The HHS Office of Civil Rights (“OCR”), which is charged with implementing and overseeing HIPAA, recently alerted providers to a potential scam perpetrated through postcards falsely purporting to be from OCR. The postcards were directed to the attention of the provider’s “Compliance Officer,” with a sender purporting to be “Secretary of Compliance, HIPAA Compliance Division,” and referenced a “Required Security Risk Assessment.” The postcard prompted recipients to visit a URL, call, or email to take immediate action on a HIPAA Risk Assessment. A copy of the alert and postcard may be found here: https://list.nih.gov/cgi-bin/wa.exe?A2=ind2008&L=OCR-PRIVACY-LIST&P=67

The link, however, directs individuals to a non-governmental website marketing consulting services. Such a scam could also have directed the user to a link that allowed malware to be inserted into the provider’s system.

Providers should always verify that a communication purporting to be from OCR is in fact from OCR by looking for the OCR address or email address on any such communication. The addresses for OCR’s Headquarters and Regional Offices are available on the OCR website at https://www.hhs.gov/ocr/about-us/contact-us/index.html, and all OCR email addresses will end in @hhs.gov.

The attorneys at Chilivis Grubman represent healthcare providers of all types and sizes in connection with HIPAA and cybersecurity matters. If you need assistance with such a matter, please contact us today.