The Office for Civil Rights at the U.S. Department of Health and Human Services has warned health systems about what appears to be something of an old-fashioned and low-tech phishing attempt: fraudulent postcards, most addressed to hospital privacy officers, that warn of noncompliance with a mandatory risk assessment.
According to a report in the National Law Review, OCR on August 9 sent a listserv alert that it had become “aware of postcards being sent to health care organizations disguised as official OCR communications, claiming to be notices of a mandatory HIPAA compliance risk assessment.”
The American Hospital Association, meanwhile, notes that the cards, addressed to “HIPAA Compliance Officer,” purport to be from someone with a nonexistent title at HHS (“Secretary of Compliance, HIPAA Compliance Division”) and bear a D.C. return address that doesn’t belong to HHS.
The postcards prompt recipients to “visit a URL, call or email to take immediate action on a HIPAA Risk Assessment,” according to AHA. “The link directs individuals to a non-governmental website marketing consulting services.”
According to OCR officials, “HIPAA covered entities and business associates should alert their workforce members to this misleading communication. This communication is from a private entity – it is NOT an HHS/OCR communication.”
The agency notes that covered entities and business associates should verify that any communication claiming to be from OCR is legitimate by checking the sender's postal address or email address against OCR's own.
“The addresses for OCR’s HQ and Regional Offices are available on the OCR website and all OCR email addresses will end in @hhs.gov,” officials said. “If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov. Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation.”
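As an added illustration (not part of OCR's guidance or this report), the following Python check applies the "@hhs.gov" rule to a mail From: header the way a privacy office's mail filter might. It parses out the real address rather than searching the raw header, so a display name of "OCRMail@hhs.gov" in front of some other address, a lookalike domain, or a subdomain trick does not pass; all sample addresses other than hhs.gov are constructed.

```python
"""Sender-domain check for mail claiming to come from HHS/OCR (added example)."""
from email.utils import parseaddr

# Per the OCR alert, genuine OCR email addresses end in @hhs.gov.
OCR_MAIL_DOMAIN = "hhs.gov"


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the real address in a From: header.

    parseaddr() separates the display name from the address, so a header
    such as '"OCRMail@hhs.gov" <fake@example.invalid>' yields the fake domain.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""  # no parseable address at all
    return addr.rsplit("@", 1)[1].strip().lower()


def naive_substring_check(from_header: str) -> bool:
    """The check to avoid: a substring match on the raw header.

    It is satisfied by a spoofed display name or a lookalike domain.
    """
    return "hhs.gov" in from_header.lower()


def claims_ocr_legitimately(from_header: str) -> bool:
    """True only if the sending address's domain is exactly hhs.gov.

    Whole-domain comparison (not a suffix match) rejects lookalikes such as
    'notreallyhhs.gov' and 'hhs.gov.example.invalid'.
    """
    return sender_domain(from_header) == OCR_MAIL_DOMAIN


if __name__ == "__main__":
    # Constructed sample headers; only the first two are genuine-looking.
    samples = [
        "OCR <OCRMail@hhs.gov>",
        "ocr@HHS.GOV",
        '"OCRMail@hhs.gov" <fake@example.invalid>',
        "OCR <ocr@notreallyhhs.gov>",
        "OCR <ocr@hhs.gov.example.invalid>",
    ]
    for hdr in samples:
        print(f"{hdr!r:50} naive={naive_substring_check(hdr)} "
              f"strict={claims_ocr_legitimately(hdr)}")
```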