OCR has also announced that suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation, through the FBI’s Internet Crime Complaint Center. Individuals who falsely assume or pretend to be U.S. officers or employees are subject to criminal fines and imprisonment of up to three years.
Mail fraud is defined as the use of the mail system to conduct a scheme or plan to defraud someone of money, property, or services. Suspected mail fraud may be reported to the U.S. Postal Service. Fraud may also be reported to the Federal Trade Commission (FTC).
Fraudulent postcards from individuals posing as HHS and OCR are not new. In November of 2020, OCR warned that postcards containing misleading information were being mailed, first-class, to individuals designated as “HIPAA Compliance Officers.” The postcards claimed to be notices of required HIPAA compliance risk assessments coming from the “Secretary of HIPAA Compliance, HIPAA Compliance Division” – a non-existent entity. The return address on the postcard was that of a UPS Store in Washington, D.C. – not OCR or HHS.
Don’t Fall Victim to OCR Fraud: This Is How OCR Actually Investigates
Under the HIPAA Security Rule requirements, covered entities and business associates must complete a security risk assessment. If a complaint is made about a covered entity’s or a business associate’s privacy or security practices, OCR can then investigate. OCR’s investigation may find that an entity likely violated the requirement to complete a security risk assessment. All of this is another way of saying that OCR has a process for informing someone about security risk assessments. This postcard is not that process.