Though the postage is marked first class, the mailer’s intent is not. In fact, it is another low-class act by scammers. The United States Office for Civil Rights (OCR) released a statement on August 6 about postcards that are being sent to health care organizations disguised as official OCR communications, claiming to be notices of a mandatory HIPAA compliance risk assessment.

The return address might fool you because it is from Washington, D.C. and the sender uses the title “Secretary of Compliance, HIPAA Compliance Division.” However, since the postcard is addressed to the health care organization’s HIPAA compliance officer, it is hopeful this individual would not be fooled into following the prompts to visit a URL, call, or email to take immediate action on a HIPAA Risk Assessment. The links — which reportedly do not end in “.gov” — go to a non-governmental website marketing consulting service.

“Just like with any email phishing scheme, it’s important to verify suspect information,” said PrivaPlan’s Michaela Kahn, PhD. “Don’t use the links or phone numbers provided. In this case, you’d want to go directly to the HHS/OCR website (not using the provided URL) to check the postcard’s validity.”

The OCR advices HIPAA covered entities and business associates to alert their workforce members to this misleading communication. This communication is from a private entity and is NOT an HHS/OCR communication. Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or email address on any communication that purports to be from OCR. The addresses for OCR’s HQ and Regional Offices are available on the OCR website at https://www.hhs.gov/ocr/about-us/contact-us/index.html, and all OCR email addresses will end in @hhs.gov. The OCR said that organizations can send additional questions or concerns to: OCRMail@hhs.gov.

PrivaPlan is also here to help you. Please contact our first-class HIPAA experts at 1-877-218-7707 or info@privaplan.com.