New Mail SCAM Targeted at HIPAA Security, Privacy, and Compliance Officers: HIPAA & HITECH Act Blog by Jonathan P. Tomes

The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has warned health care organizations about a potential phishing scam conducted by mail that was designed to scare compliance officers into visiting a website or taking other immediate action with respect to an alleged mandatory HIPAA risk assessment.

The scammers sent postcards appearing to be from OCR, specifically from the nonexistent Secretary of Compliance of the HIPAA Compliance Division, stating that covered entities had to complete a compliance risk analysis or face a fine for noncompliance. The card noted the range of civil money penalties (“CMPs”) with the maximum of $1.5 million a year for identical violations.

The communication asks HIPAA compliance officers to visit a link to a marketing consulting service that is a nongovernmental entity. OCR has advised all covered entities to alert their workforce members about the misleading communication, which appears to have been sent by a private company. OCR stressed that this communication was not sent by HHS or OCR.

OCR advised HIPAA covered entities and business associates to take steps to verify the legitimacy of any communication that claims to be from HHS or OCR, and explained that any written communications from OCR will include the following address:

Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Room 509F, HHH Building
Washington, D.C. 20201

Any legitimate request to make contact via email will provide an email address for contact that has an @hhs.gov suffix.
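Checking that suffix is easy to get wrong: a plain "ends with hhs.gov" test accepts lookalikes such as ocr-hhs.gov, and a display name can say one thing while the actual address says another. The following Python is an added illustration, not part of this blog post or of OCR's alert; it takes hhs.gov as the legitimate domain (the assumption stated above) and parses the real address out of a From: header so that only hhs.gov itself, or a subdomain of it, passes. The sample headers and every address in them are constructed for the example and are hypothetical.

```python
# Added example (not from the blog post or from OCR): verify that the
# sender of an email really belongs to the hhs.gov domain, rather than
# merely containing the text "hhs.gov" somewhere in the header.
from email.utils import parseaddr

LEGITIMATE_DOMAIN = "hhs.gov"  # assumption: the suffix genuine OCR mail carries


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of the address in a From: header.

    parseaddr() separates the display name from the angle-bracket address,
    so '"OCR" <x@evil.example>' yields 'evil.example' even when the display
    name mentions hhs.gov. parseaddr() is lenient, though: for a header like
    'a@hhs.gov <b@evil.example>' it returns the first address it sees. Such
    ambiguous headers (more than one '@') are therefore failed closed here.
    Returns '' when no single well-formed address is present.
    """
    if from_header.count("@") != 1:
        return ""
    _display_name, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return ""
    return domain.lower().rstrip(".")


def is_hhs_sender(from_header: str) -> bool:
    """True only if the sender's domain is hhs.gov or a subdomain of it.

    Comparing whole DNS labels is what rules out 'notice@xhhs.gov' and
    'notice@ocr-hhs.gov', both of which a naive addr.endswith("hhs.gov")
    check would accept.
    """
    domain = sender_domain(from_header)
    return domain == LEGITIMATE_DOMAIN or domain.endswith("." + LEGITIMATE_DOMAIN)


# Constructed sample From: headers mapped to the expected verdict.
# All addresses are hypothetical; none is a real sender.
SAMPLE_HEADERS = {
    "OCR Notice <ocrmail@hhs.gov>": True,
    "OCR <compliance@ocr.hhs.gov>": True,                       # subdomain of hhs.gov
    '"Secretary of Compliance, HIPAA Compliance Division" <notice@hipaa-audit.example>': False,  # official-looking name, unrelated domain
    "Secretary of Compliance <notice@hhs.gov.hipaa-audit.example>": False,  # hhs.gov as a prefix, not the domain
    "Compliance Division <notice@ocr-hhs.gov>": False,          # lookalike domain
    "notice@xhhs.gov": False,                                   # passes a naive endswith("hhs.gov")
    "ocrmail@hhs.gov <notice@hipaa-audit.example>": False,      # ambiguous header, failed closed
}


def classify_samples() -> dict:
    """Run the check over the constructed samples; maps header -> verdict."""
    return {hdr: is_hhs_sender(hdr) for hdr in SAMPLE_HEADERS}


if __name__ == "__main__":
    for hdr, verdict in classify_samples().items():
        print(f"{'HHS' if verdict else 'NOT HHS':8} {hdr}")
```

A From: address that passes this check is necessary but not sufficient: the header itself can be forged, so the check belongs alongside the mail gateway's SPF, DKIM and DMARC results, and the safest verification of any message claiming to be from OCR is still to contact OCR through a published telephone number or address rather than through anything in the message.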

The impersonation of federal law enforcement is a crime, and those suspecting such a communication should report it to the Federal Bureau of Investigation.

Having defended a number of covered entities and business associates for alleged HIPAA violations, I can attest that OCR will not use a postcard to inform a covered entity of a HIPAA compliance issue, and even a letter should be viewed with suspicion and its authenticity verified.

Getting such a notice can be scary, but treat it the same as getting a new, apparently seriously ill patient. Do an assessment before taking action!

Alice here: Thank you for reading our blog posts, listening to Jon’s webinars, and buying our HIPAA compliance books and other tools. We appreciate your business. Please stay safe out there!


On August 23rd, 2020, posted in: HIPAA Compliance Blog by