On the Clock

On Tuesday, we talked about the limitations of static patient portals, which hopefully will soon be going the way of the dinosaur. But not soon enough.

In our work to help patients get all of their medical records related to their cancer diagnosis and care, we have noticed that, on average, cancer patients need records from three hospitals or medical practices. When patients are dependent on portals to get at least some of these records, they have to remember usernames and passwords for each portal. Yes, convenience drives many of us to try to use the same username and password for practically everything — but sometimes username and/or password requirements make this impossible.

Patients with cancer frequently seek second (and sometimes more) opinions, which often requires them to send their records in advance of the visit. For a patient in portal hell to even be able to send a doctor their medical information for a second opinion, they would have to download the portal information (if that’s even possible); potentially separately submit a request to the HIM or Records Department for supplemental information not in the portal (for example, images, genomic test results, and notes); and then somehow package it to share with a new doctor.

One doctor we requested records from (whom we had to call multiple times just to confirm receipt of the request) refused our form twice and demanded the cancer patient come in-person to fill out the request form.  After the patient drove to the medical practice and reaffirmed his desire and legal right to have the records sent to us, the patient was told the practice would only send paper records to the patient’s home address, which is exactly what transpired. Wow, that’s helpful - reams of paper that an oncologist then needs to sort through before being able to give a cancer patient an informed treatment recommendation.

And all that back and forth took just shy of three agonizing weeks.

As we said on Tuesday, federal policies are heading in the right direction on this - but we just wish the needed improvements wouldn’t take so long!  

And on the issue of time, here’s another issue that concerns us. Hospitals and physician practices don’t keep medical records forever - and particularly for paper records, most of which were never scanned into electronic format. Files older than 10 years may not exist anymore - or may be housed in offsite storage, where it takes even longer to retrieve them. Many cancers are slow growing, so past history can be critical to understanding a cancer patient’s comprehensive health history. And the past can be key to understanding why some individuals develop cancer in the first place.

One of our cancer patient users had asked us to help her retrieve information from records created before she was diagnosed - and we were told that those records had been destroyed. Her reaction: “Until I was diagnosed, I had no idea how valuable my health records could be and now the clinical record of all of the seemingly random issues I had over a decade ago are gone. With no known genetic variants, my health history could have been critical in understanding why I was diagnosed with cancer more than twenty years earlier than the average breast cancer diagnosis. And my health data could be critical in helping my children and others understand their potential risk. All that rich data - just deleted.”

Time is not our friend when it ticks away while patients in need await their rightful health data. Ciitizen will keep working to make sure cancer patients have a way to get all of their health information, digitally, in one place, in a way that is understandable and efficiently shareable by them, for nth opinions or whatever purpose is important to them.  

Patient Portals: Now & Tomorrow

Over the last decade, more and more of us have been able to access some of our health information online, by signing up for and using portals where we can view our lab test results, prescriptions, and other key health information. Although some health plans offer online portals with access to claims information, an increasing number of us are familiar with accessing health information from our health care providers – in particular, from hospitals and larger medical practices.

The rise of patient portals can mostly be traced to federal Medicare and Medicaid incentive payments to health care providers, authorized by Congress in the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009. In brief, providers received funding if they used certified electronic health record technology to both maintain health information and make some of that information accessible to patients through portals.

It is easier for most individuals to access their health information if it is available online, at the touch of a button (or at least the entry of a username and password). Much like viewing your banking information online, patients can see everything instantly, without the need to submit a special request and wait 30 days for it. With portal access, key aspects of your health information are affirmatively provided to you promptly after a doctor visit or an inpatient stay in a hospital.

These early health care portals were an important milestone in the fight to empower patients with their data. But they also have some significant limitations:

  • With some exceptions, there is little to no portability of the information – you can view it online but the information isn’t easy to download in portable format or upload into a medical or health app;

  • If you receive care from multiple different providers, you don’t have a single place to go to see a more complete picture of your health history; and...

  • The portals include key health information – but a lot of information is likely missing (for example, no x-rays, no pathology reports, no clinician notes – all of which are critical pieces of health information, particularly for someone who is very sick).

Over the past several weeks, we have blogged about the HIPAA Right of Access – how it gives patients the right to all of their health information, to receive it within 30 days in most cases, to receive it in the form and format most convenient for the patient (as long as it is readily producible in that format), and to receive it at low to no cost. We have chronicled how, notwithstanding this right, patients often have to jump through multiple hoops in order to get the information that they need. (And many of you have been sharing your stories, too, using #myhealthmydata. Keep ‘em coming.)

