"Patients need their records, and it shouldn't be hard to get them," says Deven McGraw, chief regulatory officer at Ciitizen, a startup founded in 2017 that develops tools to help patients access, manage and share their medical records.

There's a reason Ciitizen has a market for its services. Because, unfortunately, "the majority of medical record providers are not compliant" with the HIPAA Privacy Rule's right of access provisions, according to the company.

This past summer, Ciitizen launched its Patient Record Scorecard, which assesses providers nationwide and assigns them a score – one to five stars – on how well they complied with patients rights under that access rule.

Before joining the startup, McGraw served as Deputy Director for Health Information Privacy at the HHS Office for Civil Rights. (She also did a stint as acting chief privacy officer at the Office of the National Coordinator for Health IT.)

During her time at OCR, the office issued a "comprehensive guidance on the right of individuals to access, and obtain a copy of their health information," McGraw explained in an August blog post. "I knew before I came to OCR that individuals had struggled to get their health information, and that noncompliance with the Right of Access was widespread. I was proud that we issued this guidance and thought it would make a difference for patients."

After joining Ciitizen, she said, "I was confident we could help our users gather their health information with little (if any) friction. Boy, was I wrong."

Among the many hurdles standing between patients and their lawful rights to timely access to their own data: records not sent within the required 30-day period, or not shared in the digital format requested; some records are sent directly to the patient, rather than their preferred third-party designee.

Some providers will not send images, and others don't accept requests by email or fax, as required. Still others charge patients inflated rates for their own data, far and above HIPAA's allowance for a "reasonable, cost-based" fee.

Those who still put up roadblocks to patient access should note the case of one Florida hospital, which was in September was required to pay OCR $85,000 to settle the first enforcement action related to HIPAA's right of access provision.

Moving from noncompliant to 'patient focused'

This week, Ciitizen released a new version of the scorecard, which includes updated scores for the first round of graded providers, plus an assessment of 150 new ones – bringing the total to 210 providers, scored between February and September of 2019.

The star ratings are labeled accordingly:                   

1. Non-HIPAA compliant
2. HIPAA compliant: Substantial intervention
3. HIPAA compliant: Minimal intervention                   
4. HIPAA compliant: Seamless process
5. HIPAA compliant: Patient focused

The scores are "based on the response of healthcare providers to one or more actual records requests submitted by patients (the patients request that their information be sent directly to Ciitizen in order to be populated into their Ciitizen personal record accounts)," according to the company's methodology.

In a blog post, the company unpacked some of the findings. While more than half (51%) of the providers it scored are still non-compliant with HIPAA Right of Access – or else needed "significant intervention to become compliant," the good news is that then number of health systems "providing access or exceeding HIPAA’s requirements appears to be increasing."

Its data shows that the number of providers "delivering seamless access to patient records" increased from 30% to 40%. But big challenges still exist, notably that too many providers still fail to send records in the form and format requested by the patient, and the fact, says Ciitizen, that "when we decreased follow-up calls to medical records departments, it took them longer, often over the 30 day HIPAA limit, to send records."

As CMS and ONC push for more seamless patient access with their soon-to-be-finalized interoperability rules, clearly many organizations have some catching up to do.

Going forward, the company says it plans to revise the scorecard every three to six months to include new entries and updated scores from existing providers, and will continue to publish all results to allow for review and comment prior to submission to a peer reviewed journal.