JamesLHollyMD.com

	James L. Holly, M.D.

About SETMA Joint Commission Contact Information History Mission Statement Medical Home Scope of Services I-CARE Initiative Infusion Center The SETMA Way - What is it? SETMA's Model of Care Patient-Centered Medical Home The SETMA Approach to Patient Care	In The News Letters Vital Signs - Examiner Publication SETMA's Providers as of January, 2015 SETMA Knows - Abraham Lincoln and Healthcare Analytics SETMA – 1999 – Four Seminal Events PC-PCC Award January, 2015 Vital Signs Spring 2015 Vital Signs Q&A for PC-PCC Award Links to SETMA 2012 eHealth Innovator Award for LESS initiative Handout for Attendees eHealth Conference January 12, 2012 eHealth Initiative 2012 Award Program Application The eHealth Initiative's 2012 Award Letter 2012 National Quality Forum National Healthcare Improvement Award Effective prioritization of performance improvement goals Dashboard to Measure and Manage Whole System Performance Commitment to transparency Date-driven improvement of NQS priorities Demonstration of readiness to assume responsibilities of an ACO Demonstrated results on publicly reported performance measures Public Reporting Quality Metrics for 2009, 2010, 2011 Internally Tracked Reporting Quality Metrics for 2009, 2010, 2011 Complete Application in PDF Format SETMA's Medical Home Pilgrimage 2009 Medical Home Series I 2010 Medical Home Series II 2011 Medical Home Series Two 2009, 2010, 2011 Medical Home Miscellaneous Articles The Dr. and Mrs. James L. Holly Distinguished Professorship Universal American Letter of Transmittal for Support Dr. Holly's Acceptance Address for the 2012 Distinguished Alumnus Award CMS Medical Home Feedback Report Qualify & Cost SETMA questions Influenza Data SETMA I - October 2011 SETMA II - October 2011 Mark A. Wilson Clinic SETMA West - October 2011 SETMA and Fox 4 News - Healthy Living Videos SETMA Advertisements - Display and Video SETMA Announcements Featured Content Archive	Syllabus PC-MH Externship SETMA's MS4 Patient-Center Medical Home Selective Syllabus Introduction to SETMA's Senior Externship and Syllabus An Introduction to the Origins and Beginnings of Southeast Texas Medical Associates, LLP Patient-Centered Communication PC-MH Health Affairs August 15, 2013 Policy Brief -- Health Gap SETMA 8.20.13 Provider Training -- Health Affairs 2.14.13 -- Patient Engagement SETMA Provider Training 8.20.13 during First Senior Medical Student PC-MH Externship Medical Home Coordination Review Tutorial 2011 Medical Home Series Two Teaching Tool for PC-MH Course - Patient Care Activation, Engagement, Shared-Decision Making	Patient Information What Does Patient-Centered Medical Home Mean to You? What Does Patient-Centered Medical Home Mean to You? Health information exchange Patient Rights and Responsibilities Patient Directions Contact SETMA – Secure Texting What is HIPAA? Authorization To Release or Obtain Medical Records Complete Privacy Policy Website Privacy Policy	Presentations Invited Presentations SETMA Provider Training
Governance Board Governance Board Responsibilities Governance Board Leadership Training The SETMA Team and The SETMA Culture SETMA's Mission, Vision and Goals: Patient Safety and Quality Care Harassment, Neglect, Abuse, Exploitation - Role of HCAHPS & CAHPS Healthcare Provider Standards Providers Responsibility Medication Refills, Reconciliation and Maintenance Provider and Leadership Use of Data and Analytics Commitment To All Patients -- Ethnic Disparities Kaizen - Board Creates Culture of Safety and Quality SETMA's Policy and Practice for Advanced Directives SETMA's Policy on Completion of Medical Records Care Guidelines : Improve processes to evaluate and treat Integrated patient safety program (Sentinel Events) Effectively Manages all programs, services or sites Provides Patients with information about Primary-care Medical Home Organization-wide Planning to Maintain Focus on safety and quality Organization-wide Planning to Maintain Focus on safety and quality SETMA's Performance Quality & Safety Judged by CMS SETMA's Performance Quality & Safety Judged by CMS SETMA Awarded by HIMSS for Quality and Safety 2011 John M. Eisenberg Patient Safety and Quality Awards Application Healthcare Quality Award 2012 Principles of Quality and Metrics Principles Contacting SETMA & Secure Texting PC-MH Mission, Vision, Goal, Access, End-of-Life Communications and Public Reporting Change Existing Processes to Improve Performance Team Members Focused on Safety and Quality	Your Life Your Health View Articles by Subject Aging Well Behavioral Health Cardiovascular Disease Risk Care Coordination Care Transitions Children's Health COGNOS Project Diabetes Exercise Healthcare Reform:Public Policy HIPAA & Security Labor Day Less Initiative Medical Home Medical Records Men's Health Mental Health Nutraceuticals Nutrition Smoking Cessation Thanksgiving Weight Management Women's Health All Articles	Public Reporting Public Reports by Year (2009-2017) Public Reports by Type Fall Risk, Pain, Functional, Wellness, Stress Assessment Fall Risk, Pain, Functional, Wellness, Stress Assessment for 2011 AND 2012 Core Measures: SETMA & Baptist Hospital Core Measures for January to December 2011 PQRS Diabetes Measures - Blood Pressure Diabetes Measures - Glyco and LDL Diabetes Measures - Nephropathy Screening, Foot Exam, and Eye Exam Preventive Measures - Screening (BMI, Colorectal Cancer, Mammography, Osteoporosis) Preventive Measures - Influenza, Pneumococcal, Urinary Incontinence Preventive Measures - Tobacco Use NQF Care for Older Adults Comprehensive CHF Care Diabetes Measures Diabetes Measures - Blood Pressure Control Diabetes Measures - Glyco and LDL Diabetes Measures - Smoking Cessation Female Measures General Health Measures Medication Measures Persistent Medications Medication Measures Pediatric Measures HEDIS (NCQA) Effectiveness of Acute Care Effectiveness of Chronic Care - Clinic/Hospital Effectiveness of Chronic Care - Clinic Only Effectiveness of Chronic Care - Diabetes (Smoking Cessation) Effectiveness of Chronic Care - Diabetes (Glyco and LDL) Effectiveness of Chronic Care - Diabetes (Blood Pressure Control) Effectiveness of Preventive Care Effectiveness of Preventive Care - Older Adults Effectiveness of Chronic Care - Diabetes Measures Effectiveness of Chronic Care - Persistent Medications (MPM) NCQA Diabetes Recognition Program Audit LESS Initiative PCPI PCPI Hypertension PCPI Diabetes PCPI Chronic Stable Angina PCPI Care Transitions PCPI CHF PCPI Weight Management PCPI CKD Stages IV V SETMA Lipid Audit Lipids Treatment Audit Tutorial Lipids Tutorial AQA COGNOS Project SETMA Audit for CKD Stages I III Patient Satisfaction Survey	Accreditations/Awards Achievements which have Advanced SETMA: The Time-line, Philosophy and Principles which Underlie that Advancement Awards	Diabetes Center of Excellence Education Diabetes Order Referral Form Seven Stations 2011 Advances in Diabetes Diabetes Tutorial Diabetes Prevention
EPM Tools Association of Medication and Diagnosis Automated Team Function Behavioral Health Adult Weight Management Tutorial Annual Questionnaires: Fall, Functional, Pain, Stress, Wellness Behavioral Health in SETMA's Patient-Centered Medical Home Model of Care Depression Tutorial Fall Risk Tutorial Health Insurance Portability and Accountability Act (HIPAA) Privacy Tutorial Intensive Behavioral Therapy (IBT) Obesity and Cardiovascular Disease Medicare Preventive LESS Initiative Tutorial Medical Home Transtheoretical Model Assessment Stages of Change Tutorial Pain Management Tutorial Reduction of Antipsychotic Medications Toolkit Smoking Cessation Tutorial Stratifying End-of-Life Risk for Hospice Services Tutorial Chronic Conditions Tutorial Chronic Renal Disease Management Tool Tutorial Calculating the Stages of Renal Disease Proteinuria Disease Management Tools Acute Coronary Syndrome Tutorial Adult Weight Management Tutorial Angina Tutorial Cardiometabolic Risk Syndrome Tutorial Chronic Renal Disease Tutorial Congestive Heart Failure Tutorial Diabetes Tutorial Hypertension Tutorial Lipids Tutorial Lipid Quality Audit Tutorial Primary Pulmonary Hypertension Tutorial Framingham Cardiovascular Risk Cardiometabolic Risk Assessment Framingham Heart Study Risk Calculators Tutorial Frederickson Classification of Dyslipidemia LDL Level Lipid Disease Management Risk Assessment General principles about ICD-9 Codes and HCC/RxHCC Codes Charge Posting Tutorial Coding to Ensure Accurate Health Risk Scoring E & M Codes Tutorial HCC & RxHCC Risk HCC/RxHCC Risk Tutorial ICD-9 Code Training Manual Hepatitis Screening Hospital Based Tools Hospital Care Summary and Post Hospital Plan of Care and Treatment Plan Tutorial Admission Orders Tutorial Daily Progress Notes Tutorial Care Transition Data Set from PCPI Tutorial Using The Clinic and Hospital Follow-up Call Templates Respiratory Failure