Ciitizen has released the third version of its Patient Record Scorecard, evaluating compliance of 820 health care providers with the right under the HIPAA Privacy Rule for individuals to access and receive copies of their health information (the HIPAA Right of Access). As has always been the case for the Scorecard, the providers range from solo physician practices to community hospitals and integrated delivery systems.
This version of the Scorecard suggests significant improvement in provider compliance with the HIPAA Right of Access. Top line results:
- Percentage of providers noncompliant (or needing significant help to get compliant) has dropped from 51% to 27%, a dramatic improvement.
- Percentage of providers receiving the highest score – going above and beyond what HIPAA requires – went up from 20% to 28%.
- Percentage of providers giving seamless access to records or going above and beyond what HIPAA requires increased from 40% to 67%.
Wowza! Before we dive into some of these numbers in more detail, a bit of history on the Scorecard.
Ciitizen released the first ever version of the Patient Record Scorecard on August 14, 2019, evaluating the performance of 51 health care providers in response to HIPAA requests for records submitted by Ciitizen users. On November 12, we released Version II, which had a total of 210 providers (including latest scores from the 51 providers in Version I). This scorecard includes the latest scores on a total of 820 providers (including the 210 from the prior versions).
Each provider is scored from 1-5 stars based on how they responded to the latest request from a Ciitizen user. (See box for refresher on the Scorecard methodology.) Version III reflects performance of providers between February 10, 2019 and February 13, 2020.
Why are we doing this? We continue to publish the Scorecard to improve compliance with the HIPAA Right of Access – not just for Ciitizen users but for all patients. We have gone about this effort in a systematic way, including publishing a paper in medRxiv with the results of prior versions of the Scorecard and a survey of nearly 3000 hospitals and health care systems on how they respond to patient access requests. The impact of the Scorecard was the cover story in the March 2020 issue of For the Record, a publication for health information management professionals. We are also pleased to share that an abstract based on the original Scorecard findings was peer-reviewed and accepted to be presented at the annual conference of the International Society for Pharmacoeconomics and Outcomes Research (ISPOR). An abstract based upon that presentation will be published in May 2020 in the scientific journal Value in Health, and we will share a link to that abstract as soon as it is published.
Of note: because the results for Version III are dramatically improved from the prior versions, we consider the published paper to be final, representing a snapshot in time with respect to compliance with the HIPAA Right of Access. We anticipate publishing a second paper on Scorecard results in 2020 before the end of this year. We plan to continue to refresh the Scorecard periodically through 2020.
The Details of Scorecard Version III
In prior versions of the Scorecard, a majority of providers – 51% – were out of compliance with the Right of Access. We included providers with two stars as noncompliant, assuming they achieved compliance only because we escalated the patient requests two or more times to supervisors or privacy officials in order to get them fulfilled in compliance with HIPAA (in other words, we concluded they would have been out of compliance without our educating or at least reminding supervisors and compliance officials – two or more times – on what HIPAA requires). In version III, this number dropped significantly to 27%.
This is very good news – and it gets even better. The percentage of providers receiving 5 stars for going above and beyond HIPAA in responding to a patient request increased from 20% to 28%. Further, the percentage of providers at the top tier of the Scorecard – receiving scores of 4 (seamless processing of requests) or 5 went from 40% to 67%. This is worth repeating: Nearly two thirds of a sample of 820 providers processed patient requests without hassle or went beyond what HIPAA requires.
On top of that, only 6% of providers on the Scorecard charged any fees to Ciitizen patient users. In addition, nearly all providers accepted patient written requests without requiring the patient to complete a particular form. This is not insignificant, as patients frequently need to gather records from multiple providers, so easy pathways to make record requests help reduce obstacles to patients trying to get their records.
