On April 26, 2021, the OCR (Office of Civil Rights) issued an alert to healthcare providers of a potential scam circulating via postcard. Here's what you need to know.
Posted in Risk Management on Thursday, April 29, 2021
This most recent scam takes the form of a postcard disguised as an official OCR communication. It advises recipients that they are required to complete a Security Risk Assessment and directs them to a particular website.
This website does not actually belong to the OCR or the Department of Health and Human Services (HHS); it is a marketing consulting website. To make it more confusing and possibly make you question the authenticity, the website does have a “.org” extension. Fortunately, the site has since been taken down; however, the postcards could still be circulating in the mail.
Important to Know:
- Any correspondence from the OCR will come from an address with the @hhs.gov extension.
- If you receive official-looking inquiries, ask for a verifying email from the OCR investigator’s hhs.gov email address.
- You can also find all the OCR offices on their official website.
Remember and Reinforce
A similar scam was run last summer. In that attempt, the notices concerned a mandatory HIPAA Compliance Risk Assessment and even had a Washington, D.C. return address and the title of the Secretary of Compliance, HIPAA Compliance Division. This isn’t the first and probably won’t be the last time we receive alerts of these types of HIPAA scams, so always remember:
You can find more information and guidance about the HHS/OCR Security Risk Analysis, as well as a tool, from the U.S. Department of Health & Human Services.