Tutorial Hospital Consumer Assessment of Healthcare Providers and Systems (HCAHPS): Tutorial for SETMA's Internal HCAHPS Survey Master GP Suite of Templates Master GP Suite of Templates Tutorial Medical Home Support Materials Department of Care Coordination, Director of Care Coordination and Care Coordination Referral Template Electronic Tickler File Electronic Tickler File Tutorial Follow-up Calls Intensive Behavioral Therapy (IBT) Obesity and Cardiovascular Disease Medicare Preventive Services Medical Home Coordination Review Tutorial Medical Home Plan of Care and Treatment Plan Medical Home Transtheoretical Model Assessment Stages of Change Tutorial Patient-Centered Medical Home Annual Questionnaires Patient-Centered Medical Home: SETMA's Medical Home Coordination Review (MHCR) Tutorial Patient Document for Coordination of Care Transitions of Care Management Coding (TCM Code) Tutorial Merit-Based Incentive Payment System (MIPS) Quality Metric Tool Tutorial Nursing Home Depression Tutorial Fall Risk Tutorial Hydration Assessment Tutorial Nursing Home Guidelines for Care Tutorial Nursing Home Principal Suite of Templates Nutrition Assessment Tutorial Reduction of Antipsychotic Medications Toolkit Skin Care Tutorial Outpatient Infusion Center for Intravenous Antibiotic Therapy and Other Meds Preventive Health Tools Adult Weight Management Tutorial CHF Exercise Tutorial Diabetic Exercise Tutorial Diabetes Prevention Tutorial Exercise Prescription Tutorial Hypertension Prevention Tutorial Intensive Behavioral Therapy (IBT) Obesity and Cardiovascular Disease Medicare Preventive Initial Preventive Physical Exam & Annual Wellness Visit Tutorial LESS Initiative Tutorial Progression to Type 2 Diabetes Smoking Cessation Tutorial Progression to Type 2 Diabetes Quality Metrics ACO and Medicare Advantage Stars HEDIS: NCQA, History, Quality, Safety, STARS, ACO ACO Quality Measures Performance Tool ACO Quality Measures Performance Tool Tutorial STARs - A Tutorial for Utilizing SETMA's Deployment of the STARS MA Program Specialized Tools Annual Questionnaires: Fall, Functional, Pain, Stress, Wellness Association of Medication & Diagnosis Chronic Conditions Tutorial Chronic Care Management Code (CCM) Tutorial Depression Tutorial Drug Interactions Tutorial Electronic Tickler File Tutorial Evaluation Lower Urinary Tract Symptoms in the Male Fall Risk Tutorial Future Labs Tutorial Hydration Assessment Tutorial HCC Risk Training Tool Hypertension: Fulfilling Quality Metrics for the PCPI Program Laboratory Results - Signing Off: Why and How Medication Module Tutorial Medication Reconciliation Tutorial Nutrition Tutorial Pain Management Tutorial Problem List Reconciliation Tutorial Progression to Type 2 Diabetes Referral Skin Care Tutorial SOAAP Opioid Risk Assessment Stratifying End-of-Life Risk for Hospice Services Tutorial Texas State Reportable Infectious Diseases Tutorial Transitions of Care Management Coding (TCM Code) Tutorial	Transforming Your Practice Library Introduction to SETMA's TCPI Library Transforming Your Practice (TCPI) Summary Document of TCPI CMS Quality 12.2015 TCPI Leadership and Governance Care Coordination HIPPA and Security Data Analytics Care Transitions LESS Initiative Medical Records Clinical Decision Support Hospital Care Tools Disease Management Tools Preventive Health Tools Behavioral Health Transformation Tools New Transformation Tools Patient-Centric Care Nursing Home Medical Home Display and Explanation of SETMA's Patient-Centered Medical Home Tools	Medical Home The Story and the Ideals Introduction to Preventive Health Tools PC-MH Patient Engagement & Alternative Payment Models Preventive Care: The Best Way to Treat Illness is Don’t Get it Coordination of Care Patient-Centric Care Population Health Transition of Care - One form of Care Coordination HCAHPS - Hospital Consumer Assessment Of Healthcare Providers and Systems CAHPS - Consumer Assessment of Health Care Provider and Systems Teaching Tool for PC-MH Course – Patient Care Activation, Engagement, Shared-Decision Making Display & Explanation of PC-MH Tools SETMA's Medical Home Pilgrimage Concierge Medicine not Medical Home Medical Neighborhood Security & HIPPA Referrals Patient Web Portal Health Information Exchange Medication Reconciliation The Automated Team Coordination of Care Medical Home Description & Standards AAAHC Joint Commission NCQA Planetree URAC NCQA Interview February 14, 2014	Facebook	Letters

