David Holtzman

About David Holtzman

Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.

Thinking About Buying New IoT Devices? Better Wait ‘til Next Year for Better Security Features!

IoT Devices Vulnerable to Cybersecurity Threats

Healthcare organizations, like other businesses, are integrating “smart technologies” into devices and facility controls that are connected to the internet. While much attention has been paid to the cybersecurity risks surrounding information systems that handle e-PHI, the security risks related to IoT devices are less well known. Since IoT devices are connected to the internet, they can be hacked just like any other internet-enabled device. Many device manufacturers do not design security

Debunking Four Common Myths of the California Consumer Privacy Act (CCPA)

How CCPA Applies to Healthcare, Non-Profits, and Data Outside of California

Beginning January 1, 2020, the California Consumer Privacy Act (CCPA) requires businesses that collect, share, or sell the personal information of California residents to provide a long list of privacy rights. Much like the General Data Protection Regulation (GDPR) in Europe, CCPA is expected to dramatically alter the way American businesses use and disclose information about people and, in many cases, will force organizations to reexamine their practices. Let’s

New York’s Sweeping Data Protection & Breach Notification Law Takes Effect This Week

New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which amends the state’s breach notification law, goes into effect on October 23rd. The SHIELD Act significantly expands what types of personal information are protected, lowers the bar for which security incidents must be reported as a breach, and sets new mandates for organizations covered by the HIPAA rules to report breaches to state authorities. A separate mandate will take effect in March 2020 requiring organizations controlling the

OCR Business Associate Fact Sheet Sets Floor and AMCA Breach Shows Why We Must Do More

Why Having a Vendor Security Management Program is Necessary

News of a cybersecurity incident compromising personally identifiable information held by the American Medical Collections Agency (AMCA), a downstream financial management and collections contractor serving scores of healthcare organizations, has put a spotlight on concerns over the lax approach some in the industry take to assessing vendor information security practices. The breach, the largest healthcare-related incident to have been reported since 2017, comes on the heels of the recently

HHS Proposed Information Blocking Rules and OCR FAQs

The Office of the National Coordinator (ONC) released its long-awaited proposed rule on interoperability and information blocking under the 21st Century Cures Act, identifying conduct that is not information blocking. If finalized, ONC’s proposed rule would have a significant impact on data sharing arrangements and other relationships among health care providers, health IT developers, and other stakeholders.

The Groundwork

In 2016, President Obama signed into law the 21st Century Cures Act (CURES). CURES amended the Health Information Technology for Economic

Changes to New California Privacy Law Exempts Some Healthcare Organizations

Much has been written about the potential impacts that the California Consumer Privacy Act of 2018 (CaCPA) could have on health care organizations and their business partners. The California legislature quickly passed an amendment and technical correction that rolled back some of CaCPA’s provisions, exempting data that is regulated by the HIPAA privacy standards and the Common Rule and sparing some health care businesses from CaCPA’s requirements. CaCPA requires that starting in January 2020, businesses that have some role in the processing

Ohio Creates Incentives to Proactively Adopt Cybersecurity Programs

A new Ohio law, the Data Protection Act, incentivizes businesses and not-for-profit organizations that proactively put into place cybersecurity programs to safeguard electronic information containing identifiable information of consumers that could be used for identity theft or fraud if it were disclosed in a security breach. The law, which takes effect on November 2, 2018, provides organizations a safe harbor from consumer lawsuits if they can demonstrate that a cybersecurity program was in place when the security breach

OCR Updates Audit Protocol Emphasizing its Role for Compliance and Enforcement

The US Department of Health and Human Services, Office for Civil Rights (OCR) has, without fanfare, updated its comprehensive audit protocol, making substantive changes to inquiries into how an organization applies its workforce sanctions policy and, more broadly, its compliance with the Breach Notification Rule. Released in 2016 for use by HIPAA covered entities and business associates to prepare for the Phase 2 Audit Program, the Audit Protocol is now used by health care organizations, as well as OCR’s

Colorado Breach Law Uses Long Arms to Protect Health Information Not Covered by HIPAA

Colorado has put into place a new law that will require organizations handling digital personal information of Colorado residents to have security safeguards in place to protect that information from unauthorized disclosure and misuse, as well as breach notification requirements that will apply in addition to any other state or federal requirements. Some other provisions in the bill: Sets new standards for breach notification to require notice by any organization to affected Colorado residents, and in some cases the Colorado Attorney

OCR Says Gap Analysis Does Not Meet HIPAA Requirements

The HHS Office for Civil Rights (OCR) has issued guidance clarifying that performing a gap analysis of an information system’s safeguards is not enough to meet the minimum requirements of the HIPAA Security Rule. While a gap analysis can be used to discover where problems exist in securing electronic protected health information (ePHI), it does not satisfy the risk analysis obligation under the Security Rule. Under the HIPAA rule, a covered entity or business associate must perform