Patient Portals: Now & Tomorrow

Over the last decade, more and more of us have been able to access some of our health information online, by signing up for and using portals where we can view our lab test results, prescriptions, and other key health information. Although some health plans offer online portals with access to claims information, an increasing number of us are familiar with accessing health information from our health care providers – in particular, from hospitals and larger medical practices.

The rise of patient portals can mostly be traced to federal Medicare and Medicaid incentive payments to health care providers, authorized by Congress in the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009. In brief, providers received funding if they used certified electronic health record technology to both maintain health information and make some of that information accessible to patients through portals.

It is easier for most individuals to access their health information if it is available online, at the touch of a button (or at least the entry of a username and password). Much like viewing your banking information online, patients can see everything instantly; without the need to submit a special request and wait 30 days for it. With portal access, key aspects of your health information are affirmatively provided to you promptly after a doctor visit or an inpatient stay in a hospital.

These early health care portals were an important milestone in the fight to empower patients with their data. But they also have some significant limitations:

  • With some exceptions, there is little to no portability of the information – you can view it online but the information isn’t easy to download in a portable format or upload into a medical or health app;

  • If you receive care from multiple different providers, you don’t have a single place to go to see a more complete picture of your health history; and...

  • The portals include key health information – but a lot of information is likely missing (for example, no x-rays, no pathology reports, no clinician notes – all of which are critical pieces of health information, particularly for someone who is very sick).

Over the past several weeks, we have blogged about the HIPAA Right of Access – how it gives patients the right to all of their health information, to receive it within 30 days in most cases, to receive it in the form and format most convenient for the patient (as long as it is readily producible in that format), and to receive it at low to no cost. We have chronicled how, notwithstanding this right, patients often have to jump through multiple hoops in order to get the information that they need. (And many of you have been sharing your stories, too, using #myhealthmydata. Keep ‘em coming.)

How terrific it would be if all of the information that the patient had a right to under the HIPAA Right of Access could be accessed by the patient – or by an app or online service designated by the patient – with the push of a button or just a few keystrokes, within days or even hours of an encounter with the health care system, as easy as we can access our banking information today.

This capability exists today, but it is not yet available to all patients or for all medical record information. That is changing, however.

Earlier this month, two agencies with the U.S. Department of Health and Human Services – the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS) – issued proposed rules that will significantly improve the ability of patients to use an app or an online service to get more of their health information from their providers’ records, as well as claims information from their health plans. Imagine the ability to get your health information at no charge, and to have that information from all of your providers and health plans, organized in one online account, and able to be shared at your direction and under your control. To have all of that information without having to find a fax machine to submit a written request, without having to make numerous follow-up calls, without having reams of paper mailed to your front door — you just log on, and it’s all there.

Both of these proposed rules are open for public comment (see links above), and it is critical for patients, their caregivers, and other interested parties to submit comments that support patient access rights.

The future for patient access looks quite promising, but at Ciitizen we are also pragmatists.  These changes will not happen overnight — it will take months (if not the better part of this year) for the rules to be finalized. And even after the rules are finalized, it will be two years before the requirements fully kick in. And it will be even more years before all of the information that a patient has a right to under HIPAA is available at the touch of a button.

Cancer patients need all of their data today.

And this is why Ciitizen will continue to pursue all available avenues to get our users all of their health information – and why we will continue to press for improvements to the HIPAA right of access for all patients, whether through direct online connections or by pounding on every door.  

-Deven McGraw


From the very beginning, all of our request letters to health institutions have asked for records to be sent via email, as is the patient’s right under HIPAA. When an institution sends records to Ciitizen using the email address we provide, the information is populated directly into that patient’s Ciitizen profile—no need for manual handling, which introduces risks and opportunity for error. However, more often than not, we get pushback when it comes to digital delivery. Some institutions insist on sending us to their secure portal (which requires entry of a one-time password), or sending the records with password-protected email, even though the request letter acknowledges and accepts any security risks (and, of course, some still insist on sending us reams of paper… see more below). Of course, we are willing to enter the data manually if we need to, but the larger point is that patients should be able to choose email delivery if that’s what they want.

That being said, our blog post for this week is actually a success story, rather than another aggravating anecdote detailing a slew of additional HIPAA violations. It also involves one of the largest non-profit healthcare chains in the United States, an institution that certainly has the technology necessary to service patient requests electronically. Yet, after we initially requested medical records to be sent via email to Ciitizen on behalf of a patient, they instead sent us a stack of paper printouts in the mail.

