Highlights from the 2021 HFMA and NEHIA Compliance & Internal Audit Conference

The HFMA MA-RI Chapter teamed up with the New England Healthcare Internal Auditors (NEHIA) organization last week to put on the joint annual Compliance and Internal Audit Conference.  The conference was attended in-person by more than 75 participants and was a great success!  Thank you to all attendees, speakers, and sponsors!

Highlights from two of the speakers at the conference included:

  • Timothy Stark, Investigator for the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) provided an informational overview on areas of emphasis for HIPAA compliance. Key takeaways included:
    • Based on the HHS February 2021 bulletin on Health Insurance Portability and Accountability Act (HIPAA) and COVID-19, various updates and related guidance were provided on:
      • How patient information may be shared without a HIPAA authorization:
        • Treatment
        • Public Health Activities
        • Family, Friends, and Others Involved in an Individual’s Care or Payment for Care
        • To Prevent or Lessen a Serious and Imminent Threat
      • Cautions against disclosures to the media
      • Reminds about the minimum necessary standard and reasonable safeguards
    • OCR will not impose HIPAA penalties against covered health care providers for noncompliance in connection with the good faith provision of telehealth using remote communication technologies (permissible communication applications include FaceTime or Skype; Public facing communication apps like Facebook Live, Twitch, and TikTok should not be used).
    • As of July 31, 2021, OCR has received more than 28,000 HIPAA complaints, 14% more than last year’s complaints. This significant uptick in the number of complaints is mainly due to allowance of online submission instead of by mail.


  • Linn Freedman, is a Partner at Robinson + Cole where she practices in data privacy and security law, cybersecurity, and complex litigation and chairs the firm’s Data Privacy & Cybersecurity team. Linn kicked off the conference with an enlightening albeit, as she self-described, scary, look into cyberattacks, ransomware, and the current state of cyber risks. Key takeaways included:
    • On average it takes an organization 208 days to identify and address a cyberattack.
    • The average attack costs an organization $3.9M, but in healthcare that cost is much higher, at $7M on average.
    • Healthcare is consistently in the top three industries targeted by bad actors.
    • Organizations should consider performing more phishing testing in today’s world of remote work as well as make employees aware of emerging schemes such as vishing (fraud that uses voice/phone calls), smishing (fraud that uses SMS/text messaging), and QRishing/quishing (where QR codes bring users to a malicious link).
    • Linn noted she has seen more organizations pay ransoms (including seven figure ransoms) in the last two years than in the last twenty.
    • Bad actors are becoming increasingly well organized. Maze, a notorious ransomware group, sent out a press release about their retirement, after a “successful” year in 2020.
    • According to one statistic, for 77% of all threats in Q1 2021, the bad actors had already exfiltrated information/data before contacting the organization.
    • In the U.S. the first case was just filed where the organization is claiming that a patient died as a result of a ransomware attack.

Save the date for next year’s Conference!

Wednesday, November 30 – Friday, December 2, 2022
Mystic Marriott, Groton, CT