On April 26, 2021, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on its OCR Security List Digest that it had been made aware of misleading postcards being sent to health care organizations. The postcards tell recipients that they must participate in a “Required Security Risk Assessment” and direct them to send their risk assessment to hsaudit.org, a non-governmental website marketing consulting services. The postcards do not come from OCR or HHS.
OCR recommends that HIPAA-covered entities and business associates alert their workforce members to this misleading communication. According to OCR, covered entities and business associates can verify that a communication is from OCR by checking the return address or the sender’s email address: a genuine OCR email address ends in @hhs.gov, not a look-alike domain that merely contains “hhs.gov” somewhere in it. They can also ask for a confirming email from the OCR investigator’s hhs.gov email address. The addresses of OCR’s headquarters and regional offices are listed on the OCR website, and contact details taken from that site, rather than from the suspicious mailing itself, are the ones to use when checking.
This is a good reminder for all HIPAA-covered entities and business associates to stay alert for phishing schemes. Typically, a bad actor running a phishing scheme tries to dupe the victim by posing as a trusted party, such as a government agency or a personal contact, and by creating a sense of obligation or urgency, as the “Required” wording on these postcards does. If you ever suspect that a communication is a phishing attempt, verify that the email address (not just the displayed sender name) or website really belongs to the entity it claims to represent, as OCR suggests above.
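The “does it end in @hhs.gov?” check that OCR suggests is easy to get wrong in a mail filter or a help-desk script: the display name of a message can be set to anything (including a string that looks like an hhs.gov address), and a domain such as hhs.gov.example.com also “ends in” hhs.gov when compared as raw text. The Python below is an added example, not code from OCR or from this post; it takes hhs.gov from the guidance above, and the sample From headers and URLs are constructed for illustration. It extracts the routable address from a From header, applies an exact-domain or proper-subdomain comparison, and does the same host check for a URL such as the one printed on the postcard.

```python
"""Check whether a sender address or a URL really belongs to hhs.gov.

Added example for the OCR alert above; not OCR's or HHS's own tooling.
"""
import re
from urllib.parse import urlsplit

# The only domain a genuine OCR communication uses, per the OCR guidance above.
TRUSTED_DOMAINS = frozenset({"hhs.gov"})

# Conservative addr-spec: exactly one '@' and a dotted domain of letters,
# digits and hyphens. Anything else is treated as "no usable address".
_ADDR_SPEC = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")
# The angle-bracketed part of a From header is the routable address;
# everything before it is a free-text display name.
_ANGLE_ADDR = re.compile(r"<([^<>]*)>\s*$")


def domain_is_trusted(domain):
    """True only for hhs.gov itself or a proper subdomain (e.g. mail.hhs.gov).

    'hhs.gov.example.com' and 'notreally-hhs.gov' both fail, even though a
    naive str.endswith('hhs.gov') would accept them.
    """
    d = domain.strip().lower().rstrip(".")
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)


def sender_address(from_header):
    """Return the routable address in a From header, or None if there is none.

    The display name is ignored, so '"ocr@hhs.gov" <x@example.com>' yields
    x@example.com: that is where a reply would actually go.
    """
    header = from_header.strip()
    match = _ANGLE_ADDR.search(header)
    addr = match.group(1).strip() if match else header
    return addr if _ADDR_SPEC.match(addr) else None


def sender_domain(from_header):
    """Domain part of the routable address, lower-cased, or None."""
    addr = sender_address(from_header)
    return addr.rsplit("@", 1)[1].lower() if addr else None


def from_header_is_trusted(from_header):
    """True if the message's routable sender address is on hhs.gov."""
    domain = sender_domain(from_header)
    return domain is not None and domain_is_trusted(domain)


def url_is_trusted(url):
    """True only if the URL's host is hhs.gov or a subdomain.

    Userinfo tricks such as https://hhs.gov@hsaudit.org/ resolve to
    hsaudit.org, because urlsplit treats 'hhs.gov' as the username there.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    return parts.hostname is not None and domain_is_trusted(parts.hostname)


if __name__ == "__main__":
    # Constructed sample headers and URLs (not real messages).
    samples = [
        '"OCR Investigator" <jane.doe@hhs.gov>',      # genuine form
        '"ocr@hhs.gov" <attacker@example.com>',       # spoofed display name
        "OCR <ocr@hhs.gov.example.com>",              # look-alike subdomain
        "ocr@hhs.gov <attacker@example.com>",         # bare address as display name
        "Required Security Risk Assessment",          # no address at all
    ]
    for h in samples:
        print(f"{from_header_is_trusted(h)!s:5}  {h}")
    for u in ("hsaudit.org", "https://www.hhs.gov/ocr/", "https://hhs.gov@hsaudit.org/"):
        print(f"{url_is_trusted(u)!s:5}  {u}")
```

This only catches look-alike and display-name tricks. A From header can also be forged outright, so the check is worth pairing with SPF/DKIM/DMARC results on the message and, as OCR advises, with a confirming email from the investigator's hhs.gov address or a call to an office number taken from the OCR website rather than from the suspicious mailing.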