On April 3, 2020 the U.S Department of Health and Human Services Office for Civil Rights (OCR) issued a warning to HIPAA-covered entities that an individual posing as an OCR Investigator is contacting health care organizations and attempting to obtain access to sensitive information (presumably for purposes of identity theft).
Covered entities and their business associates should be wary of individuals who claim to be OCR investigators but are not able to provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation.
When a request for information is received from an investigator or other official, that person should be able to provide sufficient information to verify the reason for their request and their status as an investigator/official. Below are a few key tips:
- Remember to review and follow HIPAA policies and procedures with respect to permitted uses and disclosures of patients’ PHI when responding to investigators. Consider providing a quick refresher course on this topic to your employees and notifying business associates regarding how to avoid this scam.
- Seek to verify that someone is an OCR investigator by asking for the investigator’s email address, which will end in @hhs.gov, then ask for a confirmation email from the OCR investigator’s hhs.gov email address.
- Ask that the investigator submit the request in writing to your compliance officer or legal department or contact them by phone.
- Follow similar procedures as above for any other agency when someone claims to be an “investigator” or other agent.
- Report suspected incidents of individuals posing as federal law enforcement to the Federal Bureau of Investigation (FBI), which has reported a rise in fraud schemes related to COVID-19 and has issued a Public Service Announcement available here.