April 27, 2021 – The U.S. Department of Health and Human Services (HHS) Office for Civil Rights in Action (OCR) is responsible for enforcement of HIPAA privacy and security regulations, and was recently made aware of fraudulent postcards being sent to health care organizations. While the “risk analysis” mentioned in the fake posting described below is a federal requirement for those involved in handling protected health information, these postcards were not sent from OCR or HHS. For more information, see the official HHS OCR alert:
“OCR has been made aware of postcards being sent to health care organizations informing the recipients that they are required to participate in a “Required Security Risk Assessment” and they are directed to send their risk assessment to www.hsaudit.org. The link directs individuals to a non-governmental website marketing consulting services.
Please be advised that this postcard notification did not come from OCR or the U.S. Department of Health and Human Services. This communication is from a private entity – it is NOT an HHS/OCR communication. HIPAA covered entities and business associates should alert their workforce members to this misleading communication. Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or email address, which will end in @hhs.gov, on any communication that purports to be from OCR, and asking for a confirming email from the OCR investigator’s hhs.gov email address. The addresses for OCR’s HQ and Regional Offices are available on the OCR website here, and all OCR email addresses will end in @hhs.gov. If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov.
Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation.”
Ulmer’s Health Care Practice Group keeps a close eye on ever-changing federal and state health care regulations and other important matters affecting the health care industry. Please reach out to our attorneys if you have any questions.