Why did the scores improve so dramatically? We acknowledge that the small sample sizes in the earlier versions impacted the strength of the conclusions we could draw from the results. In contrast, Version III includes a much larger sample size, which may paint a more accurate picture of provider compliance. However, the percent noncompliant in those earlier versions of the Scorecard matched the percent potentially noncompliant based on or survey of nearly 3000 providers – and this suggests Version III reflects actual improvement in patient access. Multiple factors could be combining to help drive improvements:
- Greater emphasis on the right of individuals to access their health information due to long-pending (and now final) rules from the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS) that will make it easier for individuals to access their health information;
- Greater enforcement by the OCR of the HIPAA Right of Access; and
- The positive influence of vendors (often called “release of information” or ROI vendors) who help their provider clients comply with HIPAA Right of Access obligations and who often take steps to make sure patients seeking their health information have a smooth pathway for obtaining these records.
We hope that this Scorecard also has played a role in helping to raise awareness of the challenges patients too often face in obtaining their health information. We have some concerns that the improvement reflects better treatment of Ciitizen users (given the Scorecard) and not necessarily improved performance for patient access requests overall. We invite patients whose experiences are not consistent with a particular provider’s score to reach out to us.
Still Room for Improvement
Notwithstanding the good news above, there is still significant room for improvement in the right of access. Still over a quarter of providers are either noncompliant or struggle to be compliant. Failure to send records in the form and format requested by the patient (as long as that form/format is readily producible) is still the biggest reason for noncompliance. In scorecard version III, 65% of noncompliant providers failed to send records in the form & format requested, as compared to 86% in previous Scorecard versions (improving, but not as much as we would like). More specifically, providers decline to honor a patient’s request to receive information by unsecure e-mail (even when the requester acknowledges and accepts the risk of unsecure e-mail).
“Form and format” is an aspect of the law that can be very important to patients, who often can’t accept a fax or CD or for whom encrypting data could create a barrier, because the encryption can “stick” to the data and the password typically will expire within 30 days (or less). OCR’s guidance emphasizes that patients can choose convenience over security in getting their records, and providers (or their vendors) who ignore this aspect of a patient’s request are placing obstacles in the path of patients exercising their HIPAA Right of Access.
The number of providers missing the 30-day deadline for return of records increased. The percentage of providers who were noncompliant because of failure to send records within 30 days (and failure to send notice within the first 30 days of rationale for delay and estimate of when records would be provided) jumped up, from 20% of noncompliant providers in Scorecard Version II to 46% in Version III. For the first 51 providers in the Scorecard, we had staff time to contact medical records offices multiple times to assure all requests were fulfilled within 30 days. But with the increase in Ciitizen users, and subsequent increase in requests for records, we are making fewer “nudge” calls. Consequently the number of providers who are noncompliant due to failure to meet the 30-day deadline has been increasing.
Phone calls to supervisors and privacy officials on HIPAA requirements are still needed. For 9% of compliant providers in Scorecard Version III, one or more phone calls to medical records office supervisors or privacy officials were necessary in order to get a patient’s record request processed in compliance with HIPAA.
Change in Scores – and Scorecard Methodology – due to Federal District Court Ruling
On January 23, 2020 a federal District Court judge issued an opinion regarding the fees that can be charged when individuals seek to have copies of their health information sent directly to third parties, such as attorneys and insurance companies. In response to this opinion, HHS issued a statement making clear that individuals still have the right to get low-cost copies of their health information for themselves.
Because of uncertainty regarding the reach of this court ruling, for this version of the Scorecard we refrained from judging whether fees charged to Ciitizen users are “compliant” with HIPAA. Instead, the Scorecard just reports any fees that are charged to Ciitizen users. Because only 6% of providers charged any fees, this amount is reported just as part of each provider’s individual score. This decision not to “score” providers based on fees resulted in three providers who had previously received a score of 1 on prior versions of the Scorecard being re-calibrated; each now has a score indicating compliance with the Right of Access.
We are committed to continuing to release an updated Patient Record Scorecard again in 2020, so stay tuned for more. We will continue to conduct free webinars to educate providers on the HIPAA Right of Access requirements, and we remain hopeful that the trend will continue and scores will improve even more in Version IV.