David Holtzman

About David Holtzman

Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.

Changes to New California Privacy Law Exempts Some Healthcare Organizations

Much has been written about the potential impacts that the California Consumer Privacy Act of 2018 (CaCPA) could have on health care organizations and their business partners. The California legislature quickly passed an amendment and technical correction that rolled back some of CaCPA’s provisions, exempting data that is regulated by the HIPAA privacy standards and the Common Rule and sparing some health care businesses from CaCPA’s requirements. CaCPA requires that starting in January 2020, businesses that have some role in

October 16th, 2018

Ohio Creates Incentives to Proactively Adopt Cybersecurity Programs

A new Ohio law, the Data Protection Act, incentivizes businesses and not-for-profit organizations that proactively put into place cybersecurity programs to safeguard electronic information containing identifiable information of consumers that could be used for identity theft or fraud if it were disclosed in a security breach. The law, which takes effect on November 2, 2018, will provide organizations a safe harbor from consumer lawsuits if they can demonstrate that a cybersecurity program was in place when the security breach

September 11th, 2018

OCR Updates Audit Protocol Emphasizing Compliance

The US Department of Health and Human Services, Office for Civil Rights (OCR) has without fanfare updated its comprehensive audit protocol, making substantive changes to the inquiries into how an organization applies its workforce sanctions policy and, more broadly, its compliance with the Breach Notification Rule. Released in 2016 for use by HIPAA covered entities and business associates to prepare for the Phase 2 Audit Program, the Audit Protocol is now used by health care organizations, as well as OCR’s

September 5th, 2018

Colorado Breach Law Uses Long Arms to Protect Health Information Not Covered by HIPAA

Colorado has put into place a new law that will require organizations handling digital personal information of Colorado residents to have security safeguards in place to protect that information from unauthorized disclosure and misuse, along with breach notification requirements that will apply in addition to any other state or federal requirements. Some other provisions in the bill: Sets new standards for breach notification to require notice by any organization to affected Colorado residents, and in some cases the Colorado Attorney

July 3rd, 2018

OCR Says Gap Analysis Does Not Meet HIPAA Requirements

The HHS Office for Civil Rights (OCR) has issued guidance clarifying that performing a gap analysis of an information system’s safeguards is not enough to meet the minimum requirements of the HIPAA Security Rule. While a gap analysis can be used to discover where problems exist in securing electronic protected health information (ePHI), it does not satisfy the risk analysis obligations under the Security Rule. Under the HIPAA rule, a covered entity or business associate must perform

May 7th, 2018

HIPAA Enforcement: 2017 Year in Review

2017 will go down as a year of change for Health Insurance Portability and Accountability Act (HIPAA) enforcement of the Privacy, Security, and Breach Notification Rules. This comes on the heels of 2016, which saw an unprecedented level of enforcement actions, with 13 total settlements and nearly a 300% increase in total collected fines over 2015. In 2017, nine compliance reviews were settled with resolution agreements, in addition to a HIPAA enforcement action in which a civil monetary penalty was levied. A total of $19.4 million in fines and penalties was collected in 2017 by OCR through its enforcement actions.

January 5th, 2018

OCR Says Desk Audits Rate Many HIPAA Efforts Inadequate or Worse

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) released preliminary results from Phase 2 of the HIPAA Audit Program. The data was drawn from limited scope desk audits of 166 covered entities (CE) in July 2016. OCR rated their compliance with the HIPAA Privacy, Security and Breach Notification standards as largely “inadequate,” with over 94% of the covered entities failing to demonstrate appropriate risk management plans.

September 15th, 2017

What Does a Cybersecurity Workforce Look Like?

There is broad consensus that threats exploiting vulnerabilities in the health care cyberinfrastructure grow and evolve at a breakneck pace. Organizations that take a holistic view in developing a flexible approach to understand, manage and reduce their cybersecurity risk will be in a better position to defend their enterprise from attack.

August 17th, 2017

OCR Enforcement Actions: Prioritize HIPAA Security & Vendor Management Requirements

Thus far in 2017, the Office for Civil Rights (OCR) has announced that it has negotiated settlements or levied penalties in seven cases that have resulted in covered entities and business associates paying over $14.3 million. In all but one of these cases, the organizations have also been saddled with multi-year corrective action plans under which HHS will exercise oversight of their compliance with the HIPAA standards. At this pace, OCR will eclipse its record-setting performance of 2016, in which 13 formal enforcement actions had covered entities and business associates paying $23.5 million in fines and penalties for HIPAA violations.

May 9th, 2017