Have you ever wondered what exactly triggers a breach case investigated by Health and Human Services? While a number of things may contribute to an investigation, according to Deven McGraw, deputy director for health information privacy at the HHS Office for Civil Rights, nearly every breach case investigated by the department stems from a hospital failing to perform a risk analysis. An article on Healthcare IT News takes a closer look at the insight provided by McGraw.
At the recent Allscripts user conference in Chicago, McGraw explained that the OCR generally enters an office for an audit with no suspicion of wrongdoing. The goal of the audit is typically to review policies and procedures and give the office a report card that evaluates its current standing in terms of compliance. McGraw also mentioned that if there is significant concern following an audit, a compliance review may follow.
What are some common mistakes that turn audits into compliance reviews?
According to McGraw, failure to have clear business associate agreements in place, failure to report a breach within 60 days of it being discovered and failure to conduct a risk analysis and act on the findings are all common mistakes that may lead to a compliance review. McGraw also warns that failure to respond to an audit notification will surely result in an enforcement review.
“A lot of times we hear about organizations that go overboard with BA agreements with everyone that interacts with them,” she said. “But more often than not what we see is the failure to get business associate agreements with entities that clearly are business associates.”
While reminding conference attendees of the importance of reporting a breach, McGraw pointed out that breaches should be reported as soon as possible, as the HIPAA rule strongly stresses this requirement. Breaches need to be reported within 60 days of their discovery, which, McGraw reminded them, is not an optional window.
“You can be in violation of HIPAA rules if you are sitting on your notification, waiting for those 60 days,” she said. “It’s not great to have to let people know of a breach, but it is without unreasonable delay.”
McGraw also informed attendees that OCR’s purpose in performing audits is to assess how well health organizations are carrying out their compliance measures. She also explained that organizations are expected to cooperate with audits, which happens 95% of the time. Entities can typically show they have satisfactory compliance measures in place, sometimes receiving a few corrective action items to improve on.
“We did not find anything, we write a little note, it goes up on the web site, and you are good to go,” McGraw said. “Maybe you need to improve upon a couple of things, and that becomes the closer letter. And then there are the cases of systemic non-compliance. And so far to date we have had 49 settlement agreements that included detailed correction action plans and monetary settlement amounts.”