From Nan Gallagher, Esq.
I wanted to make you aware of a new scam making the rounds. Be careful out there!
The OCR (the Office for Civil Rights, the HIPAA enforcement agency) sent an alert regarding a scheme involving postcards being sent to health care organizations informing the recipients that they are required to participate in a “Required Security Risk Assessment”. These postcard notifications DID NOT come from OCR or the U.S. Department of Health and Human Services.
The postcard directs recipients to send your risk assessment to www.hsaudit.org; this is a private website marketing consulting service which is NOT affiliated or contracted with any government agency.
This is not an authorized OCR communication. HIPAA covered entities and business associates should alert workforce members to this misleading communication. Any suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation.
Please forward this reminder to your HIPAA Compliance Officer or Security Officer. Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or email address, which will end in @hhs.gov. If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov.
If you have additional questions, feel free to call the office, (973) 998-8494.