Stanford Health Care

UCSF Medical Center – Mission Bay (UCSF Medical Center)

UCSF Benioff Children’s Hospital San Francisco (UCSF Medical Center)

UCSF Gynecology (UCSF Medical Center)

UCSF Center for Reproductive Health (UCSF Medical Center)

UCSF Helen Diller Comprehensive Cancer Center (UCSF Medical Center)

UCSF Medical Center – Parnassus (UCSF Medical Center)

OBGYN Partners for Health (Stanford Healthcare)

UCSF Medical Center – Mount Zion (UCSF Medical Center)

Mayo Clinic – Arizona (Mayo Clinic)

Mayo Clinic – Minnesota (Mayo Clinic)

Evanston Hospital (NorthShore University Health System)

Froedtert Hospital (Froedtert and Medical College of Wisconsin)

California Pacific Medical Center – California Campus (Sutter Health)

CPMC Imaging (Sutter Health)

One Medical

North Valley Breast Clinic (Dignity Health)

Cascade Family Medical Center

Patients’ Hospital of Redding

Mercy Medical Center – Redding (CommonSpirit Health)

Shasta Regional Medical Center

Baptist Hospital of Miami (Baptist Health South Florida)

South Miami Hospital (Baptist Health South Florida)

Eastside Radiation Oncology

Central Park Hematology and Oncology

Dr. Alysan Goldfarb

Providence Saint John’s Health Center (Providence Health & Services)

Boca Raton Regional Hospital (Baptist Health South Florida)

Memorial Sloan Kettering Cancer Center

Washington Hospital Healthcare System

Montefiore Hospital (Montefiore Health System)

Palo Alto Medical Foundation – Fremont Center (Sutter Health)

Palo Alto Medical Foundation – Dublin City Center (Sutter Health)

Northwestern Memorial Hospital (Northwestern Medicine)

UChicago Medicine (University of Chicago Medicine)

Rush University Medical Center

Scott Kramer MD

Hemant D Patel MD

Los Alamitos Medical Center

WellStar Kennestone Women’s Imaging Center (WellStar Health System)

Marietta OB/GYN Affiliates

Northwest Community Hospital (Northwest Community Healthcare)

Illinois Bone & Joint Institute

Scripps Green Hospital (Scripps Health)

Scripps Memorial Hospital Encinitas (Scripps Health)

Tri-City Medical Center

Mission Hospital (St. Joseph Health)

City of Hope Duarte Cancer Center

Billings Clinic (Mayo Clinic Care Network)

University Diagnostic Medical Imaging

University of Colorado Hospital

The Patient Record Scorecard

Showing medical record providers’ compliance with the HIPAA Right of Access based on patient requests.

Providers without a score:

View the HIPAA Right of Access Survey to see an indication of compliance.

What does it mean to be compliant with the HIPAA Right of Access?

Record requests must be accepted by email or fax.

Records must be sent in the format requested - if that format can be readily produced - and to the designated recipient.

Records must be sent within 30 days.

No unreasonable fees should be charged for records.

When you’re sick, and you’re frightened, and you’re fighting for your life, that is not the time to have trouble gathering your data.

Diagnosed with Ovarian Cancer, September 2, 2016

Patient Stories

"Getting my records was so difficult, it was easier to repeat the tests for every new provider I saw."


Diagnosed with breast cancer, May 16, 2016

"I am a cancer warrior, and data is one of my most powerful weapons."


Diagnosed with Ovarian Cancer, September 2, 2016

"I need to get my records in a timely fashion so I can go about planning my treatment path"


Metastatic breast cancer since March 2014

Highlighting Five-Star Providers

“One Medical showed incredible compassion in wanting to help their patients. Even though they generally send medical records by fax, they understood that electronic records are more helpful for second opinions and continuity of care, and sent records immediately through an encrypted portal.”

Nasha Fitter

Director of Health Records Service


“At first, Shasta Regional insisted the patient use their specific form to request medical records. We explained this puts undue burden on the patient. They then immediately accepted the patient’s form and went above and beyond to ensure records were released electronically, within five days.”

