David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives including the effort to integrate the administration and enforcement of the HIPAA Security Rule, and health information technology policies. David has nearly two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs from both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup”, the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council and Co-Chair of the Privacy and Security Workgroup for North Carolina Healthcare Information & Communications Alliance (NCHICA).

  • New York’s Sweeping Data Protection & Breach Notification Law Will Have National Impact

    Recently, the New York State Legislature passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act to amend the state’s breach notification law and to add mandates for organizations...

  • OCR Business Associate Fact Sheet Sets Floor and AMCA Breach Shows Why We Must Do More

    Why Having a Vendor Security Management Program is Necessary: News of a cybersecurity incident compromising the personally identifiable information of the American Medical Collections Agency...

  • HHS Proposed Information Blocking Rules and OCR FAQs

    The Office of the National Coordinator (ONC) released its long-awaited proposed rule on interoperability and information blocking, the 21st Century Cures Act, by identifying conduct that is not...

  • Changes to New California Privacy Law Exempts Some Healthcare Organizations

    Much has been written about the potential impacts that the California Consumer Privacy Act of 2018 (CaCPA) could make on health care organizations and their business partners. The California...

  • OCR Updates Audit Protocol Emphasizing its Role for Compliance and Enforcement

    The US Department of Health and Human Services, Office for Civil Rights (OCR) has without fanfare updated its comprehensive audit protocol, making substantive changes to inquiries to demonstrate...

  • Colorado Breach Law Uses Long Arms to Protect Health Information Not Covered by HIPAA

    Colorado has put into place a new law that will require organizations handling digital personal information of Colorado residents to have security safeguards in place to protect information from...

  • OCR Says Gap Analysis Does Not Meet HIPAA Requirements

    The HHS Office for Civil Rights (OCR) has issued guidance answering the question that performing a gap analysis of an information system’s safeguards is not enough to meet the minimum requirements...

  • HIPAA Enforcement: 2017 Year in Review

    2017 will go down as a change year for Health Insurance Portability and Accountability Act (HIPAA) enforcement of the Privacy, Security, and Breach Notification Rules. This comes on the heels of...

  • OCR Says Desk Audits Rates Many HIPAA Efforts to be Inadequate or Worse

    The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) released preliminary results from Phase 2 of the HIPAA Audit Program. The data was drawn from limited scope desk...

  • OCR Tells Healthcare Organizations: A WannaCry Ransomware Attack is a HIPAA Breach

    The Office for Civil Rights (OCR) has issued advisories that a HIPAA covered entity or business associate that is affected by the “WannaCry” ransomware attack or other malware should respond to...

  • OCR Enforcement Actions: Prioritize HIPAA Security & Vendor Management Requirements

    Thus far in 2017, the Office for Civil Rights (OCR) has announced that they have negotiated settlements or levied penalties in seven cases that have resulted in covered entities and business...

  • Organizations Subject to HIPAA Get a Pass from New Mexico Breach Notification Law

    Earlier this month, New Mexico became the forty-eighth state to enact a data breach notification law. Only Alabama and South Dakota remain without such requirements. The Data Breach Notification...

  • CMS Proposes EHR Incentive Program Changes and Affirms Stage 3 Effective in 2018

    CynergisTek is alerting you to a number of changes the Centers for Medicare & Medicaid Services (CMS) is proposing to the requirements of the EHR Incentive Program that would apply to the program...

  • Death, Taxes … and Breach Reporting

    It is said that the only two certainties in life are death and taxes. If you are a HIPAA covered entity, you can add reporting breaches of unsecured protected health information (PHI) to the...

  • OCR Penalizes Health System for Multiple HIPAA Violations

    On February 1, 2017, OCR announced that it levied a $3.2 million civil money penalty against Children’s Medical Center of Dallas (Children’s). The enforcement action ends a nearly six-year long...

  • OCR Issues Guidance Emphasizing Importance of Audit Controls

    OCR recently published its January Cyber Awareness Newsletter that provides guidance on how organizations should comply with the audit controls standard. The HIPAA Security Rule (45 CFR...

  • UMass HIPAA Settlement is a Clarion Call to Colleges and Universities

    The University of Massachusetts at Amherst (UMass) agreed to a settlement with the Office for Civil Rights (OCR) over allegations that it had violated the HIPAA Privacy and Security Rules after a...

  • OCR Plans to Expand Compliance Reviews of Small Healthcare Breaches

    The Office for Civil Rights (OCR) of the Department of Health and Human Services has announced a new initiative, expanding review and investigations into the causes of breaches that affect fewer...

  • Handling Multiple Requests From OCR Audit Program

    Last week OCR reported that it had faced challenges in identifying and selecting a diverse pool of organizations to participate in the Phase 2 HIPAA Audit Program. In an effort to expand the...

  • CMS Proposed MIPS/MACRA Would Have Little Impact on Privacy & Security

    The Centers for Medicare & Medicaid Services (CMS) is proposing changes to how the Medicare program provides incentives and bonuses that could be paid to physicians and other clinicians beginning...