How terrific it would be if all of the information that the patient had a right to under the HIPAA Right of Access could be accessed by the patient – or by an app or online service designated by the patient – with the push of a button or just a few keystrokes, within days or even hours of an encounter with the health care system, as easy as we can access our banking information today.

This capability exists today, but it is not yet available to all patients or for all medical record information. That is changing, however.

Earlier this month, two agencies with the U.S. Department of Health and Human Services – the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS) – issued proposed rules that will significantly improve the ability of patients to use an app or an online service to get more of their health information from their providers’ records, as well as claims information from their health plans. Imagine the ability to get your health information at no charge, and to have that information from all of your providers and health plans, organized in one online account, and able to be shared at your direction and under your control. To have all of that information without having to find a fax machine to submit a written request, without having to make numerous follow-up calls, without having reams of paper mailed to your front door — you just log on, and it’s all there.

Both of these proposed rules are open for public comment (see links above), and it is critical for patients, their caregivers, and other interested parties to submit comments that support patient access rights.

The future for patient access looks quite promising, but at Ciitizen we are also pragmatists.  These changes will not happen overnight — it will take months (if not the better part of this year) for the rules to be finalized. And even after the rules are finalized, it will be two years before the requirements fully kick in. And it will be even more years before all of the information that a patient has a right to under HIPAA is available at the touch of a button.

Cancer patients need all of their data today.

And this is why Ciitizen will continue to pursue all available avenues to get our users all of their health information – and why we will continue to press for improvements to the HIPAA right of access for all patients, whether through direct online connections or by pounding on every door.  

-Deven McGraw


From the very beginning, all of our request letters to health institutions have asked for records to be sent via email, as is the patient’s right under HIPAA. When an institution sends records to Ciitizen using the email address we provide, the information is populated directly into that patient’s Ciitizen profile—no need for manual handling, which introduces risks and opportunity for error. However, more often than not, we get pushback when it comes to digital delivery. Some institutions insist on sending us to their secure portal (which requires entry of a one-time password), or sending the records with password-protected email, even though the request letter acknowledges and accepts any security risks (and, of course, some still insist on sending us reams of paper… see more below). Of course, we are willing to enter the data manually if we need to, but the larger point is that patients should be able to choose email delivery if that’s what they want.

That being said, our blog post for this week is actually a success story, rather than another aggravating anecdote detailing a slew of additional HIPAA violations. It also involves one of the largest non-profit healthcare chains in the United States, an institution that certainly has the technology necessary to service patient requests electronically. Yet, after we initially requested medical records to be sent via email to Ciitizen on behalf of a patient, they instead sent us a stack of paper printouts in the mail.

As you can imagine, we escalated this request in every way possible.

We spoke with the privacy officer, the compliance director, and the health information management director, as well as with employees in the HIM (health information management/records) department on several occasions. Overall, it took one confirmation call, five HIM interactions (meaning phone conversations and/or emails), and two calls with privacy officers to convey our message: we want these records sent electronically.

And in the end we got them to agree to send the records electronically; not just for this particular instance, but for all requests moving forward! Not only did they agree to deliver the data digitally, they did so using technology that easily deposits the records into a portal for patient access—no downloading or emailing necessary! The agreement to use ongoing digital delivery, converting from paper to electronic records, marks one of the largest success stories yet for Ciitizen in our quest to help patients easily obtain their health data.

Large institutions have the resources they can devote to improving their operations, you may say. However, large institutions can sometimes be the hardest with respect to changing their entrenched policies and practices. With some prodding, this particular one did change; relatively quickly, all things considered. We think others—both large and small—can as well. It is our mission to improve the processes for all patients seeking their health information.  

The Email Obstacle

Even people who are pretty sophisticated about the healthcare system – and know their rights under HIPAA – face obstacles in getting copies of their health information.

On Friday, my friend Arien Malec, who has decades of experience in healthcare and life sciences and currently advises the HHS Office of the National Coordinator for Health IT (ONC) as a member of the Health Information Technology Advisory Committee, tweeted this:

Do individuals have the right under HIPAA to get copies of their health information sent to them by e-mail if that’s how they want to receive it?  Yes, they do.

