David Holtzman

About David Holtzman

Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.

Death, Taxes … and Breach Reporting

It is said that the only two certainties in life are death and taxes. If you are a HIPAA covered entity, you can add reporting breaches of unsecured protected health information (PHI) to the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). For breaches involving less than 500 individuals, the Breach Notification Rule requires a covered entity to submit information to HHS at least annually through OCR’s breach reporting portal on the HHS website.

February 14th, 2017|

OCR Penalizes Health System for Multiple HIPAA Violations

On February 1, 2017, OCR announced that it levied a $3.2 million civil money penalty against Children’s Medical Center of Dallas (Children’s). The enforcement action ends a nearly six-year long investigation into Children’s health information privacy and security practices.

February 2nd, 2017|

OCR Issues Guidance Emphasizing Importance of Audit Controls

OCR recently published its January Cyber Awareness Newsletter that provides guidance on how organizations should comply with the audit controls standard. The HIPAA Security Rule (45 CFR 164.312(b)) requires a covered entity or business associate is required to implement hardware, software, and/or procedural mechanisms that record and examine activity in electronic information systems that contain or use electronic protected health information.

January 16th, 2017|

UMass HIPAA Settlement is a Clarion Call to Colleges and Universities

The University of Massachusetts at Amherst (UMass) agreed to a settlement with the Office for Civil Rights (OCR) over allegations that it had violated the HIPAA Privacy and Security Rules after a 2013 incident that resulted in the unauthorized disclosure of patient information of 1,670 individuals. The settlement includes a $650,000 penalty and a two-year corrective action plan.

November 23rd, 2016|

OCR Plans to Expand Compliance Reviews of Small Healthcare Breaches

The Office for Civil Rights (OCR) of the Department of Health and Human Services has announced a new initiative, expanding review and investigations into the causes of breaches that affect fewer than 500 people. There were 232,000 breaches of PHI affecting fewer than 500 individuals reported to OCR by covered entities and business associates between October 2009 and June 2016.

August 24th, 2016|

Handling Multiple Requests From OCR Audit Program

Last week OCR reported that it had faced challenges in identifying and selecting a diverse pool of organizations to participate in the Phase 2 HIPAA Audit Program. In an effort to expand the roster of covered entity candidates, OCR sent up to 10,000 emails to prospective covered entities in a single “e-mail blast” asking for recipients to confirm if the recipient was associated with an organization that was a HIPAA covered entity, and to provide the contact information for appropriate HIPAA privacy and security officials.

May 25th, 2016|

CMS Proposed MIPS/MACRA Would Have Little Impact on Privacy & Security

The Centers for Medicare & Medicaid Services (CMS) is proposing changes to how the Medicare program provides incentives and bonuses that could be paid to physicians and other clinicians beginning in 2017. The changes are being proposed to implement mandates set by Congress in the 2015 legislation known at the “Doc Fix” that eliminated the annual Medicare Sustained Growth Rate (SGR) payment adjustments and sunsetting financial penalties for clinicians not meeting Meaningful Use requirements after 2018.

May 2nd, 2016|

OCR Surveying Covered Entities for Participation in HIPAA Audit Program

The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is moving steadily forward to auditing covered entities and business associates. In the last few days the agency has distributed surveys to identify covered entities that will make up a pool of potential audit targets, released a new audit protocol substantially expanding the scope and criteria of what is subject to review, and described how it will collect information about business associates from covered entities.

April 5th, 2016|

OCR Phase 2 Audit Program Underway

The US Department of Health and Human Services, Office for Civil Rights (OCR) announced Monday that it has started Phase 2 of the HIPAA Audit Program that will lead to hundreds of reviews of covered entities and business associates. Over the next seven months OCR will be conducting limited scope desk audits of about 200 covered entities (CE) and business associates (BA). The agency said that it will also perform 24 on-site, comprehensive audits.

March 22nd, 2016|

Trio of New Guidance Documents From HHS Marks New Attention to HIPAA & e-PHI

HHS Releases New Guidance on Releasing PHI to Health Information Exchanges & CMS Extends Deadline for Filing 2015 Meaningful Use Attestation The Department of Health and Human Services (HHS) released new regulatory guidance in the form of facts sheets designed to demonstrate how the HIPAA Privacy Rule permits the sharing of Protected Health Information (PHI) in Health Information Exchange (HIE). Separately, the department’s Office for Civil Rights (OCR) opened a new front on its efforts to promote health information privacy and security through helping healthcare industry stakeholders with advisory materials to educate developers of software applications that handle sensitive consumer information popular and how the HIPAA Rules might apply to scenarios in which they are used.

February 15th, 2016|