
A HIPAA fraud postcard is being sent out, first-class, to healthcare organizations. It has recently come to light that healthcare organizations have been receiving postcards that appear to come from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the enforcement arm for HIPAA. The postcard, addressed to “ATTN: HIPAA Compliance Officer,” directs recipients to call, email, or visit a website regarding a supposedly mandatory security risk assessment. Further details on the false HIPAA OCR communication are discussed below.
HIPAA Fraud OCR Communication: What Does the Postcard Contain?
The HIPAA fraud enforcement (OCR) postcard sent to healthcare providers claims to come from the Secretary of Compliance of the HIPAA Compliance Division. The problem is that no such entity exists. In addition, the fraudulent HIPAA postcard carries a return address that, upon further investigation, belongs to a UPS store in Washington, DC, although the postcard was actually postmarked in California. The OCR warned recipients, “Though the postage is marked first class, the mailer’s intent is not. In fact, it is another low-class act by scammers.”
The HIPAA Fraud Postcard Looks Like This:

What Happens When Recipients Visit the Listed Site?
The fraudulent HIPAA postcard lists a website where recipients can supposedly complete their required security risk assessment. When recipients visit the listed site, they are not taken to a government website. Instead, the link leads to a consulting service’s website. The fraudulent OCR postcard is not an OCR communication but a sales attempt. What the consulting service likely failed to realize is that impersonating a government entity is not only unethical but also illegal.
What Actions Should Postcard Recipients Take?
Any entity posing as a government agency should be reported to the FBI. Reporting these fraudulent HIPAA OCR communications helps prevent further false mailings from being sent in the future, and so keeps more organizations from being victimized by illegal business practices.