As you can imagine, we escalated this request in every way possible.

We spoke with the privacy officer, the compliance director, and the health information management director, as well as with employees in the HIM (health information management/records) department on several occasions. Overall, it took one confirmation call, five HIM interactions (meaning phone conversations and/or emails), and two calls with privacy officers to convey our message: we want these records sent electronically.

And in the end we got them to agree to send the records electronically; not just for this particular instance, but for all requests moving forward! Not only did they agree to deliver the data digitally, they did so using technology that easily deposits the records into a portal for patient access—no downloading or emailing necessary! The agreement to use ongoing digital delivery, converting from paper to electronic records, marks one of the largest success stories yet for Ciitizen in our quest to help patients easily obtain their health data.

Large institutions have the resources they can devote to improving their operations, you may say. However, large institutions can sometimes be the hardest with respect to changing their entrenched policies and practices. With some prodding, this particular one did change; relatively quickly, all things considered. We think others—both large and small—can as well. It is our mission to improve the processes for all patients seeking their health information.  

The Email Obstacle

Even people who are pretty sophisticated about the healthcare system – and know their rights under HIPAA – face obstacles in getting copies of their health information.

On Friday, my friend Arien Malec, who has decades of experience in healthcare and life sciences and currently advises the HHS Office of the National Coordinator for Health IT (ONC) as a member of the Health Information Technology Advisory Committee, tweeted this:

Do individuals have the right under HIPAA to get copies of their health information sent to them by e-mail if that’s how they want to receive it?  Yes, they do.

Under the Privacy Rule, individuals have the right to access their health information in the form or format they request, as long as it is readily producible in that form/format (45 CFR 164.524(c)(2)(i)). In guidance, the HHS Office for Civil Rights (OCR) clarified that this right extends to the way the information is delivered to the individual – and OCR has specifically stated in guidance that individuals have a right to receive copies of their PHI by email if they want it this way.

While ordinarily entities covered by HIPAA – doctors, hospitals, and health plans, for example – must send health information securely (such as by using encryption), individuals have the right to get their records by unencrypted email if they ask for it that way. The only obligation of the entity is to “provide a brief warning to the individual that there is some level of risk that the individual’s PHI could be read or otherwise accessed by a third party while in transit, and confirm that the individual still wants to receive her PHI by unencrypted email.” If the individual says yes, “the covered entity MUST comply with the request” (emphasis added).

OCR recognized that entities might be concerned about potentially being held responsible for records sent unsecurely to individuals, so the agency issued even more guidance on this topic, in order to be clear that individuals have the right to get information by unsecure email if that is their choice. Specifically, OCR’s guidance provides that entities are “not responsible for a disclosure of PHI [protected health information] while in transmission to the individual based on the individual’s access request to receive the PHI in an unsecure manner (assuming the individual was warned of and accepted the risks associated with the unsecure transmission).”

And an individual also has the right to have their health information sent by unsecure e-mail directly to a third party designee – such as a personal health record service (like Ciitizen), or to a friend or family member, or even to another health care professional or institution.

Seems pretty clear to me that refusing to honor an individual’s request to get their health information sent by email would be a violation of the HIPAA Privacy Rule.

What about individuals who want to receive their information in a way that is secure? OCR covered that as well. The guidance states that while individuals have the right to receive their health information by unsecure methods, an entity “is not permitted to require an individual to accept unsecure methods of transmission in order to receive copies of her health information.”

Arien Malec is not the only individual who has confronted obstacles in trying to get health information by email.  We’ll talk about our experience in trying to help our Ciitizen users get health information via email in our Thursday blog post.

-Deven McGraw

Paper Tiger

Over the past few weeks we’ve detailed some of the more frustrating issues faced by our data retrieval team when following up on patient medical records requests. The goal of each story was to illuminate in detail just how aggravating it can be for someone in dire need of their health data to obtain the information to which they have a legal right under HIPAA. However, for today’s blog post about a patient’s right to request a digital copy of their record instead of paper printouts, we’re not going to beat around the bush. The cold, hard facts are more than enough to illustrate our irritation.

As Deven pointed out on Tuesday, HIPAA requires an institution to provide patients with their records in an electronic format if the data is available as such. In the rare instance that a hospital is still using 100% paper records and has for some reason shunned the last thirty years of computer database technology, the institution must still provide the patient with a digital scan if it is capable of doing so. One would assume that if a hospital is capable of performing a CT scan to create cross-sectional images of the bones, blood vessels, and soft tissues in the human body, it would also be capable of feeding a piece of paper into a piece of plastic. However, as the old adage goes: when you assume, you make an ass out of u and me.

Below are a few anecdotes that highlight the difficulties of this digital struggle, taken from our recent experiences here at Ciitizen:

  • One doctor’s office refused our request form twice, demanded the patient come in person to request the records (which, as we covered in a previous blog, is not allowed), and then proceeded to send paper records to the patient despite numerous interventions on our part to have them sent digitally, as the patient specifically requested.

  • In response to one patient’s request, a large institution on the West Coast sent us an enormous stack of paper, despite numerous phone calls with their privacy official and their security team about using their web portal to transfer the records digitally.

  • A children’s hospital in California required ten separate phone calls, including an additional four calls to the privacy officer and three weeks of non-stop emailing, before a stack of paper showed up in our mailbox, despite the fact the patient had clearly requested the records in an electronic format.

  • A renowned clinic forced us to escalate a patient’s request up the chain of command more than five times before we were eventually sent paper records instead of the digital data the patient requested.

  • We spent hours tracking down the privacy officer of a major East Coast health network, where the patient’s request specified that her digital health record be sent to us via email (with the required acceptance of any security risks). Two weeks later we received the patient’s paper records in our mailbox.

The raison d’etre of Ciitizen is to provide patients with a digital profile of their complete health history because medical records are far easier to search and share when they’re in a digital format. Rather than spend forty-five minutes digging through binders of paper printouts, an oncologist can quickly access the digital information he or she needs to plan treatment, and the patient can easily send that data out for second and third opinions. There’s no debate: information moves faster and is easier to manage when it’s in a digital format. Yet, despite HIPAA’s requirement that health institutions provide patients with at least a PDF or an electronic scan of paper records, we’re still getting giant paper envelopes on our doorstep (and often these giant paper envelopes are clearly digital printouts!).

Cancer patients — actually, all patients — deserve better.  

Digital Delivery

Almost any information can be delivered digitally these days, whether it comes directly from a digital database or as a PDF scan attached to an email, and the privacy rules surrounding the release of medical records have taken these modern capabilities into account for patients requesting their health data. Under the HIPAA right of access, individuals have the right to get copies of their information in the form or format they want — as long as it is “readily producible” in that format (i.e., the hospital or doctor is capable of producing it and doesn’t have to go out and buy new software to meet the individual’s particular format) (45 CFR 164.524(c)(2)(i)). That means a digital scan can be requested over a physical paper copy, so long as the hospital in question has evolved beyond the fax machine.

But the rule is even more specific when it comes to getting an electronic copy of your health data. If the information requested by the individual is maintained electronically (for example, if it is in an electronic medical record, or in software that stores electronic documents), and if the individual requests an electronic copy of that information, the covered entity (doctor, hospital, lab, pharmacy, health plan, for example) “must provide the individual with access to the protected health information in the electronic form and format requested by the individual.” If it is not available in the particular electronic form and format requested by the individual, it must be in a “readable electronic form and format as agreed to by the covered entity and the individual” (45 CFR 164.524(c)(2)(ii)).

In other words, it is NEVER acceptable to provide an individual with paper copies of a digital record, unless the individual has specifically asked for paper copies — or the rare instance where the individual refuses to accept any reasonable digital options (such as PDF) that the entity can readily produce. In the words of OCR, “individuals who request electronic access to PHI maintained electronically can be diverted to receiving a paper copy only in circumstances where all of the covered entities’ existing capabilities for readily producing electronic copies have been presented to the individual, but the individual has determined that those formats are not acceptable to her.” If the information is stored digitally, it must be delivered digitally if the patient has requested it as such.

But what if the information the individual is requesting is actually maintained on paper (for example, a record that was created prior to the more widespread adoption of electronic medical records by doctors and hospitals and the information in that record was never scanned into the electronic medical record)? Even in that case, the individual has the right to get that information digitally if the covered entity has a scanner and can readily scan the paper record into electronic format. The rule doesn’t require hospitals to purchase a scanner in the absence of one, but I have to ask: what records office doesn’t have a scanner in 2019?

And while entities are not required to go out and buy new software just to meet an individual’s format request (even though scanners can be had for less than $100 these days), entities that maintain protected health information digitally must have the capability to provide some form of readable electronic copy of that information. According to OCR, “this means that some covered entities may need to make some investments (which cannot be charged to individuals) in order to meet this baseline requirement” (i.e. shelling out $100 or less for a scanner).

Finally, when an individual asks for a particular form and format, such as seeking PHI in digital format, the question of whether the entity can “readily produce” it in the requested form or format is a “matter of capability, not willingness.” An entity cannot decline to provide the individual’s requested form or format because the entity would prefer that the individual accept another format, or because another format is part of the entity’s customary record processes. It cannot be a policy decision. If a hospital is capable of digitally scanning a patient’s records (which they all should be), then it must do so at the patient’s request.

And the vendors who perform this service on behalf of hospitals and doctors must play by these same rules.

-Deven McGraw

The Signature Burden

CMS Administrator Seema Verma, who attended this month’s HIMSS Annual Meeting, tweeted “[w]e can sequence the entire human genome, but we still can’t get much more than a print-out, fax or CD ROM when we leave the doctor’s office.”

Indeed. If we can even get that.

At a time when legal transactions happen every day with digital signatures, tax returns are filed electronically online without the slightest hint of pen ink, and mobile banking has made a physical trip to the bank obsolete, it is beyond befuddling that patients struggle to get their digital requests for their health information honored.

When we first started helping patients use their HIPAA right of access to get their health information, we used Docusign to obtain their signatures. After all, many of us had successfully used Docusign to sign an array of legal documents, and Docusign advertises that its signatures are compliant with the Federal E-Sign Act. But two very large hospitals in Silicon Valley - the epicenter of technological innovation - flat-out rejected the use of Docusign, requiring further hurdles to access medical records. The only option available for those early patients? Printing out the request, physically signing it with a pen, and then scanning it for submission via email. Not all patients have this capability readily at hand.  

Working from these frustrating experiences, Ciitizen has since developed new software that captures a patient’s actual signature on the screen, rather than the makeshift representation often used in Docusign. The release request, including the patient’s signature, is submitted to the patient’s medical provider, along with a copy of their government issued ID, which also includes the patient’s signature.

To reiterate: we’re providing medical institutions with the patient’s actual signature, captured digitally, plus official photo ID, also with a signature, and yet even this level of verification hasn’t worked 100 percent of the time.   

This method was rejected twice by a cancer specialist’s office because “it wasn’t a close enough match to what they held on file for the patient in question” (after it was rejected the first time, we asked the patient to e-sign the records request again). After multiple calls up the food chain to various members of this doctor’s office (including the doctor himself), this cancer patient was left with no other choice than to physically drive to the office and make an in-person plea to have records sent to us, the patient’s designee.

One truly could not ask for a clearer example of imposing a burden on the patient’s exercise of her HIPAA access rights, although we must note: this approach worked for 16 other separate PHI or imaging requests to a plethora of providers, including three of the largest healthcare organizations in the U.S. However, based on this experience, we have legitimate concerns that we will continue to get push back when using this approach with other organizations.

Why did this particular cancer specialist’s office push back so hard on the request?  Because, claimed the doctor’s office, “they were not convinced that this was a genuine request by the patient.” But the only way the office would resolve this was to require a physical request by the patient. Since requiring in-person appearance is not consistent with the HHS Office for Civil Rights (OCR)’s guidance on compliance with the right of access, this cannot be the answer. It’s a violation of the patient’s right of access.

So where does that leave the patient? Undoubtedly in a tricky and sensitive situation if they intend to continue seeing this doctor. Is it fair to ask patients to take on the role of unpaid privacy/compliance advisor, oh-so-gently pointing out to their doctors and hospitals that perhaps it’s time to get their policies and practices updated before OCR starts to enforce this right more aggressively, which they have recently said they are going to do? Or there is the more aggressive option, which involves the patient reporting this clear HIPAA violation to OCR? Although there is no guarantee that OCR will investigate a particular complaint, certainly nothing will change if these violations go unreported.

A Digital Dilemma

Under the HIPAA Privacy Rule, a doctor or hospital may require individuals to make requests for their records in writing, and in the case where the individual is asking for his or her records to be sent directly to a third party designee, the request is required to be “in writing, signed by the individual,” and it must “clearly identify” both the third party designee and where to send the copy of the information (45 CFR 164.524(c)(3)(ii)). However, the HHS Office for Civil Rights (which develops policy for and enforces the HIPAA Privacy Rule) has said in guidance that doctors or hospitals cannot require individuals to make their requests for information in person, or by mail — so how else can an individual’s signed request for information be submitted?

