The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has warned individuals and businesses about a misleading postcard being mailed, first-class, to individuals designated as “HIPAA Compliance Officers.” As OCR has warned, “Though the postage is marked first class, the mailer’s intent is not. In fact, it is another low-class act by scammers.” The postcards contain misleading information, claiming to be notices of required HIPAA compliance risk assessments coming from the “Secretary of HIPAA Compliance, HIPAA Compliance Division” – a non-existent entity. The return address is that of a UPS Store in Washington, D.C. Details on this scam posing as an OCR communication are discussed below.


What are the Contents of the Fake OCR Communication?

[Image: a copy of the fake postcard, captioned "Fake OCR Communication"]

The postcard contains a “NOTICE” that HIPAA violations “cost your practice.” The fake OCR communication then falsely (and illegally) suggests that the entity to whom a postcard has been mailed has committed a HIPAA violation that could cost the organization anywhere from $100 to $1.5 million. The fake communication’s “instructions” prompt recipients, who are addressed with the label “Mandatory Compliance HIPAA Entity,” to visit a URL, call, or email to take immediate action on a “Required Security HIPAA Risk Assessment.” The link, in fact, directs individuals to a non-governmental website marketing consulting services.

What Actions Should Individuals Take?

The fake postcard attempts to lure individuals into a scheme. Recipients should not take the bait. Instead, as OCR has advised, covered entities and business associates should alert their workforce members about this misleading communication. 

Workforce members should be alerted to the fact that the communication is from a private entity and is NOT an HHS/OCR communication. Covered entities and business associates can verify that a communication is from OCR by checking the sender’s postal address or email address against the addresses OCR publishes for its headquarters and regional offices; a return address at a commercial mail drop, or a link to a non-.gov domain, is a red flag. OCR has stated that organizations can send additional questions or concerns to OCR by email.

Furthermore, only OCR investigates alleged HIPAA violations; only OCR can fine an entity; and OCR gives an entity the opportunity to contest any proposed fine before it is issued. When OCR decides to conduct nationwide audits, it informs the public of the details of the audit in advance, including what OCR will look for. In other words, there are no “sneak fines,” contrary to what the fake postcard suggests.