Under the Privacy Rule, individuals have the right to access their health information in the form or format they request, as long as it is readily producible in that form/format (45 CFR 164.524(c)(2)(i)). In guidance, the HHS Office for Civil Rights (OCR) clarified that this right extends to the way the information is delivered to the individual – and OCR has specifically stated in guidance that individuals have a right to receive copies of their PHI by email if they want it this way.

While ordinarily entities covered by HIPAA – doctors, hospitals, and health plans, for example – must send health information securely (such as by using encryption), individuals have the right to get their records by unencrypted email if they ask for it that way. The only obligation of the entity is to “provide a brief warning to the individual that there is some level of risk that the individual’s PHI could be read or otherwise accessed by a third party while in transit, and confirm that the individual still wants to receive her PHI by unencrypted email.” If the individual says yes, “the covered entity MUST comply with the request” (emphasis added).

OCR recognized that entities might be concerned about potentially being held responsible for records sent unsecurely to individuals, so the agency issued even more guidance on this topic, in order to be clear that individuals have the right to get information by unsecure email if that is their choice. Specifically, OCR’s guidance provides that entities are “not responsible for a disclosure of PHI [protected health information] while in transmission to the individual based on the individual’s access request to receive the PHI in an unsecure manner (assuming the individual was warned of and accepted the risks associated with the unsecure transmission).”

And an individual also has the right to have their health information sent by unsecure e-mail directly to a third party designee – such as a personal health record service (like Ciitizen), or to a friend or family member, or even to another health care professional or institution.

Seems pretty clear to me that refusing to honor an individual’s request to get their health information sent by email would be a violation of the HIPAA Privacy Rule.

What about individuals who want to receive their information in a way that is secure? OCR covered that as well. The guidance states that while individuals have the right to receive their health information by unsecure methods, an entity “is not permitted to require an individual to accept unsecure methods of transmission in order to receive copies of her health information.”

Arien Malec is not the only individual who has confronted obstacles in trying to get health information by email. We’ll talk about our experience in trying to help our Ciitizen users get health information via email in our Thursday blog post.

-Deven McGraw

Paper Tiger

Over the past few weeks we’ve detailed some of the more frustrating issues faced by our data retrieval team when following up on patient medical records requests. The goal of each story was to illuminate in detail just how aggravating it can be for someone in dire need of their health data to obtain the information to which they have a legal right under HIPAA. However, for today’s blog post about a patient’s right to request a digital copy of their record instead of paper printouts, we’re not going to beat around the bush. The cold, hard facts are more than enough to illustrate our irritation.

As Deven pointed out on Tuesday, HIPAA requires an institution to provide patients with their records in an electronic format if the data is available as such. In the rare instance that a hospital is still using 100% paper records and has for some reason shunned the last thirty years of computer database technology, the institution must still provide the patient with a digital scan if it is capable of doing so. One would assume that if a hospital is capable of performing a CT scan to create cross-sectional images of the bones, blood vessels, and soft tissues in the human body, it would also be capable of feeding a piece of paper into a piece of plastic. However, as the old adage goes: when you assume, you make an ass out of u and me.

Below are a few anecdotes that highlight the difficulties of this digital struggle, taken from our recent experiences here at Ciitizen:

  • One doctor’s office refused our request form twice, demanded the patient come in person to request the records (which, as we covered in a previous blog, is not allowed), and then proceeded to send paper records to the patient despite numerous interventions on our part to have them sent digitally, as the patient specifically requested.

  • In response to one patient’s request, a large institution on the West Coast sent us an enormous stack of paper, despite numerous phone calls with their privacy official and their security team about using their web portal to transfer the records digitally.

  • A children’s hospital in California required ten separate phone calls, including an additional four calls to the privacy officer and three weeks of non-stop emailing, before a stack of paper showed up in our mailbox, despite the fact the patient had clearly requested the records in an electronic format.

  • A renowned clinic forced us to escalate a patient’s request up the chain of command more than five times before we were eventually sent paper records instead of the digital data the patient requested.

  • We spent hours tracking down the privacy officer of a major East Coast health network, where the patient’s request specified that her digital health record be sent to us via email (with the required acceptance of any security risks). Two weeks later we received the patient’s paper records in our mailbox.

The raison d’être of Ciitizen is to provide patients with a digital profile of their complete health history because medical records are far easier to search and share when they’re in a digital format. Rather than spend forty-five minutes digging through binders of paper printouts, an oncologist can quickly access the digital information he or she needs to plan treatment, and the patient can easily send that data out for second and third opinions. There’s no debate: information moves faster and is easier to manage when it’s in a digital format. Yet, despite HIPAA’s requirement that health institutions provide patients with at least a PDF or an electronic scan of paper records, we’re still getting giant paper envelopes on our doorstep (and often these giant paper envelopes are clearly digital printouts!).

