On April 3, the Office for Civil Rights (OCR) issued an alert that an individual posing as an OCR Investigator has contacted HIPAA covered entities in an attempt to obtain protected health information (PHI). The individual identifies themselves on the telephone as an OCR investigator, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation.
HIPAA covered entities and business associates should immediately alert their workforce members and take action to verify that someone is an OCR investigator by asking for the investigator’s email address, which will end in @hhs.gov, and asking for a confirming email from the OCR investigator’s hhs.gov email address.
Verification should be a regular step in the process of making disclosures of PHI. There is no time like the present, however, for HIPAA covered entities and business associates to remind their workforce members of the basic verification requirement. They also should provide some easy-to-follow tips for verification, such as:
- Do not provide any PHI based solely on a telephone request until the request has been verified.
- Ask for the name and transaction number for the matter the caller is calling about.
- Ask the caller to provide his or her email address; it should end in @hhs.gov.
- Ask for the caller's name, title, and which OCR office he or she is calling from.
- Ask for an email from the OCR investigator confirming the nature and scope of the request.
- Ask the caller if he or she has communicated with anyone else at the organization about the matter.
- Ask for a copy of any prior written request(s) for the information; there usually is one.
- Remind workforce members about best practices for responding to phishing and spoofing attacks.
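The verification steps above can be captured as a simple intake checklist so that whoever handles such calls records the same checks every time. The following is an added example, not something from the original alert or from PrivaPlan; the field names, the sample call records and the requirement that a transaction number merely be present (OCR's actual number format is not stated here) are assumptions. One detail worth noting: "ends in @hhs.gov" has to be checked as the exact domain after the last @, because a naive suffix test would accept lookalike domains.

```python
# Added example: an intake checklist for a caller claiming to be an OCR investigator.
# Field names and the sample records below are constructed for illustration.

OCR_DOMAIN = "hhs.gov"


def email_domain_is_hhs(email: str) -> bool:
    """True only when the text after the single '@' is exactly hhs.gov.

    A substring or endswith("hhs.gov") test would accept lookalikes such as
    investigator@nothhs.gov or user@hhs.gov.example.com, so the whole domain
    is compared, case-insensitively, after trimming whitespace.
    """
    if not email or email.count("@") != 1:
        return False
    local, domain = email.rsplit("@", 1)
    return bool(local.strip()) and domain.strip().lower() == OCR_DOMAIN


def verify_ocr_caller(call: dict) -> tuple:
    """Return (blocking, warnings) for one call record.

    blocking: checks from the tip list that must pass before any PHI is released.
    warnings: items that are usually present but whose absence is not by itself
              disqualifying (a copy of a prior written request).
    """
    blocking = []
    warnings = []

    for field in ("caller_name", "caller_title", "ocr_office"):
        if not str(call.get(field, "")).strip():
            blocking.append(f"missing {field.replace('_', ' ')}")

    if not str(call.get("transaction_number", "")).strip():
        blocking.append("no OCR complaint transaction number provided")

    if not email_domain_is_hhs(str(call.get("email", ""))):
        blocking.append("caller email is not an @hhs.gov address")

    # The confirming email must itself arrive from the hhs.gov address, not just be promised.
    if not call.get("confirming_email_received", False):
        blocking.append("no confirming email received from the hhs.gov address")

    if not call.get("prior_written_request_provided", False):
        warnings.append("no copy of a prior written request; there usually is one")

    return blocking, warnings


def may_release_phi(call: dict) -> bool:
    """Release only when every blocking check has passed; warnings go to the reviewer."""
    blocking, _ = verify_ocr_caller(call)
    return not blocking


# Constructed sample records (not real people, offices or transaction numbers).
VERIFIED_CALL = {
    "caller_name": "J. Example",
    "caller_title": "Investigator",
    "ocr_office": "Example Regional Office",
    "transaction_number": "EXAMPLE-000000",
    "email": "j.example@hhs.gov",
    "confirming_email_received": True,
    "prior_written_request_provided": True,
}

SUSPECT_CALL = {
    "caller_name": "Unknown Caller",
    "caller_title": "Investigator",
    "ocr_office": "",
    "transaction_number": "",
    "email": "investigator@hhs.gov.example.com",  # lookalike domain
    "confirming_email_received": False,
    "prior_written_request_provided": False,
}

if __name__ == "__main__":
    for label, record in (("verified", VERIFIED_CALL), ("suspect", SUSPECT_CALL)):
        blocking, warnings = verify_ocr_caller(record)
        print(label, "release PHI:", may_release_phi(record))
        for item in blocking:
            print("  BLOCK:", item)
        for item in warnings:
            print("  WARN: ", item)
```

In practice the checklist result should be logged with the call so that the centralized responder, or whoever reviews the disclosure later, can see which steps were completed and which were not.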
It is recommended that covered entities and business associates centralize the function of responding to such requests in one person, a small group of workforce members, or a third party. Typically, that person, group, or third party is better trained to follow these and other best practices for verification.
Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation (FBI). The FBI issued a public service announcement about COVID-19 fraud schemes.
PrivaPlan is here to help. For questions about this latest OCR alert or HIPAA, email or call our office at 505-466-1432.