Yesterday, the Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), sent an alert to its listservs regarding fraudulent communications that are being sent to health care organizations around the country. OCR states that it became “aware of postcards being sent to health care organizations disguised as official OCR communications, claiming to be notices of a mandatory HIPAA compliance risk assessment.” The postcards have a Washington, D.C., return address, and the imposter uses the non-existent title description of “Secretary of Compliance, HIPAA Compliance Division.” OCR further explains that these postcards are being addressed to HIPAA Privacy and Security Officers and indicates that recipients should visit a website link, call or email to take immediate action on HIPAA requirements. Importantly, the website link directs individuals to a non-governmental website. 

OCR provides the following example and states that “[t]he postcard below is not from HHS/OCR.”

Further, OCR indicates that HIPAA covered entities and business associates “should alert their workforce members to this misleading communication,” and that OCR would not send a communication without an address from OCR itself, or an email address from OCR including a @hhs.gov suffix. The addresses for OCR’s Offices are available on the OCR website at https://www.hhs.gov/ocr/about-us/contact-us/index.html. Finally, OCR requests that any suspected incidents of individuals posing as federal law enforcement be reported to the Federal Bureau of Investigation (“FBI”).