OCR Issues Warning About Misleading Postcards Sent to Compliance Officers About HIPAA Security Risk Assessments

The Department of Health and Human Services’ Office for Civil Rights has issued an alert about a potential compliance scam after multiple healthcare providers have received postcards in the mail informing them that they must conduct a HIPAA security risk assessment or risk a significant financial penalty for noncompliance.

The postcards are addressed to HIPAA compliance officers and demand that immediate action be taken to avoid a HIPAA penalty. The postcards state that, per 164.308(a)(1) of the HIPAA Security Rule, a security risk assessment is mandatory and must be performed. While a security risk assessment is indeed a requirement of HIPAA, the postcards are written in a manner that suggests OCR or the HHS sent the correspondence.

The postcards state that failing to conduct the assessment would be a violation of the HIPAA Security Rule and could attract a penalty of between $100 and $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation category.

The postcards claim to have been sent by the “Secretary of Compliance, HIPAA Compliance Division,” and carry a Washington, D.C., postal address. OCR has confirmed that no such position exists at the HHS or the Office for Civil Rights and that the postcards were not sent by OCR or the HHS.

The postcards advise HIPAA compliance officers to take immediate action by visiting a URL, calling a telephone number, or sending an email to arrange a HIPAA risk assessment. The URL supplied does not lead to a government website but to a web page marketing consulting services.

It is unclear whether this is an attempt by a private company to attract more business or part of a phishing scam. OCR is advising healthcare providers and business associates to make their workforce aware of this misleading communication, and stresses that it was sent by a private entity, not by the HHS/OCR.

Any genuine communication from HHS/OCR will clearly state the sender, will include the correct postal address, and will use contact email addresses ending in @hhs.gov. OCR advises all HIPAA covered entities and business associates to verify the legitimacy of any such communication before acting on it and to report any suspected impersonation of federal law enforcement agencies to the Federal Bureau of Investigation.