David Holtzman

About David Holtzman

Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.

What Does a Cybersecurity Workforce Look Like?

There is consensus agreement that threats that exploit vulnerabilities in the health care cyberinfrastructure grow and evolve at a breakneck pace. Organizations that take a holistic view in developing a flexible approach to understand, manage and reduce its cybersecurity risk, will be in a better position to defend their enterprise from attack.

August 17th, 2017|

OCR Enforcement Actions: Prioritize HIPAA Security & Vendor Management Requirements

Thus far in 2017, the Office for Civil Rights (OCR) has announced that they have negotiated settlements or levied penalties in seven cases that have resulted in covered entities and business associates paying over $14.3 million. In all but one of these cases, organizations have also been saddled with multi-year corrective action plans in which HHS will exercise oversight of their compliance with the HIPAA standards. At this pace, OCR will eclipse its record-setting performance of 2016 in which there were 13 formal enforcement actions that had covered entities and business associates paying $23.5 million in fines and penalties for HIPAA violations.

May 9th, 2017|

Organizations Subject to HIPAA Get a Pass from New Mexico Breach Notification Law

Earlier this month, New Mexico became the forty-eighth state to enact a data breach notification law. Only Alabama and South Dakota remain without such requirements. The Data Breach Notification Act goes into effect on July 1, 2017. Organizations that are subject to the requirements of the HIPAA breach notification standards are exempt from the statute.

April 20th, 2017|

CMS Proposes EHR Incentive Program Changes and Affirms Stage 3 Effective in 2018

CynergisTek is alerting you to a number of changes the Centers for Medicare & Medicaid Services (CMS) is proposing to the requirements of the EHR Incentive Program that would apply to the program in either 2017 or 2018. The changes to the EHR Incentive Program, which would primarily apply to hospitals, are contained in a proposed rule, Medicare Program: Hospital Inpatient Prospective Payment Systems for Acute Care Hospitals and the Long Term Care Hospital Prospective Payment System and Proposed Policy Changes and Fiscal Year 2018 Rates, which is due to be published in the Federal Register on April 28th. The publication of the 2015 MU proposed rule in the Federal Register will start the customary 60-day public comment period which would be scheduled to end June 27, 2017.

April 18th, 2017|

Death, Taxes … and Breach Reporting

It is said that the only two certainties in life are death and taxes. If you are a HIPAA covered entity, you can add reporting breaches of unsecured protected health information (PHI) to the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). For breaches involving less than 500 individuals, the Breach Notification Rule requires a covered entity to submit information to HHS at least annually through OCR’s breach reporting portal on the HHS website. For the 2016 calendar year the deadline for reporting breaches affecting fewer than 500 individuals is March 1, 2017.

February 14th, 2017|

OCR Penalizes Health System for Multiple HIPAA Violations

On February 1, 2017, OCR announced that it levied a $3.2 million civil money penalty against Children’s Medical Center of Dallas (Children’s). The enforcement action ends a nearly six-year long investigation into Children’s health information privacy and security practices.

February 2nd, 2017|

OCR Issues Guidance Emphasizing Importance of Audit Controls

OCR recently published its January Cyber Awareness Newsletter that provides guidance on how organizations should comply with the audit controls standard. The HIPAA Security Rule (45 CFR 164.312(b)) requires a covered entity or business associate is required to implement hardware, software, and/or procedural mechanisms that record and examine activity in electronic information systems that contain or use electronic protected health information.

January 16th, 2017|

UMass HIPAA Settlement is a Clarion Call to Colleges and Universities

The University of Massachusetts at Amherst (UMass) agreed to a settlement with the Office for Civil Rights (OCR) over allegations that it had violated the HIPAA Privacy and Security Rules after a 2013 incident that resulted in the unauthorized disclosure of patient information of 1,670 individuals. The settlement includes a $650,000 penalty and a two-year corrective action plan.

November 23rd, 2016|

OCR Plans to Expand Compliance Reviews of Small Healthcare Breaches

The Office for Civil Rights (OCR) of the Department of Health and Human Services has announced a new initiative, expanding review and investigations into the causes of breaches that affect fewer than 500 people. There were 232,000 breaches of PHI affecting fewer than 500 individuals reported to OCR by covered entities and business associates between October 2009 and June 2016.

August 24th, 2016|