New Release of The Patient Record Scorecard: Reasons for Optimism – But Still Too Much Noncompliance with HIPAA

November 12, 2019
By Ciitizen

On August 14, 2019, Ciitizen released the first Patient Record Scorecard (Version I), evaluating individual health care providers' compliance with the right, under the HIPAA Privacy Rule, of individuals to access and receive copies of their health information (the HIPAA Right of Access). On November 12, we will release Version II of the Patient Record Scorecard, with refreshed scores for the initial providers and scores for over 150 new providers.

Spoiler alert: while 51% of providers scored are still either not compliant with the HIPAA Right of Access or needed significant intervention to become compliant, the percentage of providers seamlessly providing access or exceeding HIPAA's requirements appears to be increasing. There is reason to hope that access is improving. Major learnings:

The Good: providers are improving their focus on patient access

  • Providers delivering seamless access to patient records increased from 30% to 40%

The Bad: many providers still need major improvement

  • Roughly half (51%) of providers continue to be noncompliant with the HIPAA Right of Access or need significant intervention to be compliant
  • Sending records in the form and format requested by the patient continues to be the biggest reason for noncompliance with HIPAA

The Bad: too much patient follow-up required

  • When we decreased follow-up calls to medical records departments, it took them longer, often beyond the 30-day HIPAA limit, to send records
  • Compliance is inconsistent

Why are we doing this? We published the Scorecard to improve compliance with the HIPAA Right of Access, not just for Ciitizen users but for all patients. We have gone about this effort in a systematic way and continue to publish all results via medRxiv to allow for review and comment prior to submission to a peer-reviewed journal (we updated the paper to reflect the more recent scores, but the original version will still be available on medRxiv). We plan to continue this refresh every few months.

Introducing Scorecard Version II

Version II of the Scorecard rates a total of 210 providers, scored between February 10, 2019 and September 30, 2019, on a scale of 1 to 5 stars. This total includes the 51 providers scored in Version I, whose scores are based on the latest patient request submitted to them.

The results?

We still have a lot of work to do to improve compliance with the HIPAA Right of Access, but there is reason to be hopeful. Overall, 51% of scored providers were either noncompliant or required significant intervention to become compliant. However, 40% were compliant with seamless access for patients or went above and beyond what HIPAA requires.

Figure A: Compliance with HIPAA based on 210 healthcare providers

A detailed analysis of the results can be found at

Comparing the results from the first 51 providers (Cohort I) to those of the new (150+) providers (Cohort II)

In this blog post we compare the first cohort of providers scored in Version I of the Scorecard (51 providers, with requests submitted between February 10 and July 2, 2019) with the 169 providers who made up the second cohort (requests submitted between July 3, 2019 and September 30, 2019). Of note: some providers are in both cohorts.

More providers received 1 star (out of compliance) in Cohort II. For the second cohort of providers, 51% received a one-star rating, a significant increase over the percentage who received one star in Cohort I (27%). Why did this happen? It could be that the small sample size for Cohort I did not yield reliable results. But we also treated Cohort II slightly differently from Cohort I with respect to how frequently we got on the phone to escalate requests. In Cohort I, many more providers scored two or three stars because they required escalation calls to supervisors or privacy officials to ensure compliant responses (three stars = one escalation call, two stars = two or more escalation calls). In Cohort II, we called providers less to ensure compliance, and we believe that is reflected in the scores they achieved. See Figure B below.

Figure B: Comparison of Cohort I and Cohort II

Form/format of records is still a key area of noncompliance. Sending records in the form and format requested by the patient (as long as that form/format is readily producible) continued to be the Achilles heel for providers that are out of compliance with the HIPAA Right of Access: 86% of noncompliant providers in the second cohort were out of compliance for this reason (compared to 85% in the first cohort). See Figure C below.

