Scam targets HIPAA officers with fake postcards
The U.S. Office for Civil Rights (OCR) is warning of a scam in which health care organizations receive postcards disguised as OCR communications that claim to be notices of a mandatory HIPAA compliance risk assessment. The postcards have a Washington, D.C. return address, and the sender uses the title “Secretary of Compliance, HIPAA Compliance Division.” The postcards are addressed to health care organizations’ HIPAA compliance officers and prompt recipients to visit a URL, call or email to take immediate action on a HIPAA risk assessment. The link directs individuals to a non-governmental website marketing consulting services. 

HIPAA-covered entities and business associates should alert their workforce members to this misleading communication. This communication is from a private entity – it is NOT an HHS/OCR communication. Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or email address on any communication that purports to be from OCR. The addresses for OCR’s HQ and Regional Offices are available on the OCR website, and all OCR email addresses will end in @hhs.gov. Questions and concerns should be emailed to OCRMail@hhs.gov.