April 28, 2021
You’ve got mail! The Office for Civil Rights (OCR) just issued an alert warning of a potential HIPAA scam hitting your mailbox that you should be on the lookout for. The government was recently made aware that postcards disguised as official OCR communication were being sent to health care organizations informing recipients that they needed to complete a “Required Security Risk Assessment” and directing that completed assessments be sent to a non-governmental marketing consulting website that has since been taken down. This hand-delivered scare tactic came from a private entity and should NOT be mistaken as an official notification from the OCR or the U.S. Department of Health and Human Services (HHS).
In addition to keeping an eye out for these counterfeit postcards, the OCR recommends verifying any and all “government” communications to ensure they’re actually official and alerting all staff members to do the same. They suggest looking for the OCR email address, which will end in @hhs.gov, and recommend asking for a verification email from the OCR investigator’s hhs.gov email address. The OCR also provides the addresses for their HQ and Regional Offices which can be found at https://www.hhs.gov/ocr/about-us/contact-us/index.html and should be confirmed are properly listed in any communications received.
This isn’t the first and probably won’t be the last time we receive alerts of these types of HIPAA scams. Back in August of last year, a similar incident occurred where fraudulent postcards labeled on the OCR’s behalf were notifying healthcare organizations to complete a mandatory HIPAA compliance risk assessment and directing them to another marketing consulting service website. So while fake postcards seem to be a common approach, it’s important to be aware of any and all types of HIPAA scams, especially as hackers and other organizations with malicious intent get more and more creative in their efforts.
Though this postcard is by no means an official communication from the government, the mandatory Security Risk Analysis (SRA) at its focus should not be overlooked. So if fulfilling this HIPAA requirement brings more cause for concern than the scam itself, you’re not alone. In fact, the OCR’s latest audit industry report found that only 14% of covered entities and 17% of business associates had a proper SRA in place. So if your practice falls into the large majority of those that aren’t up to these HIPAA standards, this OCR alert should give you even more reason to do so and a software solution like Abyde gives you all the tools and resources needed to get there.