Figure C: Reasons for One-Star Rating

When we were analyzing the data for the second cohort, we noticed something interesting: many providers who were noncompliant due to form/format would have received four or five stars if they had been allowed to send records in any digital format. We re-analyzed the Cohort II data, waiving the "form and format" requirement of the HIPAA Right of Access for providers that delivered records in any format other than paper (our users' requests clearly ask for electronic data). The results? Of the 86 providers in the second cohort who were not HIPAA compliant, 65 (76%) would have been compliant if they were allowed to send the information in any digital format (CD, fax, or encrypted email). Of those 65:

  • 25 (38%) would have been five star providers (the information was sent in under five days, without requiring the patient to complete a specific form, and for free);
  • 25 (38%) would have been four star providers (seamless, compliant process);
  • 11 (17%) would have been three star providers (one escalation call); and
  • 4 (6%) would have been two star providers (two or more escalation calls).

The high percentage of providers who would be compliant but for form/format suggests that efforts to automate access through open-standard APIs, which take the form and format issue off the table, will go a long way toward resolving a major compliance obstacle. (Note: we also did this analysis for all 210 providers in Scorecard Version II and the numbers were similar; please see the full paper for details.)

As a company, Ciitizen can handle data in any format sent to us. It is tempting to reward providers who are getting records to patients or their designees seamlessly and promptly, regardless of the format, especially since so many of them would have earned top scores. But ultimately we decided the Scorecard should continue to reflect HIPAA compliance. Form and format is an aspect of the law that is very important to patients, who often can't accept a fax or CD, or for whom encrypting data creates a barrier (the encryption can "stick" to the data, and the password typically expires within 30 days or less). OCR's guidance emphasizes that patients can choose convenience over security in getting their records (for example, unencrypted e-mail, once they have been warned of the risk), and providers (or their vendors) who ignore this aspect of a patient's request are placing obstacles in the path of patients exercising their HIPAA Right of Access.

Getting records for patients still takes work. As noted above, for the first cohort, with only 51 providers, we took the time to follow up, educate, and push providers to comply and to get records back to us in a HIPAA-compliant way within 30 days. This involved a lot of phone calls, including escalations to HIM supervisors and privacy officials.

Figure D: Phone Calls for Cohort I

For the second cohort, with the larger volume of requests, we made fewer escalation calls (and as a result, fewer providers landed in the two- and three-star categories).

Figure D: Phone Calls Cohort I vs. Cohort II

However, as a result of fewer escalations, in Cohort II as many as 20% of noncompliant providers did not return records within the required 30-day timeline. No providers in Cohort I were late in returning records.

Even though Ciitizen did fewer escalations for the second cohort, the amount of time spent on the phone following up on and escalating records requests is still considerable.

Figure E: Examples of Phone Call Times in Cohort II

The amount of time required on the phone, and the fact that escalation calls to supervisors and privacy officials are often necessary to ensure that records are provided to patients or their designees in a way that is fully compliant with HIPAA, demonstrate the importance of services like Ciitizen in ensuring individuals can meaningfully exercise their HIPAA Right of Access.

Good News (Mostly)

More 4- and 5-star providers! In Cohort II, 41% of providers scored either 4 stars (seamless process) or 5 stars (above and beyond what HIPAA requires). In comparison, only 30% of providers in Cohort I earned the highest star ratings. (See Figure B1.) This increase could be an artifact of our small sample sizes, but the data is encouraging. Bottom line: there are providers who are working hard to meet the records needs of their patients, and that is reason to celebrate.

We saw some improvement among the ten providers in Cohort I to whom we also submitted requests for Cohort II, but consistency is still an issue. Two providers on the original Scorecard improved, five providers' scores dropped, and the remaining three stayed the same.

Example of Score changes

Finally, Scorecard providers are continuing to accept any request form sent by the patient, and to accept the patient's request form by e-mail or by fax, which is a prerequisite to achieving even one star in the Scorecard. This is not insignificant, as these easy pathways to make requests help reduce obstacles for patients trying to get their records. And to date, fees out of compliance with HIPAA have not been an issue, but in some cases we believe this is because Ciitizen escalated (and successfully resolved) attempts to charge fees not permitted by HIPAA.

We are committed to continuing to release an updated Patient Record Scorecard every few months, so stay tuned for more. We will continue to conduct free webinars to educate providers on the HIPAA Right of Access requirements, and we remain hopeful that the scores will improve in Version III.