David Holtzman

About David Holtzman

Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.

Organizations Subject to HIPAA Get a Pass from New Mexico Breach Notification Law

Earlier this month, New Mexico became the forty-eighth state to enact a data breach notification law. Only Alabama and South Dakota remain without such requirements. The Data Breach Notification Act goes into effect on July 1, 2017. Organizations that are subject to the requirements of the HIPAA breach notification standards are exempt from the statute.

April 20th, 2017

CMS Proposes EHR Incentive Program Changes and Affirms Stage 3 Effective in 2018

CynergisTek is alerting you to a number of changes the Centers for Medicare & Medicaid Services (CMS) is proposing to the requirements of the EHR Incentive Program that would apply to the program in either 2017 or 2018. The changes to the EHR Incentive Program, which would primarily apply to hospitals, are contained in a proposed rule, Medicare Program: Hospital Inpatient Prospective Payment Systems for Acute Care Hospitals and the Long Term Care Hospital Prospective Payment System and Proposed Policy Changes and Fiscal Year 2018 Rates, which is due to be published in the Federal Register on April 28th. The publication of the 2015 MU proposed rule in the Federal Register will start the customary 60-day public comment period which would be scheduled to end June 27, 2017.

April 18th, 2017

Death, Taxes … and Breach Reporting

It is said that the only two certainties in life are death and taxes. If you are a HIPAA covered entity, you can add a third: reporting breaches of unsecured protected health information (PHI) to the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). For breaches involving fewer than 500 individuals, the Breach Notification Rule requires a covered entity to submit information to HHS at least annually through OCR’s breach reporting portal on the HHS website. For the 2016 calendar year, the deadline for reporting breaches affecting fewer than 500 individuals is March 1, 2017.

February 14th, 2017

OCR Penalizes Health System for Multiple HIPAA Violations

On February 1, 2017, OCR announced that it levied a $3.2 million civil money penalty against Children’s Medical Center of Dallas (Children’s). The enforcement action ends a nearly six-year long investigation into Children’s health information privacy and security practices.

February 2nd, 2017

OCR Issues Guidance Emphasizing Importance of Audit Controls

OCR recently published its January Cyber Awareness Newsletter, which provides guidance on how organizations should comply with the audit controls standard. The HIPAA Security Rule (45 CFR 164.312(b)) requires a covered entity or business associate to implement hardware, software, and/or procedural mechanisms that record and examine activity in electronic information systems that contain or use electronic protected health information.

January 16th, 2017

UMass HIPAA Settlement is a Clarion Call to Colleges and Universities

The University of Massachusetts at Amherst (UMass) agreed to a settlement with the Office for Civil Rights (OCR) over allegations that it had violated the HIPAA Privacy and Security Rules after a 2013 incident that resulted in the unauthorized disclosure of patient information of 1,670 individuals. The settlement includes a $650,000 penalty and a two-year corrective action plan.

November 23rd, 2016

OCR Plans to Expand Compliance Reviews of Small Healthcare Breaches

The Office for Civil Rights (OCR) of the Department of Health and Human Services has announced a new initiative, expanding review and investigations into the causes of breaches that affect fewer than 500 people. There were 232,000 breaches of PHI affecting fewer than 500 individuals reported to OCR by covered entities and business associates between October 2009 and June 2016.

August 24th, 2016

Handling Multiple Requests From OCR Audit Program

Last week OCR reported that it had faced challenges in identifying and selecting a diverse pool of organizations to participate in the Phase 2 HIPAA Audit Program. In an effort to expand the roster of covered entity candidates, OCR sent up to 10,000 emails to prospective covered entities in a single “e-mail blast” asking for recipients to confirm if the recipient was associated with an organization that was a HIPAA covered entity, and to provide the contact information for appropriate

May 25th, 2016

CMS Proposed MIPS/MACRA Would Have Little Impact on Privacy & Security

The Centers for Medicare & Medicaid Services (CMS) is proposing changes to how the Medicare program provides incentives and bonuses that could be paid to physicians and other clinicians beginning in 2017. The changes are being proposed to implement mandates set by Congress in the 2015 legislation known as the “Doc Fix,” which eliminated the annual Medicare Sustained Growth Rate (SGR) payment adjustments and sunset financial penalties for clinicians not meeting Meaningful Use requirements after 2018.

May 2nd, 2016

OCR Surveying Covered Entities for Participation in HIPAA Audit Program

The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is moving steadily forward toward auditing covered entities and business associates. In the last few days the agency has distributed surveys to identify covered entities that will make up a pool of potential audit targets, released a new audit protocol substantially expanding the scope and criteria of what is subject to review, and described how it will collect information about business associates from covered entities.

April 5th, 2016