The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) enforces the HIPAA regulations through investigations, civil monetary penalties, and settlements. On April 26, 2021, OCR announced that it had been made aware of postcards being sent to healthcare organizations informing the recipients that they are required to participate in a “Required Security Risk Assessment.” The postcards instruct recipients to send the risk assessment to “hsaudit.org”. This is a non-governmental website that markets consulting services. Details of the OCR fraud alert are discussed below.
What Actions to Take If You Receive the Postcard
As noted in the OCR fraud alert, the postcard notification did not come from OCR or from the Department of Health and Human Services (HHS). OCR does not send postcards to individuals, let alone postcards “requiring” recipients to send sensitive information to an unknown third party. OCR does not communicate through mail blasts.
OCR advises that covered entities and business associates verify that a communication is from OCR by checking the OCR mailing address or email address. Straightforwardly enough, genuine OCR email addresses end in “@hhs.gov”.
Providers and business associates can also verify OCR communication by emailing the OCR investigator’s hhs.gov email address for confirmation. The addresses for OCR’s HQ and Regional Offices are available on the OCR website. If an organization has additional questions or concerns, the organization can reach OCR by sending an email to [email protected].
OCR has also announced that suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation through the FBI’s Internet Crime Complaint Center. Individuals who falsely assume or pretend to be U.S. officers or employees are subject to criminal fines and imprisonment of up to three years.
Mail fraud is defined as the use of the mail system to conduct a scheme or plan to defraud someone of money, property, or services. Suspected mail fraud may be reported to the U.S. Postal Service. Fraud may also be reported to the Federal Trade Commission (FTC).
Fraudulent postcards from individuals posing as HHS and OCR are not new. In November 2020, OCR warned that misleading postcards were being mailed, first-class, to individuals designated as “HIPAA Compliance Officers.” The postcards claimed to be notices of required HIPAA compliance risk assessments coming from the “Secretary of HIPAA Compliance, HIPAA Compliance Division” – a non-existent entity. The return address on the postcard was that of a UPS Store in Washington, D.C. – not OCR or HHS.
Don’t Fall Victim to OCR Fraud: This Is How OCR Actually Investigates
Under the HIPAA Security Rule requirements, covered entities and business associates must complete a security risk assessment. If a complaint is made about a covered entity’s or a business associate’s privacy or security practices, OCR can then investigate. OCR’s investigation may find that the entity likely violated the requirement to complete a security risk assessment. In other words, OCR has an established process for informing an organization about security risk assessments, and this postcard is not that process.