Cancer patients — actually, all patients — deserve better.  

Digital Delivery

Almost any information can be delivered digitally these days, whether it comes directly from a digital database or as a PDF scan attached to an email, and the privacy rules surrounding the release of medical records have taken these modern capabilities into account for patients requesting their health data. Under the HIPAA right of access, individuals have the right to get copies of their information in the form or format they want — as long as it is “readily producible” in that format (i.e., the hospital or doctor is capable of producing it and doesn’t have to go out and buy new software to meet the individual’s particular format) (45 CFR 164.524(c)(2)(i)). That means a digital scan can be requested over a physical paper copy, so long as the hospital in question has evolved beyond the fax machine.

But the rule is even more specific when it comes to getting an electronic copy of your health data. If the information requested by the individual is maintained electronically (for example, if it is in an electronic medical record, or in software that stores electronic documents), and if the individual requests an electronic copy of that information, the covered entity (doctor, hospital, lab, pharmacy, health plan, for example) “must provide the individual with access to the protected health information in the electronic form and format requested by the individual.” If it is not available in the particular electronic form and format requested by the individual, it must be in a “readable electronic form and format as agreed to by the covered entity and the individual” (45 CFR 164.524(c)(2)(ii)).

In other words, it is NEVER acceptable to provide an individual with paper copies of a digital record, unless the individual has specifically asked for paper copies — or the rare instance where the individual refuses to accept any reasonable digital options (such as PDF) that the entity can readily produce. In the words of OCR, “individuals who request electronic access to PHI maintained electronically can be diverted to receiving a paper copy only in circumstances where all of the covered entities’ existing capabilities for readily producing electronic copies have been presented to the individual, but the individual has determined that those formats are not acceptable to her.” If the information is stored digitally, it must be delivered digitally if the patient has requested it as such.

But what if the information the individual is requesting is actually maintained on paper (for example, a record that was created prior to the more widespread adoption of electronic medical records by doctors and hospitals and the information in that record was never scanned into the electronic medical record)? Even in that case, the individual has the right to get that information digitally if the covered entity has a scanner and can readily scan the paper record into electronic format. The rule doesn’t require hospitals to purchase a scanner in the absence of one, but I have to ask: what records office doesn’t have a scanner in 2019?

And while entities are not required to go out and buy new software just to meet an individual’s format request (even though scanners can be had for less than $100 these days), entities that maintain protected health information digitally must have the capability to provide some form of readable electronic copy of that information. According to OCR, “this means that some covered entities may need to make some investments (which cannot be charged to individuals) in order to meet this baseline requirement” (i.e. shelling out $100 or less for a scanner).

Finally, when an individual asks for a particular form and format, such as seeking PHI in digital format, the question of whether the entity can “readily produce” it in the requested form or format is a “matter of capability, not willingness.” An entity cannot decline to provide the individual’s requested form or format because the entity would prefer that the individual accept another format, or because another format is part of the entity’s customary record processes. It cannot be a policy decision. If a hospital is capable of digitally scanning a patient’s records (which they all should be), then it must do so at the patient’s request.

And the vendors who perform this service on behalf of hospitals and doctors must play by these same rules.

-Deven McGraw

The Signature Burden

CMS Administrator Seema Verma, who attended this month’s HIMSS Annual Meeting, tweeted “[w]e can sequence the entire human genome, but we still can’t get much more than a print-out, fax or CD ROM when we leave the doctor’s office.”

Indeed. If we can even get that.

At a time when legal transactions happen every day with digital signatures, tax returns are filed electronically online without the slightest hint of pen ink, and mobile banking has made a physical trip to the bank obsolete, it is beyond befuddling that patients struggle to get their digital requests for their health information honored.

When we first started helping patients use their HIPAA right of access to get their health information, we used Docusign to obtain their signatures. After all, many of us had successfully used Docusign to sign an array of legal documents, and Docusign advertises that its signatures are compliant with the Federal E-Sign Act. But two very large hospitals in Silicon Valley - the epicenter of technological innovation - flat-out rejected the use of Docusign, requiring further hurdles to access medical records. The only option available for those early patients? Printing out the request, physically signing it with a pen, and then scanning it for submission via email. Not all patients have this capability readily at hand.

