middle” of routing their health information — to enable them to use the right of access to have information sent to the third party of their choice. OCR also, jointly with the HHS Office of the National Coordinator for Health IT (ONC), issued fact sheets and videos for consumers. The guidance makes clear that:

  • Individuals have the right to use the HIPAA right of access to send information to any third party they want, for any purpose.

  • All of the provisions of HIPAA that apply to the right of access also apply when the individual is asking to have their PHI sent to a designated third party — for example, the right to have information sent in the form or format the individual wants (including the right to get information digitally); the right to have information sent within 30 days in most circumstances; and the right to have that information at a reasonable, cost-based fee (for the labor associated with making the requested copy and any necessary supplies).

At Ciitizen, our users seek their health information from all of their medical providers in order to have it aggregated and neatly organized in their Ciitizen profile, allowing them to share it for care coordination, donate it for research purposes, or use it for any other purpose that suits their needs. The individuals request their health information under the right of access and clearly, conspicuously, and specifically designate Ciitizen as the third party to receive those records, in accordance with HIPAA’s rules and guidelines.

In Thursday's blog you will hear more about our experiences in helping our users get their health information as our users’ third party designee.

-Deven McGraw

Stories of Non-Compliance: Fax & Email Requests

We sent a plethora of requests to a massive, well-known hospital chain on the west coast recently, and they responded by sending us this:

***Action Required*** Faxed/Emailed Requests No Longer Accepted - Please Mail Requests With Prepayment.

Let’s just forget for the moment that the notice telling us our request could not be faxed or emailed arrived as an encrypted email that required a password just to open, creating yet another obstacle for our patient. As Deven’s blog post on Tuesday stated, per OCR guidance, hospitals cannot force patients to mail in an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus the individual’s access. Hospitals also cannot charge unreasonable fees, yet this particular hospital chain was demanding a prepayment, even though a digital copy of a digital record warrants a low (if any) fee. And how are you supposed to know how much you are required to pay before you’ve even submitted the request?

But this is the type of message we see all too often, if we’re lucky enough to receive any message at all.

We recently faxed another request to a provider listed as one of the “top 100 hospitals” in the US, part of a division of a leading hospital management company with 34 hospitals across 10 states. After not hearing anything for three days, we called the office to follow up. The medical records representative’s exact response to our Ciitizen request sheet was:

“You make life so complicated. What the heck? Your form confused the heck out of me. I just put it to the side.”

At Ciitizen, we use nothing more complicated than a standard form to request medical records. The fact that it confused this particular representative is highly unnerving, but even more concerning is that she chose to put it aside rather than follow-up on the request (we provide our contact information, of course). She then added that it would take her 15 days just to transfer the request to corporate. When we pushed back that this request was for a cancer patient needing continuity of care, she said:

“Well, I could expedite it. Do you want me to?”

Uh….for God’s sake: YES! We are helping cancer patients in need of treatment here, and fortunately we understand the rights that HIPAA provides them to access their health records. But what about those patients that are putting in requests on their own? Are they supposed to fight a two-front war against the disease on one side, and the hospital’s records department on the other?