When McGraw joined technology startup Ciitizen two years ago, she realized the efforts by the Office for Civil Rights to educate patients and industry stakeholders about the "Right of Access" had done little to reduce friction for patients, McGraw wrote in a Ciitizen blog post.
But as Ciitizen—which helps patients collect and share their medical records digitally—started helping its initial beta users gather their medical records, the company encountered countless roadblocks, from providers refusing to accept requests by fax or email to others imposing fees that are not compliant with HIPAA, McGraw wrote. That experience was consistent with a 2018 study by Yale University researchers that found medical record release processes at many of the nation’s top hospitals were out of compliance with HIPAA.
So McGraw and her colleagues at Ciitizen decided to steal a page out of the playbook for healthcare quality measurement: They established a five-star rating system for providers based on patient record access.
"A significant strategy in improving quality involves measuring and publicly reporting on provider performance - by specific provider," McGraw said in the blog post, noting that before quality measurement initiatives most providers thought they were providing quality care.
The patient record scorecard rates providers, from one to five stars, based on how they responded to actual patient requests for their health records and whether they were in compliance with HIPAA Privacy Rule regulations and guidance on the Right of Access.
To date, the scorecard rates 51 providers by name on their performance in responding to genuine patient access requests.
Many of the low scorers are also some of the biggest names in healthcare. Mayo Clinic, Memorial Sloan Kettering Cancer Center, Stanford Health Care and Northwest Memorial Hospital all received one star on their scorecard.
The hospitals did not respond to a request for comment. FierceHealthcare will update this story with comments by organization officials when they respond.
According to Ciitizen, HIPAA-compliant components include accepting requests by email or fax, sending records in the format requested and to the requested designee, sending records in 30 days or less and not charging unreasonable fees.
Among the five-star providers are Boca Raton Regional Hospital (part of Baptist Health South Florida), Mayo Clinic-Arizona, UCSF Medical Center-Mission Bay and Shasta Regional Medical Center.
McGraw said the goal is not just to shine a light on noncompliance but to help improve performance.
"We recognize that providers may be unhappy about their potential noncompliance with HIPAA being under the spotlight. But because all providers routinely profess to be HIPAA compliant—and we are confident that all of them want to be—we believe the spotlight, while it may initially feel harsh, will help raise the bar for compliance with the HIPAA Right of Access," McGraw wrote.
The record requests were submitted by Ciitizen users, who asked that their medical records be sent in digital form to Ciitizen for uploading into their profiles.
Ciitizen says it plans to refresh the scorecard every few months based on the most recent record requests sent to a particular provider so improvement and consistency in good performance can be rewarded, and consistency in poor performance can also be brought to public attention.