Via the internet, of course; the medium with which countless people around the world communicate on a daily basis. For example, many of us have used the online service Docusign to apply a digital signature that is acceptable in other contexts, such as signing for a loan, submitting documents to governmental authorities, or enacting a residential lease. Yet, we’ve found that Docusign doesn’t seem to pass muster when it comes to patient requests for their health records!

OCR has clearly said that “the Privacy Rule allows for electronic documents to qualify as written documents for purposes of meeting the Privacy Rule’s requirements, as well as electronic signatures to satisfy any requirement for a signature, to the extent the signature is valid under applicable law.” (78 Federal Register 5566, at 5634 (Jan. 13, 2013)). HIPAA itself has no specific standards for electronic signatures, but the Federal E-Sign Act broadly recognizes the validity of electronic signatures in most contexts (there are exceptions, but none apply to the circumstance of patients seeking their health information).

Therefore, individuals seeking to have copies of their health records sent to Ciitizen or any third party of their choice should be allowed to submit a digital request that includes a digital signature, right?

The answer should be yes, yet we have found that too many health care providers “do not accept electronic signatures” on patient requests for access (a direct quote from some of the rejections we have received). While it is true that the Privacy Rule does not include an express requirement to accept an electronic signature on a patient request for access and, as far as I can tell, the Federal E-Sign Act does not require an entity to accept an electronic signature, I have to ask: should the rejection of such a signature, when it meets reasonable commercial standards for acceptability, be seen as imposing a burden on individuals seeking to exercise their access rights?

See our blog post on Thursday for more on our experiences submitting electronic requests on behalf of our users with a digital signature.

-Deven McGraw

Unaware or Unwilling to Comply

Navigating the medical system alone can be intimidating, which is part of the reason many cancer patients turn to others for help - such as a close family member, or friend, or a patient advocacy organization. Getting copies of your medical records - even though it is the patient’s right - is also intimidating and time consuming. At Ciitizen, we help relieve cancer patients of this burden by doing the work of obtaining copies of their medical records and organizing it into a profile for the patient’s use. In this role, we are their medical record advocates. We make sure that the patient’s record requests get sent to the right providers, and we follow up to make sure those requests get fulfilled - which includes the records being sent directly to Ciitizen, per the patient’s specific request, so they can be populated in the patient’s Ciitizen profile.

As Deven stated in Tuesday’s blog: per HIPAA, patients can request that hospitals send their medical records to whomever they wish, such as an advocacy group or any other designated third party. Unfortunately, all too often, we see various hospital providers and labs either unaware or unwilling to acknowledge this right.

Let’s use a recent request we sent to a medical center on the west coast as an example. We spoke to the Health Information Management representative on three separate occasions, explaining that we work on behalf of cancer patients to help them obtain their records, and we sent them the patient’s request, with the patient’s signature, designating that the records were to be sent to Ciitizen. The institution simply would not agree to send the records, citing “privacy issues.” We escalated the matter to the hospital’s privacy officer, who proceeded to ignore all of our phone calls, as did the hospital’s director. We then called the head of legal matters, who decided to bypass us and contact the patient directly, telling her “they were uncomfortable sending an email to a third party and that law required them to mail out paper copies to the patient only.” However, as we’ve already made clear in Tuesday’s blog, this is absolutely untrue.

This hospital, all the way to the CEO, either did not understand the HIPAA regulations or simply did not want to comply. Either way, their lack of compliance both disturbed the patient and went against her request to have her records sent to the third party of her choice (and on top of that they sent her paper records after we had requested them digitally). Sometimes even with the help of an advocacy group, patients cannot have their needs met by the medical system, so can you imagine having to do all this alone?

At another prominent lab, a patient recently made a request that her medical records be sent to Ciitizen. We started by emailing the request, but apparently record requests could not be made via email. We then faxed the request, only to be told “the request asked for unencrypted email [which patients can choose, as a matter of convenience] and my legal counsel will only allow unencrypted emails to the patient only.” As Deven also explained, the right of the patient to have copies sent directly to a third party must be honored in the same way as if the patient had asked for the records to be sent directly to her. The failure of this institution to honor the patient’s request in this case - to send the records by unencrypted e-mail directly to Ciitizen - is out of compliance with the HIPAA Privacy Rule.

When a request is signed by a patient and directs that records be sent directly to a third party designee like Ciitizen, these are requests that, pursuant to the HIPAA regulations, must be honored. Cancer patients turn to advocacy organizations like Ciitizen to help them navigate the medical system and get the best possible care. Institutions who make the process more difficult for us need to realize that they are placing obstacles in the path of the patients who have come to us for help.