June 13, 2021

Volume XI, Number 164


June 11, 2021


HHS Advises on Fraudulent Postcard Disguised as Official OCR Communication

On April 26, 2021, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced on its OCR Security List Digest that OCR had been made aware of misleading postcards being sent to health care organizations. The postcards inform recipients that they must participate in a “Required Security Risk Assessment” and direct them to send their risk assessment to hsaudit.org, a non-governmental website marketing a consulting service. The postcard notification does not come from OCR or HHS.

OCR has recommended that HIPAA-covered entities and business associates alert their workforce members to this misleading communication. According to OCR, covered entities and business associates can verify that a communication is from OCR by checking for the OCR address or an email address ending in @hhs.gov. They can also ask for a confirming email from the OCR investigator’s hhs.gov email address. The addresses of OCR’s headquarters and regional offices are available on the OCR website.

This is a good reminder to all HIPAA-covered entities and business associates to be on the lookout for phishing schemes. Typically, a bad actor engaging in a phishing scheme will attempt to dupe the potential victim by posing as a trusted party, such as a government agency or a personal contact. If you ever suspect that a communication is a phishing scheme, verify, as OCR suggests above, that the sender’s address actually belongs to the entity it purports to represent.

© 2021 Dinsmore &amp; Shohl LLP. All rights reserved. National Law Review, Volume XI, Number 130



About this Author

Jared Bruce, Dinsmore Law Firm, Cincinnati, Corporate and Health Care Law Attorney

Jared focuses his practice on various health care law matters, including regulatory compliance, transactional matters and cybersecurity.  His prior experience includes serving as in-house counsel for a large non-profit managed care plan.

He drafts and negotiates complex health care-related contracts involving information technology (software licenses and professional service agreements), provider agreements, data sharing agreements and Business Associate Agreements. Jared’s practice includes advising payers, hospitals and providers on compliance...

Jennifer Mitchell, Health Care Practice Group Partner, Dinsmore & Shohl LLP

Jennifer is a Partner in the Health Care Practice Group and leads the firm’s HIPAA Privacy and Security practice and initiatives. In her HIPAA practice, she works with clients to minimize the risk of privacy and data security issues, assisting with all aspects of HIPAA privacy and security compliance, governance, audits/investigations, breach analyses, training and strategic planning. She has a thorough understanding of federal and state privacy and confidentiality laws and has served as a health care privacy expert witness. 

Within the...