The Office of Civil Rights in the US Department of Health and Human Services notified its OCR-Privacy-Listserve of fraudulent communications to health care organizations last week. Health care groups are receiving postcards claiming to be official OCR notifications of mandatory HIPAA compliance risk assessments that prompt the provider to visit a URL, call, or email.

HIPAA covered entities and business associates should alert their team members, including compliance departments, about this scam. As with all phishing scams, sensitive information can be stolen and your organization may be exposed to large monetary penalties for failing to maintain HIPAA compliant protections.

Always remember that requests for information from OCR come from their HQ and Regional Offices, which you can confirm on their website: https://www.hhs.gov/ocr/about-us/contact-us/index.html, and all OCR emails end with @hhs.gov. So check any communications twice.

To see how we can review, audit, create, and advise on your organization’s HIPAA compliance, please contact us at Newmeyer Dillion https://www.newmeyerdillion.com/savera-sandhu/.

Savera Sandhu is a partner in the Las Vegas office of Newmeyer Dillion. Savera Sandhu counsels a wide range of corporate and healthcare clients on business and litigation matters throughout the state and nationwide.  You can reach Savera at savera.sandhu@ndlf.com.