The Patient Record Scorecard: New Features, Room for Public Comment

April 5, 2021
Read Time: 6 min
By Ciitizen

For more than two years, Ciitizen has maintained the Patient Record Scorecard, which evaluates how well health care providers comply with the HIPAA Privacy Rule's right for individuals to access and receive copies of their health information (the HIPAA Right of Access). As has always been the case for the Scorecard, the providers range from solo physician practices to community hospitals and integrated delivery systems.

Today we announce several important changes to the Patient Record Scorecard:

  • The Scorecard will refresh every week. New providers will regularly be added to the Scorecard, and scores for existing providers will always reflect the most recent record processing experience. The Scorecard has grown, from the initial 51 providers scored in Version I of the Scorecard (August 2019) to nearly 3400.
  • There is now a public comment feature for each provider’s score. Provider scores for the Scorecard have always been based on a provider’s response to HIPAA requests for records submitted by Ciitizen users, because we are able to track, consistently document and evaluate that experience. But we still want the Scorecard to improve compliance with the right of access for all patients requesting their health information. Adding a public comment feature takes another step toward that goal. Go ahead and look up your health care provider – if they have been scored, you will see a place for public comment. If we scored your provider a 5, which is the top score, and your experience was different, we invite you to constructively comment. If we scored your provider a 1 (not compliant with HIPAA), and your experience was much better, we hope you will add a comment. Or even if your experience was consistent with ours, we hope you will comment.
  • Each provider’s score now indicates whether or not they use a medical records vendor (often called a release of information or ROI company). We have found that these vendors – companies that help providers comply with the HIPAA Right of Access – have a significant impact on whether or not a provider is in compliance, and more importantly, whether the record request process is seamless or full of obstacles like multiple phone calls and delays. We have not reached the point of scoring those vendors, because their customers – the providers – are the ones legally responsible for complying with HIPAA. But we are considering ways in future iterations of the Scorecard to more specifically acknowledge and vet the contributions of these vendors.

We also have made some minor changes in our scoring methodology (see more details below). Of note: we now have a score of 0 for providers who never provided records in response to a Ciitizen user request.  


Each provider is scored from 0-5 stars based on how they responded to the latest request from a Ciitizen user. We have made some tweaks to the Scorecard methodology – noted below – but the basic measurement framework has been consistent.

  0. Provider does not provide records notwithstanding the patient’s request. This is a new scoring category.
  1. Records were provided, but the response was out of compliance with one or more key components of the HIPAA Right of Access (for example, the records were not provided within 30 days, or the form and format of the response did not meet the patient’s request in a situation where the records should have been “readily producible in that form and format”).
  2. Records were provided in compliance with HIPAA, but only after the request had to be escalated to a supervisor or privacy officer to ensure the request was fulfilled per the Right of Access. (Note: previously, we scored providers a 2 only if it took two or more calls to supervisors or privacy officers. But since the Right of Access has been the law for more than two decades – and it should be common knowledge that OCR is now actively enforcing this right – we decided that any escalation of a request just to meet the requirements of HIPAA should merit a score of 2.)
  3. Records were provided, but it took 3 or more follow-up phone calls with front-line staff to get the request fulfilled per the Right of Access. (Note: previously, we did not score requests based on how many phone calls it took to get the records, but having to make multiple phone calls can be a significant obstacle for patients seeking their records. We decided that requiring this much effort just to get records in compliance with the law should merit a score of 3.)
  4. Record requests are fulfilled through a seamless process (no escalation phone calls needed, few – if any – follow-up phone calls).
  5. Response goes above and beyond HIPAA requirements: the records office accepts a patient request letter in any form, fulfills the request within 5 days of receipt with no escalations or excessive follow-up calls, and charges no fee.

Of note:  any changes in our methodology have been applied to all providers on the Scorecard, not just those who have been scored more recently. 
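To make the scoring rules concrete, the following is an added Python example, not Ciitizen's own code: it encodes the six rules as a scoring function and computes the same kind of top-line percentages the Scorecard reports over a set of constructed request outcomes. The field names, the precedence of the rules (the worst applicable rule wins) and the decision to count scores 0 through 2 as "noncompliant or needing intervention" are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class RequestOutcome:
    """One record request and how the provider responded (field names are assumptions)."""
    records_provided: bool
    days_to_fulfill: Optional[int]   # None when records never arrived
    format_matched: bool             # requested form/format honoured when readily producible
    escalated: bool                  # needed a supervisor or privacy officer
    follow_up_calls: int             # calls to front-line staff after the request
    fee_charged: bool
    accepted_any_form: bool          # records office took the request letter in any form

def score(o: RequestOutcome) -> int:
    """Map an outcome to the 0-5 Scorecard score; worst applicable rule wins (assumption)."""
    if not o.records_provided:
        return 0                      # new category: never provided records
    if o.days_to_fulfill > 30 or not o.format_matched:
        return 1                      # out of compliance with the Right of Access
    if o.escalated:
        return 2                      # compliant only after escalation
    if o.follow_up_calls >= 3:
        return 3                      # compliant, but 3+ calls to front-line staff
    if o.days_to_fulfill <= 5 and not o.fee_charged and o.accepted_any_form:
        return 5                      # above and beyond HIPAA
    return 4                          # seamless process

def topline(outcomes: List[RequestOutcome]) -> dict:
    """Top-line percentages; scores 0-2 counted as noncompliant/intervention (assumption)."""
    scores = [score(o) for o in outcomes]
    pct = lambda keep: 100 * sum(1 for s in scores if keep(s)) / len(scores)
    return {"noncompliant_or_escalated": pct(lambda s: s <= 2),
            "score_5": pct(lambda s: s == 5),
            "top_scores": pct(lambda s: s >= 4)}

# Constructed sample outcomes (not real provider data): one per rule plus two edge cases.
SAMPLE_OUTCOMES = [
    RequestOutcome(False, None, False, False, 0, False, False),   # never sent -> 0
    RequestOutcome(True, 45, True, False, 0, False, True),        # later than 30 days -> 1
    RequestOutcome(True, 20, True, True, 1, False, True),         # escalated -> 2
    RequestOutcome(True, 25, True, False, 4, False, True),        # 4 follow-up calls -> 3
    RequestOutcome(True, 10, True, False, 1, False, True),        # seamless -> 4
    RequestOutcome(True, 3, True, False, 0, False, True),         # 3 days, no fee -> 5
    RequestOutcome(True, 3, True, False, 0, True, True),          # fee charged blocks the 5 -> 4
    RequestOutcome(True, 10, False, True, 0, False, True),        # wrong format AND escalated -> 1
]

if __name__ == "__main__":
    print([score(o) for o in SAMPLE_OUTCOMES], topline(SAMPLE_OUTCOMES))
```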

Why are we doing this? We continue to publish the Scorecard to improve compliance with the HIPAA Right of Access – not just for Ciitizen users, but for all patients. We have gone about this effort in a systematic way, including publishing a paper in medRxiv with the results of prior versions of the Scorecard and a survey of nearly 3000 hospitals and health care systems on how they respond to patient access requests. The impact of the Scorecard was the cover story in the March 2020 issue of For the Record, a publication for health information management professionals. An abstract based on the original Scorecard findings was peer-reviewed and accepted for presentation at the annual conference of the International Society for Pharmacoeconomics and Outcomes Research (ISPOR).

Latest Scorecard Metrics 

In the last version of the Scorecard, we reported significant improvements in provider performance, with a dramatic increase in the percentage of providers achieving top scores of 4 or 5, and a significant decrease in noncompliant providers.  That improvement trend continues. 

Top line results: 

  • Percentage of providers noncompliant (or needing intervention from supervisors or privacy officials to get compliant) has further dropped from 27% to 20%. 
  • Percentage of providers receiving the highest score of 5 – going above and beyond what HIPAA requires – remained steady at 28%.
  • Percentage of providers receiving top scores by providing seamless access or going above and beyond what HIPAA requires increased from 67% to 74%.

For providers out of compliance, 28% are not sending information in the form or format requested by individuals, even in circumstances where the information should be readily producible in that format (for example, the records are maintained digitally and electronic copies are requested, but paper copies are sent). The biggest reason for noncompliance? Not sending records within 30 days (69%). Just 4% of patient requests had to be escalated to supervisors or privacy officials to achieve compliance (down from 9%). Only 8% of requests required multiple (3 or more) phone calls to staff to obtain records.

Why are scores continuing to improve? The small sample sizes in the earlier versions impacted the strength of the conclusions we could draw from the results. But the last two versions – with much larger sample sizes – are showing consistent improvement. Multiple factors could be combining to help drive improvements, including: 

  • Greater emphasis on the right of individuals to access their health information due to upcoming rules from the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS) that would make it easier for individuals to access their health information and 
  • Greater enforcement by OCR of the HIPAA Right of Access (16 cases settled in the past two years). 

Why We Don’t Score Fees Charged by Providers 

The HIPAA Privacy Rule limits the fees that can be charged to patients for copies of their medical records. However, it is unclear whether these fee limitations apply when the patient asks for her records to be sent to her personal health record or “app.” On January 23, 2020, a federal District Court judge issued an opinion allowing higher fees to be charged in many instances when individuals seek to have copies of their health information sent directly to “third parties.” 

Users of Ciitizen typically ask for their records to be sent to Ciitizen for population in their accounts.  But because of uncertainty regarding application of this court ruling to personal health records or apps chosen by patients, we refrain from judging whether fees that are charged to Ciitizen users for having their records sent directly to Ciitizen are “compliant” with HIPAA. Instead, the Scorecard just reports any fees that are charged to Ciitizen users. Because only 7% of providers charged any fees, this amount is reported just as part of each provider’s individual score. 

What’s Next

We will report quarterly on Scorecard results.  We are also considering how to expand the Scorecard to include compliance with ONC and CMS’ interoperability rules, including the Information Blocking Rules, due to go into effect later this year and next year – at least with respect to patient access.  So stay tuned!
