Today we launched an initiative aimed at eliminating the friction that too many patients face when trying to get their health records. It’s called the Patient Record Scorecard — and in it we have scored, from 1–5 stars, how healthcare providers responded to actual patient requests for their health records. But before I give you more details on the Scorecard, I want to explain why we decided to take this step.

During my tenure as Deputy Director for Health Information Privacy at the HHS Office for Civil Rights (OCR), OCR issued comprehensive guidance on the right of individuals to access…

This post is part of the Health Care Blog series “The Health Data Goldilocks Dilemma: Privacy? Sharing? Both?


In our initial blog post of February 20th, “For Your Radar — Huge Implications for Healthcare in Pending Privacy Legislation,” we broadly discussed six key issues for healthcare stakeholders in the potential federal privacy and data protection legislation. We committed to future posts comparing and contrasting specific legislative proposals.

What’s happened since then?

Additional bills have been introduced and hearings have been held in both the House and the Senate. The Federal Trade Commission (FTC) also hosted two days of hearings on the FTC’s Approach to Consumer Privacy.

The buzz around federal privacy legislation…

On June 1, 2019, the Biden Cancer Initiative announced the launch of a collaborative effort to create an Oncology Clinical Trial Information Commons (OCTIC). The vision of the OCTIC is a shared platform where all information about oncology clinical trials can be stored and accessed, which will enable patients to be more accurately matched to clinical trials that have the potential to save or extend their lives, or that provide treatment that more closely matches their goals.

In launching this initiative, Martin Naley — the Biden Cancer Initiative’s Program Lead for Clinical Trials Association — told a story about Melissa…

HIPAA Right of Access 101 webinar -Ciitizen

For nearly a year I have been posting about the core elements of the HIPAA Privacy Rule’s right of individuals to access and receive copies of all of their of their health information.

We’ve also been posting about Ciitizen’s experience in helping our users leverage this HIPAA right to get all of their health information. There are some exceptions, but in general this experience has been characterized by multiple phone calls per request, long hold times, refusals to send records digitally, resistance to sending records to the patient’s designee, and high fees.

But by far, the most frustrating aspect of…

Since I became the Chief Regulatory Officer at Ciitizen, I’ve been posting a lot on our blog, The Voice of Ciitizens.

It’s been a great platform that helped put Ciitizen on the map for many people, but now we’ve moved my voice here — to a bigger stage — with one main goal: to help patients get their health records.

This has always been my passion — helping patients exercise their right under HIPAA to obtain copies of their medical records. It’s what brought me to Ciitizen. …

UdeMNouvelles — Université de Montréal

Last year, when we first began helping cancer patients collect their medical records, I had a conversation with the wife of a cancer patient to gage her interest in having her husband’s cancer records.

He was just getting ready to begin chemotherapy for liver cancer, and she was coordinating his care. I asked if she was interested in having us help gather his medical records.

Her initial reaction was lukewarm. He was getting care “at the good local hospital” where he had been diagnosed, and where they had both received care in the past, she said. This hospital’s electronic medical…

And the answer is …… 329!

For just 95 records requests it took 329 calls to get to someone who would agree to send the records the patients were requesting. And 128 of these calls were escalations to privacy officers.

If you think that this was because we were dealing with very small doctors’ offices or medical centers in remote areas, think again. In fact, of the 27 institutions to whom record requests were sent, only four were small physician offices, and none were in remote areas.

As Deven pointed out in her 4/9 post, this averages out to nearly…

Under the HIPAA Privacy Rule, covered entities — including hospitals, doctors, and health plans — must have processes in place to assure that individuals can exercise their rights, including the HIPAA Right of Access. We first blogged about this obligation back on February 12th .

When we first started sending patient requests for their records, we painstakingly looked up the process for each institution and medical practice, followed their instructions to the letter, and set ourselves a reminder for when the request was close to approaching the 30 day deadline.

We learned a lot that first month.

As we got…

I sincerely hope that everyone on this planet has read and imbibed Deven’s post Empowering Patients: Know your rights!

Her valuable HIPAA lesson will help you fully understand your rights as a patient to better navigate the roadblocks that often stand between you and your health data. Even with this information the road is often difficult, but that shouldn’t come as any great surprise to anyone who has been following our posts for some months now.

Because of the difficulties patients often face when requesting their records, some patients will seek help from others. As an example, Ciitizen is the…

Deven McGraw, Voice of Ciitizen

Former Deputy Dir. for Health Information Privacy at the Office for Civil Rights of the U.S. Dept. of Health and Human Services. Enforcer of HIPAA rights.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store