Stories of HIPAA Non-Compliance

January 15, 2019
Read Time: 4 min
By Ciitizen

Back in July 2018, Ciitizen began collecting medical records to populate accounts for the initial users of its platform.

I was excited to put my knowledge of the HIPAA right of access, and my experience in drafting HHS 2016 guidance to help improve compliance with that right, into practice.

I suspected we would face some obstacles — after all, complaints about the inability to fully exercise the HIPAA access right have been among the top five categories of complaints received by the HHS Office for Civil Rights (OCR) since the right went into effect. But I had no idea then just how frustrating — and frankly depressing and demoralizing — the experience of obtaining medical records would be. The story I’m telling today is but one of many, sadly.

On July 27, 2018, Ciitizen emailed a letter to a large hospital in Colorado, seeking all records included in our user’s “designated record set” (which is all information that individuals have a right to under HIPAA) between 1999–2004 (encompassing the time period when our user had received services in that hospital). According to its website, this hospital accepted patient requests for information via email, which we were pleased to see (it helps avoid the delays associated with having to send the requests by mail). Our letter cited HIPAA requirements and guidance, and was digitally signed by the user via Docusign (which is a digital signing service that is super convenient for users and that I have used in the past to legally sign home and stock purchase documents). The letter also indicated that the records should be emailed to Ciitizen. We pressed “send” on the email, anticipating that we would receive the requested records within the required 30-day timeframe (by August 25, 2018).

On August 16, 2018, we received via regular mail a letter from a records release vendor working for the Colorado hospital. The letter stated there was a “discrepancy” between the signature on the request letter and the “signature on file.” It indicated we could provide a copy of the patient’s valid ID with an authorization signed by the patient, or we could have the signature notarized. Our user indicated that the least burdensome path for them would be to re-sign and scan the request letter and provide a driver’s license copy.

Of note: the letter also indicated that we were to re-submit this request for documentation by mail to the Colorado hospital. So much for the use of email to speed up the process! On August 21, 2018 (very close to the original 30-day deadline for release of records), we mailed to the indicated address the re-signed request, plus a copy of the user’s driver’s license.

On August 29th, we received an email from yet another vendor to the Colorado hospital indicating they had “inadvertently received the attached documentation” (our user’s resubmitted records request, plus driver’s license copy), adding “which I believe was meant to be returned to you.” The email also stated “[i]n regards to this matter, please see the first page for instructions on sending it back to our retention center for processing.” Since we had re-submitted the request exactly as directed, on August 31 we emailed the re-submitted request — along with a cover email documenting each step of this wild goose chase — to the original email address the Colorado hospital had indicated on its website for patient requests.

Note that we are now more than a month past our original request, with much of the delay resulting from the use of mail to return the original request to us, along with inaccurate instructions on how to mail a request that would meet their specific criteria. Ciitizen’s initial users are all individuals who have — or have had — cancer, and the time spent to get records is therefore critical.

Finally, on October 19, 2018 we received a letter by mail (dated September 30, 2018!) from the Colorado hospital’s initial medical record vendor indicating “[w]e no longer have any information on this patient for the date(s) specified. The medical record has been purged, because we only hold records for ten years.” We reconfirmed this information by phone directly with the hospital’s medical records department. Our Ciitizen user was disheartened, as the user believed information from care received at that hospital could be relevant to a later cancer diagnosis. This information is now forever lost to further inquiry.

Although it is understandable that records would not be kept by the hospital indefinitely, the hospital and its vendor could have checked this much earlier in the process. And the process was inexplicably and unnecessarily drawn out for almost three months due to a slow response from the vendor, coupled with the use of mail by either the hospital or its vendor for most correspondence, despite being in possession of (and in some cases actually using) a Ciitizen email address. It is also a textbook example for why it is critical for patients to get copies of their information promptly after being in the hospital or seeing the doctor.

To add insult to injury, although we received no records, we did receive an invoice from this vendor for a $14.00 “basic fee,” plus tax — a total of $15.23 (HIPAA does not permit a charge of a “basic fee” for a HIPAA patient right-of-access request). We have had to send further correspondence disputing these impermissible charges, as the vendor is still trying to collect.

This is a particularly frustrating example of the infuriating maze that people are often forced to navigate in trying to obtain their medical records. We think these stories need to be told, in an effort to motivate greater compliance with HIPAA’s access rights.

Stay tuned, as we intend to tell them.

-Deven McGraw

Originally published at on January 15, 2019.
