Indiana Policyholders: Notice to policyholders recently affected by severe weather. 

Beware of HIPAA Scam: Compliance Risk Assessment Postcards

The OCR has issued a warning about scam postcards being sent to practices claiming they are required to participate in a mandatory HIPAA compliance risk assessment. Don't take the bait.

Posted in Articles on Monday, August 24, 2020

Recently, a number of practices have received scam postcards disguised as official Office of Civil Rights (OCR) communications and claiming to be notices of a mandatory HIPAA compliance risk assessment. They even look official with a Washington, D.C., return address, and the title “Secretary of Compliance, HIPAA Compliance Division.” The postcard prompts recipients to visit a URL, call, or email to take immediate action on a HIPAA Risk Assessment. The fake OCR communication suggests you committed a HIPAA violation that could cost you anywhere from $100 to $1.5 million dollars. Don’t let this fool you! The link provided is to a non-governmental private company website marketing consulting services. Alert your team to this scam.

Verify Information

As with any email phishing scheme, it’s important to verify suspect information. First of all, do not use the links or phone numbers provided on the postcard. Instead, visit the HHS/OCR website (do not use the provided URL) to check the postcard’s validity. Here are a few ways to verify that a communication is from OCR:

  • Look for the OCR address or email address on the communication.
  • The addresses for OCR’s HQ and Regional Offices are available on the OCR website
  • All OCR email addresses will end in @hhs.gov.
  • If you have additional questions or concerns, please send an email to: OCRMail@hhs.gov
  • Suspected incidents of individuals or companies posing as federal law enforcement should be reported to the Federal Bureau of Investigation.

There Are No "Sneak Fines"

Finally, only OCR conducts investigations of alleged HIPAA violations; only OCR can fine an entity; and OCR gives an entity the opportunity to contest any proposed fine before it is issued. When OCR decides to conduct nationwide audits, OCR informs the public of the details of the audit in advance, including what OCR will look for. In other words, there are no “sneak fines,” contrary to what the fake postcard suggests. 

Other HIPAA-Related Resources

Resources by Profession

Knowledge to keep you sharp

The articles, videos, webinars, tools and resources you need to do your job.

Photos and Protected Health Information: What Qualifies? Photos and Protected Health Information: What Qualifies? Article | Articles Photos that show individually identifiable information are considered protected health information (PHI). Are you showing or sharing too much? When a Friend Crosses a Professional Boundary When a Friend Crosses a Professional Boundary Article | Articles Ever had a friend ask for medical advice outside the privacy of an office setting? Here's what you can do when a friend crosses that professional boun... Communication in the Workplace Communication in the Workplace Article | Articles When employees are satisfied with their workplace, they are present for work, feel appreciated, and are more productive employees. When a Patient Refuses Care When a Patient Refuses Care Article | Articles Patients have the right to refuse care. What do you do when they don't want to follow your advice?

Read more articles

This website uses first party and third party cookies to improve your experience and anonymously track site visits. By visiting this website, you opt-in to the use of cookies. OK