CHICAGO -- Almost every breach case that Health and Human Services investigates begins with a hospital having failed to perform a risk analysis, according to Deven McGraw, deputy director for health information privacy for the HHS Office for Civil Rights.

It follows that they then failed to identify and manage risk or, in many instances, conducted a risk analysis that indicated what needed to be done but then left it sitting on a shelf gathering dust.

“We come in and you’re not under suspicion of anything wrong, just show us all your policies and procedures so we can give you a report card of where you are from a compliance standpoint,” McGraw said at the Allscripts user conference in Chicago on Wednesday. “It’s not intended to be punitive. But an audit can turn into a compliance review, the more robust enforcement pathway, if we see something in the audit that raises significant concern.”


McGraw pointed to common mistakes that can turn an audit into a compliance review, including not having clear business associate agreements in place and failing to report a breach within 60 days of discovery, as well as the aforementioned lack of risk analysis and subsequent action.

Between September 2009 and June 2017, healthcare organizations reported 1,982 large breaches of protected health information to the federal government, and the number of individuals affected by breaches is approaching 200 million, McGraw added.

“A lot of times we hear about organizations that go overboard with BA agreements with everyone that interacts with them,” she said. “But more often than not what we see is the failure to get business associate agreements with entities that clearly are business associates.”


McGraw also reminded attendees about the details of reporting a breach: a breach must be reported as soon as possible and no later than 60 days after it is discovered. She pointed out that the HIPAA rule stresses "as soon as possible," and that the 60-day limit is an outer bound, not a window organizations may wait out.

“You can be in violation of HIPAA rules if you are sitting on your notification, waiting for those 60 days,” she said. “It’s not great to have to let people know of a breach, but it is without unreasonable delay.”

Complaints by individuals can trigger an investigation by the OCR. The office has had just shy of 160,000 complaints since 2009.


“We expect to receive 17,000 complaints this year,” McGraw said. “But about 50 percent of the complaints are non-jurisdictional, they have a beef with the federal government and we are the only open portal they can find.”

A complaint could potentially trigger an audit. The purpose of an audit is to allow OCR to take a look at what a healthcare organization is doing from a compliance perspective, outside the context of a formal investigation.

The surest way to go from an audit to an enforcement review is not to respond to an audit notification, McGraw warned healthcare organizations.

“We do expect people to cooperate with the audit program,” she said. “In 95 percent of the cases people have cooperated. We will finish 167 desk audits by the end of the year and release a report with the results of the desk audits next year.”

In most cases, entities are able to demonstrate satisfactory compliance through voluntary cooperation, perhaps with a few suggestions from OCR for corrective action.

“We did not find anything, we write a little note, it goes up on the web site, and you are good to go,” McGraw said. “Maybe you need to improve upon a couple of things, and that becomes the closure letter. And then there are the cases of systemic non-compliance. And so far to date we have had 49 settlement agreements that included detailed corrective action plans and monetary settlement amounts.”

Twitter: @SiwickiHealthIT

Email the writer: bill.siwicki@himssmedia.com