David Holtzman

About David Holtzman

Considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules, David Holtzman was a senior advisor at OCR before joining the team at CynergisTek. He also previously served as the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region.

The CHS Breach: What You Need to Know & What You Should Do Today

By Mac McMillan and David Holtzman

On August 19th we awoke to the news from Community Health System (CHS) that the health records of 4.5 million individuals were disclosed when a cyber criminal was able to penetrate their information system. CynergisTek believes that healthcare organizations should use the CHS breach as a call for action on steps to prevent a similar event from occurring elsewhere.

August 25th, 2014

Florida Passes New Data Security Law That Is More Stringent Than HIPAA

Florida Information Protection Act of 2014

As of July 1st, healthcare providers, vendors and health plans doing business in Florida will have to follow the Florida Information Protection Act of 2014 (FIPA). The new law changes what information must be protected, increases who it applies to and requires different breach notification than HIPAA. The new regulation is more stringent than HIPAA and must be complied with in addition to HIPAA. CynergisTek CEO Mac McMillan recently told InformationWeek, “The law includes

July 22nd, 2014

Are Medicaid Transportation Brokers Considered Business Associates?

HIPAA Requirements and the Medicaid Transportation Broker

The Omnibus Rule defined a number of businesses and quasi-governmental agencies that provide services to support public health care safety net programs as HIPAA Business Associates because of the protected health information they receive, create and/or maintain while performing services on behalf of a HIPAA covered entity. The changes to the HIPAA Rules to implement the provisions of the HITECH Act are still being felt. A case in

July 1st, 2014

Is an Online Risk Analysis That Pays for Fines & Penalties a Bad Bet?

A recent marketing come-on to healthcare practices and business associates from a company that provides an online HIPAA Security Rule risk assessment triggered some old memories. You know the ad, “Give us two hours of your time and we will give you a risk analysis.” If you buy into their online risk assessment, they promise that they will pay the first $100,000 of any fine or penalty levied by OCR or CMS.

June 23rd, 2014

OCR Continues to Ramp Up for Audits

Office for Civil Rights Seeks a Senior Auditor

Earlier this year OCR announced that they are launching the HIPAA/HITECH Audit Program this year and have been ramping up efforts to kick off the program. They added staff to execute the audits, announced the scope of the next phase and now are taking another step towards launching Phase II by inviting applications to fill the position of a new Senior Auditor to lead the project. What is interesting is that the posting on the

June 20th, 2014

OIG Calls for Tighter Controls on PHI Sent to Offshore Vendors

Report to OCR and CMS Says Reliance on BA Agreements is Not Enough

Healthcare, like many other industries, allows offshore outsourcing of information technology help desk functions, healthcare claims processing and medical transcription services. However, organizations that are considering the offshoring of health information should consider the liability associated with managing business agreements meant to provide satisfactory assurance that patient information is protected against unauthorized use or disclosure.

June 18th, 2014

Third Anniversary of Proposed HIPAA Access Reports Passes While Healthcare Waits

The third anniversary of the release by the Department of Health and Human Services (“HHS”) of proposed regulations implementing changes to the accounting of disclosures provisions under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) has passed without much notice. The proposed regulations arose from requirements in the Health Information Technology for Economic and Clinical Health Act (“HITECH”), passed as part of the American Recovery and Reinvestment Act of 2009.

June 9th, 2014

ONC & OCR Release Risk Assessment Tool

New HIPAA Security Risk Assessment Tool Is Designed For Small Providers & Business Associates

A new security risk assessment (SRA) tool has been developed by the Department of Health & Human Services Office of the National Coordinator for Health IT (ONC) and the Office for Civil Rights (OCR). The tool is designed to help small and medium-sized health provider and business associate practices conduct and document a risk assessment in a thorough, organized fashion at their

April 2nd, 2014