HHS Addresses Recent Fraudulent HIPAA Communications

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently sent an alert to its listservs regarding fraudulent communications that are being sent to health care organizations around the country. OCR states that it became “aware of postcards being sent to health care organizations disguised as official OCR communications, claiming to be notices of a mandatory HIPAA compliance risk assessment.” The postcards carry a Washington, DC return address, and the imposter uses the non-existent title of “Secretary of Compliance, HIPAA Compliance Division”. OCR goes on to explain that these postcards are addressed to HIPAA Privacy and Security Officers and instruct recipients to visit a website link, call, or email to take immediate action on HIPAA requirements. The link directs individuals to a non-governmental website marketing consulting services.
OCR provides the following example and states that the postcard is NOT from HHS/OCR:

OCR recommends that HIPAA covered entities and business associates alert their workforce members to this misleading communication, and notes that OCR would never send a communication without an address from OCR itself or an email address from OCR that includes the @hhs.gov suffix. The addresses for OCR’s offices are available on the OCR website at https://www.hhs.gov/ocr/about-us/contact-us/index.html. Finally, OCR requests that any suspected incidents of individuals posing as federal law enforcement be reported to the Federal Bureau of Investigation (FBI).
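The “@hhs.gov suffix” rule is easy to apply badly: a plain substring check on the From header is satisfied by lookalike domains and by display names that merely contain the string. The following added example (not from OCR or HHS) contrasts that naive check with a parse of the actual address domain; all sample headers are constructed for illustration.

```python
import email.utils
from typing import Optional

# Domain OCR says its email would come from (from the alert text).
OCR_DOMAIN = "hhs.gov"


def sender_domain(from_header: str) -> Optional[str]:
    """Parse a From: header and return the domain of the real address, lowercased.

    parseaddr() separates the display name from the angle-bracketed address,
    so text in the display name cannot masquerade as the sending domain.
    """
    _name, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def naive_suffix_check(from_header: str) -> bool:
    """The check a hurried reader applies: is '@hhs.gov' anywhere in the header?"""
    return "@hhs.gov" in from_header.lower()


def is_hhs_sender(from_header: str) -> bool:
    """True only if the address domain is hhs.gov itself or a subdomain of it.

    Note: this verifies what the header claims, not who actually sent the
    message; a forged From: still needs SPF/DKIM/DMARC results to be trusted.
    """
    domain = sender_domain(from_header)
    if domain is None:
        return False
    return domain == OCR_DOMAIN or domain.endswith("." + OCR_DOMAIN)


# Constructed sample headers: one legitimate-looking, two lookalikes.
SAMPLES = [
    "OCR <ocr@hhs.gov>",
    "HIPAA Compliance Division <compliance@hhs.gov.example-consulting.com>",
    '"ocr@hhs.gov" <contact@example.net>',
]

if __name__ == "__main__":
    for hdr in SAMPLES:
        print(f"{hdr!r}: naive={naive_suffix_check(hdr)} parsed={is_hhs_sender(hdr)}")
```

The two lookalike headers pass the substring check but fail the parsed-domain check, which is the behaviour a mail-filter rule or staff guidance should be built around.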