The Signature Burden

CMS Administrator Seema Verma, who attended this month’s HIMSS Annual Meeting, tweeted “[w]e can sequence the entire human genome, but we still can’t get much more than a print-out, fax or CD ROM when we leave the doctor’s office.”

Indeed. If we can even get that.

At a time when legal transactions happen every day with digital signatures, tax returns are filed electronically online without the slightest hint of pen ink, and mobile banking has made a physical trip to the bank obsolete, it is beyond befuddling that patients struggle to get their digital requests for their health information honored.

When we first started helping patients use their HIPAA right of access to get their health information, we used DocuSign to obtain their signatures. After all, many of us had successfully used DocuSign to sign an array of legal documents, and DocuSign advertises that its signatures are compliant with the Federal E-Sign Act. But two very large hospitals in Silicon Valley - the epicenter of technological innovation - flat-out rejected the use of DocuSign, requiring further hurdles to access medical records. The only option available for those early patients? Printing out the request, physically signing it with a pen, and then scanning it for submission via email. Not all patients have this capability readily at hand.

Working from these frustrating experiences, Ciitizen has since developed new software that captures a patient’s actual signature on the screen, rather than the makeshift representation often used in DocuSign. The release request, including the patient’s signature, is submitted to the patient’s medical provider, along with a copy of their government-issued ID, which also includes the patient’s signature.

To reiterate: we’re providing medical institutions with the patient’s actual signature, captured digitally, plus official photo ID, also with a signature, and yet even this level of verification hasn’t worked 100 percent of the time.   

This method was rejected twice by a cancer specialist’s office because “it wasn’t a close enough match to what they held on file for the patient in question” (once it was rejected the first time, we asked the patient to e-sign the records request again). After multiple calls up the food chain to various members of this doctor’s office (including the doctor himself), this cancer patient was left with no other choice than to physically drive to the office and make an in-person plea to have records sent to us, the patient’s designee.

One truly could not ask for a clearer example of imposing a burden on the patient’s exercise of her HIPAA access rights, although we must note: this approach worked for 16 other separate PHI or imaging requests to a plethora of providers, including three of the largest healthcare organizations in the U.S. However, based on this experience, we have legitimate concerns that we will continue to get pushback when using this approach with other organizations.

Why did this particular cancer specialist’s office push back so hard on the request? Because, claimed the doctor’s office, “they were not convinced that this was a genuine request by the patient.” But the only way the office would resolve this was to require a physical request by the patient. Since requiring an in-person appearance is not consistent with the HHS Office for Civil Rights (OCR)’s guidance on compliance with the right of access, this cannot be the answer. It’s a violation of the patient’s right of access.

So where does that leave the patient? Undoubtedly in a tricky and sensitive situation if they intend to continue seeing this doctor. Is it fair to ask patients to take on the role of unpaid privacy/compliance advisor, oh-so-gently pointing out to their doctors and hospitals that perhaps it’s time to get their policies and practices updated before OCR starts to enforce this right more aggressively, which they have recently said they are going to do? Or there is the more aggressive option, which involves the patient reporting this clear HIPAA violation to OCR. Although there is no guarantee that OCR will investigate a particular complaint, certainly nothing will change if these violations go unreported.