The Patient Record Scorecard

A deep analysis showing how medical record providers comply with the HIPAA Right of Access based on patient requests.

Scorecard reflects responses to patient requests for access from 2/10/19 – 2/13/20. Scoring is ongoing.
Contact us about your institution’s score.

Columns: Health Institution | Reported As Of | Score

Score legend (one to five stars):
  • Non-HIPAA compliant
  • HIPAA compliant, substantial intervention
  • HIPAA compliant, minimal intervention
  • HIPAA compliant, seamless process
  • HIPAA compliant, patient focused

  • Witham Health Services – 2605 N Lebanon St, Lebanon, IN
  • Women Partners in OB/GYN – 502 Madison Oak Drive, #440, San Antonio, TX
  • Women’s Care of the Bluegrass – 279 Kings Daughters Dr #301, Frankfort, KY
  • Women’s Wellness: Charlton – 9 Trolley Crossing Road, Charlton, MA
  • Wyoming County Community Hospital – 400 North Main Street, Warsaw, NY
  • Yale New Haven Health System – 267 Grant St, Bridgeport, CT
  • Yavapai Regional Medical Center-West – 1003 Willow Creek Rd, Prescott, AZ
  • Your Family Practice – 2051 Evergreen Ln d, Show Low, AZ
  • Zuckerberg San Francisco General Hospital – 1001 Potrero Ave, San Francisco, CA


The Patient Record Scorecard Methodology

The Patient Record Scorecard grades health care providers on how well they comply with a patient’s request, under the HIPAA Privacy Rule, to get copies of their medical records. Although there are a number of state laws that set a higher bar for patient access to records, only compliance with the HIPAA Privacy Rule was evaluated.

The score – between 1 and 5 stars – is based on the response of health care providers to one or more actual records requests submitted by patients (the patients request that their information be sent to their Ciitizen personal health record accounts). Ciitizen helps these patients by following up with each provider to make sure the patients’ requests get fulfilled.

The goal of the Patient Record Scorecard is to encourage and guide every health care provider to ultimately reach and maintain five stars.

How we reach the score

The star ratings are based on compliance with four key components of the HIPAA Right of Access:

Accepts requests by email or fax: Providers may not create a barrier to access by requiring patients to submit requests in person or by mail. (45 CFR 164.524(b)(1))

Sent in format requested: The provider sends the records in the format the patient requests; for these requests that is digital (including by email) for text and CD for images. (45 CFR 164.524(c)(2)(ii))

Sent within 30 days*: The provider responds to the request within 30 days of receipt. (45 CFR 164.524(b)(2)(i))

*Providers can get credit for meeting the “within 30 days” component if within 30 days they provide a written statement of reasons for the delay and the date by which the records will be provided, and if the records are received within 60 days of receipt.

No unreasonable fees: Providers may only charge reasonable, cost-based (i.e., minimal) fees to cover labor costs of copying and supplies. (45 CFR 164.524(c)(4))

Star Ratings

One-Star - Non-HIPAA compliant

Providers get one star for accepting an access request from a patient by fax or e-mail. This means the provider at least has a HIPAA-compliant process in place for accepting patient record requests (for example, the patient is not asked to mail in a request or make the request in person).

Two-Stars - HIPAA compliant with substantial intervention

A provider earns two stars if they:

  • Meet all four of the HIPAA-compliant components
  • The request had to be escalated more than once to a supervisor or the provider’s privacy official to ensure it was fulfilled in compliance with HIPAA. The need for repeated intervention puts an undue burden on the patient.

Three-Stars - HIPAA compliant with minimal intervention

A provider earns three stars if they:

  • Meet all four of the HIPAA-compliant components
  • The request required only one escalation to a supervisor or chief privacy officer to bring to their attention, and educate them, that staff were not meeting HIPAA requirements.

Four-Stars - HIPAA compliant with seamless process

A provider earns four stars if they:

  • Meet all four of the HIPAA-compliant components
  • The request was processed seamlessly (i.e., without the need for any escalation to supervisors or privacy officials).

Five-Stars - HIPAA compliant and patient focused

Providers who earn five stars go above and beyond to put patients first by doing the following:

  • Send records in five days or less
  • Accept external request forms (i.e., not requiring that patients use a specific form)
  • Provide patients their records for free

For those health care providers where more than one request was submitted, the score reflects the provider’s performance based on the most recent records request. The Scorecard will be revised every three to six months to include new entries and updated scores from existing providers.