August 7, 2020 – The United States Office for Civil Rights (OCR) has issued an alert on postcards being sent to healthcare organizations disguised as official OCR communications claiming to be notices of a mandatory Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance risk assessment.
The postcards have a Washington, D.C., return address, and the sender uses the title “Secretary of Compliance, HIPAA Compliance Division.” The postcard is addressed to the health care organization’s HIPAA compliance officer. It prompts recipients to visit a URL, call, or e-mail to take immediate action on a HIPAA Risk Assessment. The link directs individuals to a non-governmental website marketing consulting services.
The postcard is not from OCR. All HIPAA covered entities and business associates should alert their workforce members to this misleading communication. This communication is from a private body – it is NOT an OCR communication.
Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or e-mail address on any communication that purports to be from OCR. The addresses for OCR’s Headquarters and Regional Offices are available on the OCR Web site at: https://www.hhs.gov/ocr/about-us/contact-us/index.html and all OCR e-mail addresses will end in @hhs.gov. If organizations have additional questions or concerns, send an e-mail to [email protected].
Please report suspected incidents of individuals posing as federal law enforcement to the Federal Bureau of Investigation. (fbi.gov)