The Patient Record Scorecard: What is it and Why we did it.

August 14, 2019
By Ciitizen

Today we launched an initiative aimed at eliminating the friction that too many patients face when trying to get their health records. It’s called the Patient Record Scorecard - and in it we have scored, from 1–5 stars, how healthcare providers responded to actual patient requests for their health records. But before I give you more details on the Scorecard, I want to explain why we decided to take this step.

During my tenure as Deputy Director for Health Information Privacy at the HHS Office for Civil Rights (OCR), OCR issued comprehensive guidance on the right of individuals to access, and obtain a copy of their health information (the Right of Access). I knew before I came to OCR that individuals had struggled to get their health information, and that noncompliance with the Right of Access was widespread. I was proud that we issued this guidance and thought it would make a difference for patients.

I came to Ciitizen in 2017 to help enable patients, beginning with cancer patients, to use their HIPAA Right of Access to have their health records at the ready, so they can seek second opinions, determine eligibility for clinical trials, and donate their data for research. With the OCR Right of Access guidance front of mind, I was confident we could help our users gather their health information with little (if any) friction.

Boy, was I wrong. Sadly, the guidance seems to have made little difference in helping patients easily exercise their HIPAA Right of Access in gathering records from their medical providers.

When we started helping our initial beta users to gather their medical records, we encountered so many roadblocks that we started blogging about them:

We are far from the only ones who have been vocal about patient struggles to get their health information. To name a few:

Regina Holliday painted a mural about her futile efforts to get her husband’s medical records when he was dying of cancer.

E-Patient Dave deBronkaart issued his call to action, Gimme my Damn Data, based on his experience.

Ross Martin wrote the movement’s anthem (Gimme my DaM (data about me) Data).

The National Partnership for Women and Families published their website,, to educate consumers about the right of access and to collect stories from individuals regarding their attempts to access their data.

And in October 2018, researchers at Yale published research in JAMA Network showing that medical record release processes at many of the nation’s top hospitals were out of compliance with HIPAA.

What was one thing most of these efforts had in common? Only a few named the particular providers whose patient record access processes were difficult (if not impossible) for patients to navigate.

On the one hand, if the problem of patient access is as ubiquitous as it appears to be, then all providers and payers need to step up and fix it. And in the case of individual patients, they may not have wanted to risk disruption of relationships with their medical providers.

But we see parallels between patient record access and the healthcare quality movement. A 2001 Institute of Medicine Report, Crossing the Quality Chasm, revealed significant problems with the quality of healthcare delivered in the U.S. and gave birth to the modern healthcare quality movement. A significant strategy in improving quality involves measuring and publicly reporting on provider performance - by specific provider. At the time the Crossing the Quality Chasm report was released, no provider thought they were providing less than quality care - but measuring and reporting on care quality, by provider name, using agreed upon standards, has moved the needle.

We decided to take a page out of the healthcare quality measurement playbook.

Today we released the results of a scorecard, rating the specific performance by name of 51 providers in responding to genuine patient access requests.

These are all requests submitted by Ciitizen users, requesting that their medical records be sent in digital form to Ciitizen for uploading into their Ciitizen profiles. The providers were rated from one to five stars based on whether they responded in compliance with HIPAA Privacy Rule regulations and guidance on the Right of Access. Those who established easy processes for record access - and who went above and beyond what HIPAA requires - were given bonus stars.

We plan to refresh the scorecard every few months based on the most recent record requests sent to a particular provider - so improvement and consistency in good performance can be rewarded (and consistency in poor performance can also be brought to public attention).

In conjunction with the scorecard, we also released a survey of 3003 hospitals and healthcare systems who responded to anonymous questions about their record release processes. Their responses suggest that 56% of health care providers are out of compliance with one or more aspects of the HIPAA Right of Access.

We have published a white paper on the scorecard and survey in medRxiv and we will be submitting the paper for formal publication in a peer reviewed journal. We also have established a website - - to display the results of both the scorecard and the survey, for each provider by name.

We recognize that providers may be unhappy about their potential noncompliance with HIPAA being under the spotlight. But because all providers routinely profess to be HIPAA compliant - and we are confident that all of them want to be - we believe the spotlight, while it may initially feel harsh, will help raise the bar for compliance with the HIPAA Right of Access.

We are pleased to be able to recognize those providers whose response to patient record requests earned them 4 or 5 stars, because they got records to patients quickly, seamlessly, and in many cases, for free.

We are also doing our part to help providers get into compliance. In June and July, we hosted free webinars for health care providers on the Right of Access and plan to continue to host these webinars at least through the rest of the calendar year.

We also have offered to do provider-specific webinars to help train staff (again, at no cost other than the cost of any travel that is required) and to give providers assessments of whether their processes are in compliance with what HIPAA requires (for example, if they received a low score on the scorecard, have not yet been scored, or have survey results that indicate noncompliance).

We’re not just shining a light on noncompliance - we’re in this to help improve performance. We’re doing this even though these efforts are not just for the benefit of Ciitizen. If we can make the tide rise to lift all boats, we will have accomplished our mission.

-Deven McGraw