ELEVATE YOUR HIPAA COMPLIANCE: Explore Our Enhanced Toolkit Today
Access Toolkit
Purchase Toolkit
Back to Blog

OCR Warns There is an Individual Posing as OCR Investigator

On April 3, the Office for Civil Rights (OCR) issued an alert that an individual posing as an OCR Investigator has contacted HIPAA covered entities in an attempt to obtain protected health information (PHI). The individual identifies themselves on the telephone as an OCR investigator, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation.

HIPAA covered entities and business associates should immediately alert their workforce members and take action to verify that someone is an OCR investigator by asking for the investigator’s email address, which will end in @hhs.gov, and asking for a confirming email from the OCR investigator’s hhs.gov email address.

Verification should be a regular step in the process of making disclosures of PHI. There is no time like the present, however, for HIPAA covered entities and business associates to remind their workforce members of the basic verification requirement. They also should provide some easy to follow tips for verification, such as:

  • Do not provide any PHI information based solely on a telephone request until verified.
  • Ask for the name and transaction number for the matter the caller is calling about.
  • Ask for the caller to provide his or her email address, it should end in @hhs.gov.
  • Ask the caller’s name, title, and what OCR office they are calling from.
  • Ask for an email from the OCR investigator confirming the nature and scope of the request.
  • Ask the caller if he or she has communicated with anyone else at the organization about the matter.
  • Ask for a copy of any prior written request(s) for the information, there usually is one.
  • Remind workforce members about best practices for responding to phishing and spoofing attacks.

It’s recommended that covered entities and business associates centralize the function of responding to such requests to one person, a small group of workforce members, or a third party. Typically, that person, group, or third party is better trained to follow these and other best practices for verification.

Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation (FBI). The FBI issued a public service announcement about COVID-19 fraud schemes.

PrivaPlan is here to help. For questions about this latest OCR alert or HIPAA, email or call our office at 505-466-1432.

Related Posts

Recent Posts

Categories
Tags
AI Articles artificial intelligence Blog board Breach business associate CISO cyber risk cybersecurity cybersecurity awareness training electronic medical records email breach executive order Federal HIPAA Changes Final Rule health care health privacy HIPAA hipaa compliance HIPAA Training Meaningful Use Medicare multi-factor authentication OCR ONC passwords PHI phishing Policies & Procedures policies and procedures Privacy Quotes Ransomware Security Security Risk Analysis security training Service Technology Testimonials toolkit Training Materials two-step authentication website analytics website trackers

Get Started Today

Email us at info@privaplan.com or submit the form below:

Sign Up for Updates

Contact PrivaPlan

Telephone Sales & Support
505-466-1432  or
Toll Free: 1-877-218-7707
Fax: 505-466-3942

E-Mail Sales & Support
Customer Support: support@PrivaPlan.com
Sales: orders@PrivaPlan.com

Mailing Address:
PrivaPlan
5 Caliente Rd, Ste 3,
Santa Fe, NM 87508

© 2024 PrivaPlan Associates, Inc, all rights reserved.

FOLLOW US

Linkedin Envelope

Access PrivaPlan Toolkit

Click here to access

Access CMA-PrivaPlan Toolkit

Click here to access

Sign up for updates

  • Be Proactive In Compliance

Sign up. Learn about Compliance

Subscribe now for up-to-date information about privacy & security compliance! You’ll receive emails regarding news about compliance & alerts for new blog posts.