Your Life Your Health - Is Your SETMA Medical Record Secure?: Part II

James L. Holly,M.D.

October 04, 2012

Your Life Your Health - The Examiner

This is the second in a two-part series about SETMA’s electronic medical record security program. The first part was published September 27, 2012.

Scanning our System

The complexity of SETMA’s systems requires that we depend on software produced by many different companies, like Microsoft Windows, Microsoft SQL, Microsoft Exchange, Adobe Reader, Adober Flash, Java, Cisco IOS, etc. Each of these products is used heavily in the IT industry. Keeping systems updated with the latest patches and firmware is critical but challenging. However, not doing it also increases the opportunity for data breeches, or for inappropriate access. It would take numerous employees to keep checking our system to make sure there are no security risks or updates we have overlooked. But, the problem created by technology, i.e., security can also be solved by technology.

SETMA has incorporated a device in our system which at regular intervals scans our system. This product is named Nexpose by Rapid7 and is considered the enterprise leader in vulnerability management and penetration testing. It continually looks at all software in our system. It regularly sends a report to SETMA’s CIO about new versions or upgrades of the software that we use. It tells the CIO that SETMA is on one version and another is available. Included in that report, is an assessment of the value of the upgrade and the security risk of not upgrading to the new version. The risk is graded as moderate, severe and critical.

Since deploying this tool, SETMA has found almost 9,000 such security risks which were vulnerable to attack. Most of these were because outside entities we interact with do not keep their systems updated. In order to allow our systems to work together, we had to leave our systems on older software. SETMA’s CIO was instructed by the SETMA Partners to secure our systems regardless of whether or not it broke our ability to interact with others. The others would either be forced to upgrade their systems, or we would find other vendors to replace them, i.e., vendors that properly secured their systems. Within one 27-hour weekend period, SETMA’s IT department reduced the almost 9000 vulnerabilities to just under 2000. Within the next week, the vulnerabilities were down to 1100. That accounts for 87% of the vulnerabilities being eliminated in only one week. SETMA IT Department is actively addressing the remaining issues and expects to have them to zero within the next four weeks. Going forward, the scanning system will alert us to new issues which will be able to be remedied immediately.