Working from these frustrating experiences, Ciitizen has since developed new software that captures a patient’s actual signature on the screen, rather than the makeshift representation often used in Docusign. The release request, including the patient’s signature, is submitted to the patient’s medical provider, along with a copy of their government issued ID, which also includes the patient’s signature.

To reiterate: we’re providing medical institutions with the patient’s actual signature, captured digitally, plus official photo ID, also with a signature, and yet even this level of verification hasn’t worked 100 percent of the time.   

This method was rejected twice by a cancer specialist’s office because “it wasn’t a close enough match to what they held on file for the patient in question” (after it was rejected the first time, we asked the patient to e-sign the records request again). After multiple calls up the food chain to various members of this doctor’s office (including the doctor himself), this cancer patient was left with no other choice than to physically drive to the office and make an in-person plea to have records sent to us, the patient’s designee.

One truly could not ask for a clearer example of imposing a burden on the patient’s exercise of her HIPAA access rights, although we must note: this approach worked for 16 other separate PHI or imaging requests to a plethora of providers, including three of the largest healthcare organizations in the U.S. However, based on this experience, we have legitimate concerns that we will continue to get pushback when using this approach with other organizations.

Why did this particular cancer specialist’s office push back so hard on the request? Because, claimed the doctor’s office, “they were not convinced that this was a genuine request by the patient.” But the only way the office would resolve this was to require a physical request by the patient. Since requiring in-person appearance is not consistent with the HHS Office for Civil Rights (OCR)’s guidance on compliance with the right of access, this cannot be the answer. It’s a violation of the patient’s right of access.

So where does that leave the patient? Undoubtedly in a tricky and sensitive situation if they intend to continue seeing this doctor. Is it fair to ask patients to take on the role of unpaid privacy/compliance advisor, oh-so-gently pointing out to their doctors and hospitals that perhaps it’s time to get their policies and practices updated before OCR starts to enforce this right more aggressively, which they have recently said they are going to do? Or there is the more aggressive option, which involves the patient reporting this clear HIPAA violation to OCR? Although there is no guarantee that OCR will investigate a particular complaint, certainly nothing will change if these violations go unreported.

A Digital Dilemma

Under the HIPAA Privacy Rule, a doctor or hospital may require individuals to make requests for their records in writing, and in the case where the individual is asking for his or her records to be sent directly to a third party designee, the request is required to be “in writing, signed by the individual,” and it must “clearly identify” both the third party designee and where to send the copy of the information (45 CFR 164.524(c)(3)(ii)). However, the HHS Office for Civil Rights (which develops policy for and enforces the HIPAA Privacy Rule) has said in guidance that doctors or hospitals cannot require individuals to make their requests for information in person, or by mail — so how else can an individual, signed request for information be submitted?

Via the internet, of course; the medium with which countless people around the world communicate on a daily basis. For example, many of us have used the online service Docusign to apply a digital signature that is acceptable in other contexts, such as signing for a loan, submitting documents to governmental authorities, or enacting a residential lease. Yet, we’ve found that Docusign doesn’t seem to pass muster when it comes to patient requests for their health records!

OCR has clearly said that “the Privacy Rule allows for electronic documents to qualify as written documents for purposes of meeting the Privacy Rule’s requirements, as well as electronic signatures to satisfy any requirement for a signature, to the extent the signature is valid under applicable law.” (78 Federal Register 5566, at 5634 (Jan. 13, 2013)). HIPAA itself has no specific standards for electronic signatures, but the Federal E-Sign Act broadly recognizes the validity of electronic signatures in most contexts (there are exceptions, but none apply to the circumstance of patients seeking their health information).

Therefore, individuals seeking to have copies of their health records sent to Ciitizen or any third party of their choice should be allowed to submit a digital request that includes a digital signature, right?

The answer should be yes, yet we have found that too many health care providers “do not accept electronic signatures” on patient requests for access (a direct quote from some of the rejections we have received). While it is true that the Privacy Rule does not include an express requirement to accept an electronic signature on a patient request for access and, as far as I can tell, the Federal E-Sign Act does not require an entity to accept an electronic signature, I have to ask: should the rejection of such a signature, when it meets reasonable commercial standards for acceptability, be seen as imposing a burden on individuals seeking to exercise their access rights?

See our blog post on Thursday for more on our experiences submitting electronic requests on behalf of our users with a digital signature.

-Deven McGraw