Nasha Fitter

Director of Health Records Service

The HIPAA Right of Access Webinar Series

Join Deven McGraw, Chief Regulatory Officer at Ciitizen, to discuss HIPAA Right of Access regulations, increased OCR enforcement, removing unnecessary friction, and putting patients first.

Sign up to receive information about:

Patient Record Scorecard updates, upcoming HIPAA Right of Access webinars, personalized webinars for your team, in-person feedback about improving your score, and more.

The Patient Record Scorecard Methodology

The Patient Record Scorecard grades health care providers on how well they comply with a patient’s request, under the HIPAA Privacy Rule, to get copies of their medical records. Although there are a number of state laws that set a higher bar for patient access to records, only compliance with the HIPAA Privacy Rule was evaluated.

The score, from 1 to 5 stars, is based on the response of health care providers to one or more actual records requests submitted by patients (the patients request that their information be sent directly to Ciitizen in order to be populated into their Ciitizen personal record accounts). Ciitizen supports these requests by following up with each provider to make sure they get fulfilled.

The goal of the Patient Record Scorecard is to encourage and guide every health care provider to ultimately reach and maintain five stars. 

How we reach the score

The star ratings are based on compliance with four key components of the HIPAA Right of Access:

Accepts requests by email or fax: Providers may not create a barrier to access by requiring patients to submit requests in person or by mail. (45 CFR 164.524(b)(1))

Sent in format requested to the patient’s designated recipient: The provider sends the records in the format the patient requests, which is digital form by email for text and CD for images, and sends them to the third party designated by the patient. (45 CFR 164.524(c)(2)(ii) & (c)(3)(ii))

Sent within 30 days*: The provider responds to the request within 30 days of receipt. (45 CFR 164.524(b)(2)(i))

*Providers can get credit for meeting the “within 30 days” component if within 30 days they provide a written statement of reasons for the delay and the date by which the records will be provided, and if the records are received within 60 days of receipt.

No unreasonable fees: Providers may only charge reasonable, cost-based (i.e., minimal) fees to cover labor costs of copying and supplies. (45 CFR 164.524(c)(4))

Star Ratings

One-Star - Non-HIPAA compliant

Providers get one star for accepting an access request from a patient by fax or e-mail. This means the provider at least has a HIPAA-compliant process in place for accepting patient record requests (for example, the patient is not asked to mail in a request or make the request in person).

Two-Stars - HIPAA compliant with substantial intervention

A provider earns two stars if they:

  • Meet all four of the HIPAA compliant components
  • Request had to be escalated more than once to a supervisor or the provider’s privacy official to ensure it was fulfilled in compliance with HIPAA. The need for intervention puts undue burden on the patient.

Three-Stars - HIPAA compliant with minimal intervention

A provider earns three stars if they:

  • Meet all four of the HIPAA compliant components
  • Request required only one escalation to a supervisor or chief privacy officer, to educate them and bring to their attention that staff were not meeting HIPAA requirements.

Four-Stars - HIPAA compliant with seamless process

A provider earns four stars if they:

  • Meet all of the HIPAA-compliant components
  • Request was processed seamlessly (i.e. without the need for any additional escalations to supervisors or privacy officials).

Five-Stars - HIPAA compliant and patient focused

Providers who earn five stars go above and beyond to put patients first by doing the following:

  • Send records in five days or less
  • Accept external request forms (i.e., not requiring that patients use a specific form)
  • Provide patients their records for free

For those health care providers where more than one request was submitted, the score reflects the provider’s performance based on the most recent records request. The Scorecard will be revised every three to six months to include new entries and updated scores from existing providers.

Five-Star Providers



  • Boca Raton Regional Hospital (Baptist Health South Florida)
  • Central Park Hematology and Oncology
  • Eastside Radiation Oncology
  • Marietta OB/GYN Affiliates
  • Mayo Clinic – Arizona (Mayo Clinic)
  • One Medical
  • Scott Kramer MD
  • Shasta Regional Medical Center
  • UCSF Medical Center – Mission Bay (UCSF Medical Center)