
HHS OCR Warning - 05/01/21



[May 2021] HHS OCR Warning

The HHS Office for Civil Rights (OCR) has issued an alert on postcards being sent to some health care organizations disguised as official OCR communications. The postcards claim to be a notice of mandatory HIPAA compliance risk assessment. The postcards prompt the recipient to visit a URL, call or email to take immediate action on a HIPAA Risk Assessment. The link directs individuals to a non-governmental web site marketing consulting services. Do not respond to this request.

Here is the message received from OCR:

Alert: Postcard Disguised as Official OCR Communication

OCR has been made aware of postcards being sent to health care organizations informing the recipients that they are required to participate in a "Required Security Risk Assessment" and they are directed to send their risk assessment to www.hsaudit.org.  The link directs individuals to a non-governmental website marketing consulting services.

Please be advised that this postcard notification did not come from OCR or the U.S. Department of Health and Human Services.  This communication is from a private entity – it is NOT an HHS/OCR communication.  HIPAA covered entities and business associates should alert their workforce members to this misleading communication.  Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or email address, which will end in @hhs.gov, on any communication that purports to be from OCR, and asking for a confirming email from the OCR investigator's hhs.gov email address.  The addresses for OCR's HQ and Regional Offices are available on the OCR website at https://www.hhs.gov/ocr/about-us/contact-us/index.html, and all OCR email addresses will end in @hhs.gov.  If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov.

Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation. 