Plugging and Playing

With multiple locations and hundreds of secure devises being used by SETMA, another significant risk to our security was the potential for an employee or someone else bringing an external device, such as a laptop, and plugging it into our system. Regardless of the intent, whether innocent or criminal, this presents a great risk to our systems. The risk could be a virus getting into our system, or someone trying to steal data. By upgrading our switches to state-of-the-art Cisco switches, we are now able to identify “unapproved” devices and refuse them access to our network.

Log of Activity

With a paper medical record, there is no way to know who has looked at the record. Maybe with finger printing it could be done but that is unreliable and expensive. With a robust EHR however, it is possible to know everyone who has looked at, accessed or entered data into a chart. With SETMA’s state-of-the-art EHR, an electronic log is kept of all activities related to a patient’s record. In the past several years, SETMA had occasion to need to know if a particular record had been inappropriately accessed by another person. This issue is so important that even as the CEO of SETMA, I do not look at any medical record unless I am involved in the patient’s care or unless I have a specific, legal need to do so. In fact, we are so serious about this issue that typically, even when there is a legitimate need to know something about a record, if that need is not involving patient-care or safety, that chart is not looked at without legal counsel and direction from counsel. In the case above, it was reassuring to discover that no one had looked at or accessed that chart inappropriately.

Now, SETMA is upgrading that ability. While various parts of our system created a log of activity, we did not have a cumulative log over our entire system. In our security analysis, we discovered that that was a HIPAA requirement and we are remedying that. Henceforth, if a patient raised a question or any other legitimate authority raised a question about access to any health information, SETMA will be able to comply with that legitimate and legal question via a log which contains information on all access and activity from all devices about a particular patient.

E-mail Security

Because we live in an electronic age, electronic communication is important. Where it is important to share patient information which is compliant with HIPAA, the connection between both ends of the communication must be encrypted. It is not feasible to encrypt traditional email between SETMA and the thousands of patients we serve. This is why we have partnered with our EHR vendor to offer NextMD to our patients. NextMD is a secure web portal that allows patients and SETMA providers to communicate securely.

Email continues though to present a security risk by employees accidentally sending emails out that might have protected health information (PHI) in them. SETMA has implemented Cisco’s Ironport product that provides data loss prevention (DLP) technology. All outgoing e-mail is scanned for prohibited information. For instance, if an e-mail includes a patient’s social security number or other confidential information, that e-mail is prohibited from being sent.

Minimum Necessary Access

One of HIPAA’s primary requirements is that “minimum necessary access” to patient information be established so that a specific employee can do his/her job without having access to patient information which is not required for the performance of that job.. All of SETMA’s employees do not need to have the same access, or perhaps any access to all to SETMA’s patient records. Therefore, SETMA’s executive staff reviewed the responsibilities of each employee and has set up their account in SETMA’s system to allow access only to what they need. This is also true of external organizations which have a HIPAA-compliant need to know information and which have an encrypted access to our system; their access is limited only to that which they need in order to serve our mutual patients’ needs and interests.

Back up of all of SETMA’s system and information

Another aspect of security relates to what happens if SETMA’s systems are destroyed by fire or natural disaster. SETMA has state-of-the-art, encrypted, digital tape backup of ALL SETMA system information, as well as the integration of the various parts of our system. Daily a copy of that tape is taken off premise and monthly a copy is placed in a safety deposit box in a local bank.

If a medical practice using paper records is destroyed, the records are lost. Most practices have insurance which will pay $5,000 for record restoration. When SETMA integrated five medical practices at its founding the paper products to create a new charting system – this was before electronic record – cost $20,000. You can see how inadequate the insurance is for record restoration, even if you could find copies of the information.

For SETMA, we have in place a “disaster recovery plan” so that all of SETMA’s systems and information can be restored within a few days, even if our IT Department and server room were totally destroyed.

HIPPA Policies and Standards

SETMA’s Information Technology Department has developed and established comprehensive policies and standards by which to guide the department and all of SETMA in the maintenance of HIPAA Compliant, secure and confidential medical records and medical information in an electronic environment. Security and compliance is not just the responsibility of SETMA’s IT Department but includes all departments and providers. There are several dozen such policies and standards. SETMA has introduced all of SETMA’s staff and providers to these policies and each staff member and provider has signed a compliance agreement document which affirms their understanding of the policy and their pledge to be guided by it and to comply with it.

Policy

“ This policy is established to ensure all SETMA facilities, practices and personnel: Comply with federal HIPAA privacy and security regulations; adopt and enforce appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of protected health information (PHI); Safeguard confidential information from unauthorized access and use; and Maintain the confidentiality, availability and integrity of electronic information assets for which SETMA is the custodian according to SETMA Policies and Standards.”

Each policy and standard has a “scope” which relates to the specific issue addressed by the particular policy. The intent of each policy is stated in the “policy section” of each of the policies and standards:

“The Health Insurance Portability and Accountability Act (HIPAA) is a federal law. As part of compliance with HIPAA regulations, SETMA has defined policies and procedures for handling the privacy and security of health information. Information assets are valuable, and thus their integrity, availability, and confidentiality are essential to the business and to the patients we serve. Information assets shall be protected commensurate with their defined value, risk, and legal requirements.

“All SETMA facilities must apply prudent measures to protect the confidentiality, availability, and integrity of electronic information assets. In addition to implementing the SETMA information security policies and standards, each facility must implement and oversee procedures to support the SETMA Information Security Program and to comply with applicable federal and state regulations. Facilities in states with additional requirements must gain SETMA Corporate assistance to implement policies that address state-specific requirements.

“Information Security Program Elements

“The SETMA Information Security Program consists of policies, procedures and standards provided by the Corporate Information Technology Department. Each SETMA facility will implement the Corporate Information Security Program and any additional facility-specific information security procedures necessary to support compliance with applicable federal and state requirements.”

SETMA Policies include an explanation of the penalty for non-compliance. This section of the policy manual addresses:

Compliance Violations

“Suspected violations of this policy must be handled in accordance with this policy, the SETMA Code of Conduct, and with SETMA Compliance Policies. Each facility must implement and enforce the SETMA process for promptly reporting violations. Violations must be reported to the Facility Security Officer, Facility Privacy Officer and the Corporate Security Officer, as warranted. (See policy on Security Incident Reporting and Response).
Policy Exceptions

“The Chief Information Officer (CIO) approves information security governance processes and exceptions. Exception approval is based upon risk management reflecting appropriate, reasonable, and effective information security measures for a given situation.
Security Program Policies and Standards

“Refer to the currently-approved list of SETMA security policies and standards. These policies and standards will be reviewed and updated at least annually.”

Conclusion

This is only a summary of SETMA’s security systems. It lets everyone know we are serious about the safety and security of our patients’ health information. And, it suggests that security is not a point you reach but it is a mind-set which drives SETMA to continually find new and better ways to secure our systems.

As the article from twelve years ago, so this article is co-authored by SETMA’s CEO and CIO. The collaboration between clinicians, technologists and administration creates a strong environment for excellence in SETMA. These are exciting days in healthcare. Technology helps us do a better job, but ultimately it is about persons – real people – and these tools only allows us to treat people with respect, with compassion and with excellence.

About SETMA	In The News	Syllabus PC-MH Externship	Patient Information	Presentations
Governance Board	Your Life Your Health	Public Reporting	Accreditations/Awards	Diabetes Center of Excellence
EPM Tools	Transforming Your Practice Library	Medical Home	I-CARE Initiative	NextMD