"Compliance with HIPAA is voluntary, not mandatory" is something that many still believe about the healthcare privacy regulations. While this is completely incorrect under the law today, there is a good reason why some may still believe it. In this post, we will give a brief history of the HIPAA regulations, how they have changed, and what that means for the physician today. We will discuss how this myth survives and why believing it sets practices up for very expensive fines and potential lawsuits from patients. Read on so you aren't trapped by this myth in your own practice.
Compliance with HIPAA is voluntary, not mandatory?
HIPAA, the Healthcare Insurance Portability and Accountability Act, was signed into law in 1996. At that time, the law was more about making insurance portable so that when an employee left one company, they could maintain their insurance. It did have some language about patient privacy, but it was more focused on insurance portability.
It wasn't until 2003 that the HIPAA Privacy Rule came into being. During this time, compliance with HIPAA was voluntary, not mandatory. This was called voluntary compliance. However, in 2004, compliance with the HIPAA Privacy Rule became mandatory.
The HIPAA Security Rule came into effect and became mandatory in 2006.
The Breach Notification Rule became effective (and mandatory) in 2009.
During the period between 1996 and 2004, HIPAA was under voluntary compliance. This means that Covered Entities could decide whether they would follow the recommendations to protect patient privacy. This is where the myth that compliance with HIPAA is voluntary, not mandatory, came from. It was true, 15 years ago.
Does voluntary compliance exist today with HIPAA?
Voluntary compliance is no longer a component of, or an option for, HIPAA compliance. One reason the idea still exists today is the set of HIPAA Security Rule specifications that are called Addressable. Addressable means that Covered Entities and Business Associates have discretion in how they will handle those items, not that the items are optional. Addressable does not equal optional.
An example to help illustrate this point is car insurance. The government mandates that if you drive a car in the United States, you must have car insurance. However, it doesn't say what level of insurance you must carry (minimum coverage, full coverage, etc.), what company you buy it from, or how you purchase it. Those decisions are left to you, as long as you address the requirement of having car insurance.
HIPAA addressable requirements are the same. It’s up to you how you will address them, but they must be addressed.
HIPAA regulations and enforcement
In 2006, with the release of the Enforcement Rule, the Department of Health and Human Services was given the power to enforce HIPAA regulations and punish violations. Each year, the number of cases investigated and fines issued has increased.
In 2018, the total amount of fines issued was $28 million. This has quadrupled from just 3 years before.
HIPAA compliance and MIPS Attesting
Becoming HIPAA compliant is a challenge, especially for small practices. One area where this is especially true is attesting for meaningful use. Meaningful use has been replaced by MIPS Measures, which include the Advancing Care Information measure. To satisfy that measure, a security Risk Assessment must be performed by the practice. This is where HIPAA compliance and MIPS intersect: HIPAA also requires a Risk Assessment to be performed on a regular basis, or whenever something changes in your network environment.
If a practice were to attest that they had completed the necessary requirements for MIPS but had not performed a Risk Assessment, that could potentially be a fraudulent claim.
Compliance with HIPAA is mandatory and is also part of attesting for MIPS for practices.