The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) is warning healthcare entities to beware of phony postcards disguised as official OCR communications concerning HIPAA. These postcards, claiming to be notices of “mandatory HIPAA compliance risk assessment,” are not from the OCR and are part of the troubling trend of private entities and individuals posing as federal law enforcement to obtain business and/or gain access to sensitive information. For example, OCR previously issued alerts about individuals posing as OCR investigators.

Q: What does this latest “OCR” postcard look like?
A: The postcards have a Washington, D.C. return address, and the sender uses the title “Secretary of Compliance, HIPAA Compliance Division.” The postcard is addressed to the healthcare organization’s “HIPAA COMPLIANCE OFFICER” and prompts recipients to visit a URL, call, or email to take immediate action on a HIPAA Risk Assessment. (In fact, the link directs individuals to a non-governmental website marketing consulting services.)

Q: How can I verify whether a correspondence is from the OCR?
A: Typically, you can verify that a communication is from OCR by looking for the OCR address or email address on any communication that purports to be from OCR. The addresses for OCR’s HQ and Regional Offices are available on the OCR website at https://www.hhs.gov/ocr/about-us/contact-us/index.html, and all OCR email addresses will end in @hhs.gov. If organizations have additional questions or concerns, they are encouraged to email [email protected].

Q: What should I do if I receive this postcard or a similarly suspicious correspondence?
A: Do not visit any URLs or make calls or emails to any of the contact information provided.  Do not reveal confidential or any sensitive information. Generally, suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation.

This article is provided for educational purposes only and is not offered as, and should not be relied on as, legal advice. Any individual or entity reading this information should consult an attorney for their particular situation.

For more information, please contact:
Lara Compton, Partner
[email protected]

Kristina Sherry, Attorney at Law 
[email protected]

Posted on August 10, 2020

Recent Posts

Hacking and Healing: Nation-States, Cyber Attacks, and Healthcare LawReproductive Rights Attorney: This Is Why Right-Wing Interest Are Attempting To Ban MifepristoneDecades in the Making: 42 CFR Part 2’s Transformation After 50 YearsHarry Nelson on Forbes News: Impact of the Alabama Supreme Court’s Frozen Embryo RulingCalifornia’s Corporate Healthcare Law, Practice of Medicine (CPOM)