Keeping Tabs on Right of Access
By Elizabeth S. Goar
For The Record
Vol. 32 No. 2 P. 10
As a patient, would you like to know a health care organization’s track record of meeting medical record requests? An organization dubbed Ciitizen is doing the grunt work to provide such info.
When the Office for Civil Rights (OCR) in September 2019 levied an $85,000 fine against Bayfront Health St. Petersburg in Florida for failing to provide a mother with timely access to medical records about her unborn child, it sent a very clear message that its HIPAA Right of Access Initiative has teeth. Bayfront was the first health care organization snared by the effort, launched in early 2019, that promised vigorous enforcement of patients’ rights to receive copies of their medical records promptly and affordably.
“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino in a press release announcing the fine. “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”
It took an investigation by OCR prompted by the mother’s complaint for Bayfront to finally release the records—nine months after the initial request. HIPAA rules generally require that medical records be provided within 30 days of the initial request, and limit charges to a reasonable cost-based fee. The right to access extends to parents seeking information about minor children, including mothers requesting prenatal health records.
The Right of Access Initiative gave rise to the idea of scoring hospitals on how well they comply with HIPAA rules, which quickly morphed into The Patient Record Scorecard from Ciitizen, a company helping patients digitally collect, summarize, and share their medical records.
“When I was at OCR as deputy director, we had done a lot of work on providing guidance on right of individuals to access their health information, which we put out in 2016. I thought when I got to Ciitizen, where our goal is to enable users to have all their medical information at their fingertips, we could rely on the HIPAA Right of Access,” says Deven McGraw, JD, chief regulatory officer for Ciitizen. “I thought we had all this guidance out there, so it shouldn’t be difficult to get records. I was so wrong.”
The Patient Record Scorecard assigns a score of between one and five stars based on how well a health care organization complies with the HIPAA Right of Access Rules when a patient requests his or her medical records. Scores are based on providers’ responses to actual record requests submitted by Ciitizen on behalf of its users.
Patients request that their records be sent directly to Ciitizen, where the information is used to populate personal record accounts. Ciitizen follows up with each provider to make sure the patients’ requests are fulfilled.
“Nobody was publicly reporting on how well providers are complying or not complying with Right of Access. Why not be more public about the experience of getting records? [Typically,] what gets measured and publicly reported tends to get improved,” McGraw says.
The star ratings are based on compliance with the following four key components of the HIPAA Right of Access Rules:
• requests are accepted by e-mail or fax;
• records are sent in the format requested (when readily producible);
• records are sent within 30 days, or, if a written statement of the reasons for the delay and the date by which the records will be provided is sent within 30 days, the records are received within 60 days of receipt of the request; and
• any fees charged to fulfill the request are not unreasonable.
A single star means the only criterion met by that provider is accepting an access request from a patient by fax or e-mail. Two stars means HIPAA compliance was achieved only with substantial intervention, meaning the provider met all four criteria but only after the request was escalated more than once to a supervisor or the organization’s privacy official. Three stars represents compliance with minimal intervention—only one escalation was necessary.
Organizations that achieve four stars are HIPAA compliant with seamless processes. In other words, they met all four criteria without the need for any escalations. Five-star organizations are both compliant and patient focused, meaning they sent records in five days or less, accepted external request forms, and provided records at no cost.
Boca Raton Regional Hospital was one of the organizations that achieved a five-star rating on the latest scorecard. Chana Feinberg, RHIA, director of HIM and clinical documentation improvement, notes the transparency around the Patient’s Right to Access Rules afforded by the scorecard is important for its role in demonstrating to patients the significance the facility places on ensuring they can easily access the information they need, when they need it.
“It helps patients understand and know that we value their rights—that their right to access is very important to us and we hold it very high in terms of patient satisfaction as well as from the clinical perspective,” she says. “We understand the impact that [access to their records] may have on their overall care.”
The first scorecard, which was published in August 2019, encompassed 51 providers that were on the receiving end of requests from Ciitizen’s customers, who are cancer patients often in active treatment. The second edition, issued in November, featured 210 providers. Hospitals and physician practices are notified of their scores before the scorecard is published and are invited to reach out to Ciitizen to discuss the findings.
Because detailed notes are taken around each request scored, Ciitizen is able to provide in-depth information on the patient, request date, individual who handled the request, dates of follow-up calls, and other key factors. For facilities with low scores, the information provided by Ciitizen can identify where additional training might be needed or where processes need to be improved to achieve compliance.
“We are seeing some improvement and that’s exciting because I’d much prefer to help [providers] improve before OCR comes knocking on their doors. We’re trying to raise consciousness and put this as a priority with compliance officials. They have a lot on their plates, and this has been on the bottom for too long,” McGraw says.
It’s not just providers that can benefit from the information gleaned from the scorecard. McGraw hopes patients will use the tool to understand their rights, especially when they receive pushback in response to requests.
“Hopefully they won’t just decide not to submit a request,” she says. “Maybe they will point to the scorecard and say, ‘I see you didn’t do so well, but here’s my request and I think you can do it in a HIPAA-compliant way.’”
Clarity and Consistency
While it’s difficult to argue with the goals of the scorecard—to encourage and guide health care providers to ultimately reach and maintain five stars—that doesn’t mean it has been embraced by the industry with open arms. One point of contention is the fact that the facilities are being scored on a single request.
It’s something that Ciitizen is comfortable doing, according to McGraw, because “The OCR could launch an investigation and penalties based on one patient. They do it now … it doesn’t matter if five other patient requests received great service. The expectation is that you comply with HIPAA based on every single request. It’s not an average. We’re looking for consistency in behavior, so if your last request was a four, we would expect your next request to be a four or five.”
However, Deborah Hsieh, chief policy and strategy officer with Ciox Health, which provides outsourced HIM services including release of information (ROI), notes that basing a score on a single request means the sample size is, in effect, one. There is a real risk that the public will be confused if a provider’s score varies widely because it is based on the last interaction, she notes.
“We support efforts to increase patient awareness of their health data access and privacy rights and especially the lack thereof when they grant permissions to organizations that are not covered entities or business associates,” Hsieh says. “At the same time, we are cautious when private sector entities take on the responsibility of evaluating compliance with federal privacy law. While we support transparency and agree that covered entities should fully meet the standards as set in law providing patients with access to their data, it is apparent from patient comments on the scorecard that the scorecard is creating confusion between HIPAA compliance and customer service standards.
“We want to be sure that patients understand the difference, as customer service standards may vary across providers while HIPAA compliance is a uniform standard that carries significant federal penalties and should not vary across providers,” Hsieh adds.
With or without a scorecard, Hsieh says Ciox continues to work on developing new processes and technologies to continue improving patient access to their medical records. She points to the company’s HealthSource platform and electronic request portals as examples of innovations in response to demands to give patients more options on how to request and receive records.
“We are hopeful increased attention reinforces the critical need for public awareness about health data rights and helps patients make informed choices in granting permissions to their health information,” Hsieh says. “We continue to focus on complying fully with federal guidelines and connecting health care decision makers with the clinical data and hidden insights contained in patient medical records so that they can deliver greater outcomes at lower costs.”
The Association of Health Information Outsourcing Services (AHIOS) is concerned about the motives whenever “any data aggregator who seeks PHI [protected health information] as part of their business model” is involved. That’s according to AHIOS President Carlos A. Rodriguez, MBA, who spoke on behalf of the organization’s membership comprising more than 20 HIM outsourcing vendors. He notes that while the association “embraces wholeheartedly any effort to increase transparency and continue to empower the patient,” tracking compliance with the Right to Access Rule is best left in the hands of a neutral third party.
“We believe this metric should be tracked by the government or a neutral third party, not by a data aggregator in the business of commercializing PHI,” Rodriguez says, adding that AHIOS believes that “utilizing OCR’s existing mechanism to investigate any complaint by a patient or patient representative concerning access, timing, or the form of receipt of a medical records request is a more appropriate way to collect and report on this information.”
McGraw disputes the categorization of Ciitizen as a data aggregator. While she understands AHIOS’s concerns about third-party aggregators, she asserts that services such as Ciitizen that are hired by patients do not fall within that category. McGraw says Ciitizen gathers information only at a patient’s request and only to populate that patient’s personal health record (PHR).
“As for whether a neutral third party would be a better evaluator for the right of access, I think it would be great if a neutral third party or even the government took this on,” she says. “No one was doing it; we had firsthand information about how these requests were frequently being handled, and we were willing to put time and resources into developing and publishing it.”
McGraw encourages others to talk about their records retrieval/collection experience “because all of our voices can help move the needle.” As an example, she points to Twitter user @TheLizArmy, who posted the responses she received from three California hospitals when she requested her medical records, complete with screenshots.
Meanwhile, AHIOS believes it is too early to determine whether the Ciitizen scorecard is having an effect on the industry. According to Rodriguez, “ROI outsourcing companies are governed by our business associate agreements with our health care partners, as well as HIPAA and Right of Access rules, not third-party scorecards that monetize PHI. We will continue to act in compliance with the law and our legal responsibilities.”
Education and Awareness
It’s safe to say that the entire industry agrees that providers need to get ready for the future of ROI—and they need to help their patients do the same.
“The ongoing push for transparency, including efforts like the scorecard, is just one reason why health care providers must adjust their approach to health information management and prepare for increased digital and third-party requests for health data,” Hsieh says. “Providers should understand that patients have a very low awareness of their health data access and privacy rights and need help being educated so they can make informed decisions in sharing their health data.”
Whether it’s due to the scorecard or OCR actions, the industry is waking up to the issues surrounding ROI and patient rights, McGraw says. And not a moment too soon, as the growing proliferation of patient portals and other technologies increasingly automates information requests.
“The law requires [providers] to make dramatic improvements [in ROI]. Whether it makes sense financially or not doesn’t matter. It’s cheaper to improve your processes than it is to pay a fine to OCR in the long run. It’s also a hit to your reputation to be noncompliant,” McGraw says. “Providers want their reputation to be ‘we care about the patient and put the patient first.’ Well, delivering good care is part of that equation, as is providing patients with good service.”
Adds Feinberg, “There are pros and cons to any type of scorecard based on their statistical significance. But the pros of [the current scorecard] are that it’s helping patients to know and understand their rights—and transparency is always very helpful.”
— Elizabeth S. Goar is a freelance writer based in Wisconsin.