In this week’s Ask Dr. Mingle, we’re providing an overview of cybersecurity, sharing some helpful cybersecurity resources, and explaining how to implement privacy and security policies in your organization.

Click play to listen to this week’s episode right now:

Questions and Answers in this Episode

This episode features two cybersecurity-related questions from Brian and Linda. Before we got into the questions, Dr. Dan Mingle had some general information on security, privacy, and cybersecurity that he wanted to share.

The information in the introduction helped us place the cybersecurity questions in the proper context. In his introduction, Dr. Mingle mentioned:

• In terms of HIPAA, privacy and security are two sides of the same coin. Think of a breach in privacy as the case-by-case individual instances of violating protocols protecting personal healthcare information. Security breaches, on the other hand, can be thought of as “mass casualty” events that go beyond individual healthcare information and potentially place large sets of healthcare information at risk.
• HIPAA is a compliance program, but it doesn’t behave like most compliance programs you’re used to. There are no random or routine audits of HIPAA. Compliance is incident-centric and based on complaints or reports of violations, and investigation of HIPAA violations may lead to civil and criminal consequences.
• In the MIPS program, the Promoting Interoperability category is an example of a more routine investigation of HIPAA compliance. Still, the Promoting Interoperability rules don’t offer much as far as enforcement goes.
  • Throughout the lifespan of Promoting Interoperability, we’ve all experienced one measure: the Annual Security Assessment. This measure is unscored, but if you don’t answer “Yes” – meaning that you’ve performed a security assessment in the past year – you won’t get a score for Promoting Interoperability.
• This year, there’s an addition to the measure: you are now required to read and attest to reading the High Priority Practices SAFER Guide – one of nine total SAFER Guides published by The Office of the National Coordinator for Health Information Technology.

With this background information on healthcare cybersecurity, we have a great starting place to get into this episode’s questions.

Linda Asks: “Do you have a repository of compliance forms that my organization can follow to help with our cybersecurity? I’m looking for things like Security Breach Incident Response Plans to satisfy an active cybersecurity insurance application.”

• Dr. Mingle explained that we don’t offer a repository of cybersecurity resources, but there are some great sources of information online.
• Searching online for a template Security Breach Incident Response Plan should help you find a starting point that you can tailor to your organization’s particular needs.
• You may also consider hiring a third party to help create custom plans and documents for your organization.
• You can find some great (and free) resources on this subject at www.healthit.gov, and The Security Risk Assessment Tool and the SAFER Guides are two great places to start.

Brian Asks: “I am the IT director in a mid-sized single-specialty practice with multiple locations. I’ve been assigned the task of implementing privacy and security policies. As a compliance requirement, shouldn’t our legal counsel take charge of this? I know I don’t have the authority, and I don’t feel like I have the expertise to implement and monitor the program.”

• Dr. Mingle mentioned that, in his experience, this responsibility usually falls to the IT Director.
• But, no matter who takes the lead on privacy and security policies, there are usually three critical roles needed in any plan:
  • A coordinating officer manages the effort of creating and maintaining the privacy and security documents your organization will follow.
  • A privacy officer who has a daily relationship with the employees of your organization and helps your team implement protocols and monitor potential privacy lapses.
  • A security officer responsible for technical maintenance related to privacy and security. These responsibilities could include network maintenance, password management, two-factor authentication, and encryption. This role is also responsible for complaints and reports of potential security lapses.
• In some rare cases, these three roles are the responsibility of one individual.
• Ultimately, your organization’s leadership team must take responsibility for these policies and protocols. The tasks and training required to keep these policies in place may fall to individuals, but your organizational leadership needs to create and ratify these policies.
• And finally, your organizational leadership and individual privacy and security officers will have ultimate responsibility for security, privacy, and cybersecurity policies, but adherence to your protocols will require a team effort. It would help if you considered this a continuing training program with everyone involved working to protect privacy, maintain security, and report any issues that may arise.

Send us your value-based care questions!

If you’d like to ask a question about MIPS, Primary Care First, ACO quality reporting, or any other Alternative Payment Model, you can reach out to us in three ways:

• You can leave your questions in a YouTube comment under any episode of Ask Dr. Mingle.
• On LinkedIn, leave your questions in a comment on any of our posts.
• And you can reach out directly by sending an email to hello@minglehealth.com. Please put Ask Dr. Mingle in the subject line when you submit your questions via email.

Want to learn more about the MIPS program in 2022?

Click the button below to access the recording of our latest webinar - "The Hardest Year Yet: Your MIPS Success in 2022" - where Dr. Dan Mingle provides an in-depth exploration of the MIPS program this year.

Access the Webinar Recording