[May 2021] HHS OCR Warning
The HHS Office for Civil Rights (OCR) has issued an alert about postcards being sent to some health care organizations disguised as official OCR communications. The postcards claim to be a notice of a mandatory HIPAA compliance risk assessment and prompt the recipient to visit a URL, call, or email to take immediate action on a HIPAA Risk Assessment. The link directs individuals to a non-governmental website marketing consulting services. Do not respond to this request.
Here is the message received from OCR:
Alert: Postcard Disguised as Official OCR Communication
OCR has been made aware of postcards being sent to health care organizations informing the recipients that they are required to participate in a "Required Security Risk Assessment" and they are directed to send their risk assessment to www.hsaudit.org. The link directs individuals to a non-governmental website marketing consulting services.
Please be advised that this postcard notification did not come from OCR or the U.S. Department of Health and Human Services. This communication is from a private entity – it is NOT an HHS/OCR communication. HIPAA covered entities and business associates should alert their workforce members to this misleading communication. Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or email address, which will end in @hhs.gov, on any communication that purports to be from OCR, and asking for a confirming email from the OCR investigator's hhs.gov email address. The addresses for OCR's HQ and Regional Offices are available on the OCR website at https://www.hhs.gov/ocr/about-us/contact-us/index.html, and all OCR email addresses will end in @hhs.gov. If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov.
Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation.