Beware of HIPAA Scam: Compliance Risk Assessment Postcards

The OCR has issued a warning about scam postcards being sent to practices claiming they are required to participate in a mandatory HIPAA compliance risk assessment. Don't take the bait.

Recently, a number of practices have received scam postcards disguised as official Office of Civil Rights (OCR) communications and claiming to be notices of a mandatory HIPAA compliance risk assessment. They even look official, with a Washington, D.C., return address and the title “Secretary of Compliance, HIPAA Compliance Division.” The postcard prompts recipients to visit a URL, call, or email to take immediate action on a HIPAA Risk Assessment. The fake OCR communication suggests you committed a HIPAA violation that could cost you anywhere from $100 to $1.5 million. Don’t let this fool you! The link provided leads to a non-governmental private company website marketing consulting services. Alert your team to this scam.

Verify Information

As with any phishing scheme, whether it arrives by email or by post, it’s important to verify suspect information. First of all, do not use the links or phone numbers provided on the postcard. Instead, visit the HHS/OCR website (do not use the provided URL) to check the postcard’s validity. Here are a few ways to verify that a communication is from OCR:

  • Look for the OCR address or email address on the communication.
  • The addresses for OCR’s HQ and Regional Offices are available on the OCR website.
  • All OCR email addresses will end in
  • If you have additional questions or concerns, please send an email to:
  • Suspected incidents of individuals or companies posing as federal law enforcement should be reported to the Federal Bureau of Investigation.

There Are No "Sneak Fines"

Finally, only OCR conducts investigations of alleged HIPAA violations; only OCR can fine an entity; and OCR gives an entity the opportunity to contest any proposed fine before it is issued. When OCR decides to conduct nationwide audits, OCR informs the public of the details of the audit in advance, including what OCR will look for. In other words, there are no “sneak fines,” contrary to what the fake postcard suggests. 

Other HIPAA-Related Resources
