HIPAA Postcard Scam: Communication Alert from OCR for Organizations


A fraudulent HIPAA postcard is being sent, first-class, to healthcare organizations.

It has recently come to light that healthcare organizations have been receiving postcards appearing to be from the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), the enforcement arm for HIPAA. The postcard, addressed as “ATTN: HIPAA Compliance Officer,” directs recipients to call, email, or visit a website regarding a mandatory security risk assessment. Further details on the false HIPAA OCR communication are discussed below.

Fraudulent HIPAA Communication: What Does the Postcard Contain?

The fraudulent HIPAA enforcement (OCR) postcard sent to healthcare providers seems to be coming from the Secretary of Compliance of the HIPAA Compliance Division. The problem is, there is no such entity. In addition, the fraudulent HIPAA postcard has a return address that, upon further investigation, belongs to a UPS store in Washington DC, although the postcard was actually postmarked in California. The OCR warned recipients, “Though the postage is marked first class, the mailer’s intent is not. In fact, it is another low-class act by scammers.”

The fraudulent HIPAA postcard looks like this:

Fraudulent OCR Communication Alert

What Happens When Recipients Visit the Listed Site?

The fraudulent postcard lists a website that recipients can visit to complete their required security risk assessment. When recipients visit the listed site, the link does not direct them to a government website. Instead, it leads to a consulting service’s website. The fraudulent OCR postcard is not an OCR communication, but rather a sales attempt. What the consulting service likely failed to realize is that not only is impersonating a government entity unethical, it is also illegal.

What Actions Should Postcard Recipients Take?

Any entity posing as a government agency should be reported to the FBI. Reporting these fraudulent OCR communication incidents prevents further false communications from being sent in the future, thus preventing more organizations from being victimized by illegal business practices.

HIPAA Resources

Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!

