QUESTION: We received a postcard in the mail notifying us of a mandatory HIPAA compliance risk assessment from the Secretary of Compliance, HIPAA Compliance Division. What caused our practice to be scrutinized and how should we respond?
Question from San Francisco, California subscriber
ANSWER: Unfortunately – or fortunately, you have been the target of an attempted phishing scam, not an actual government audit. The postcards are trying to lure recipients to set up risk assessments with a private company. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently warned about the HIPAA compliance fraudulent mailings.
Healthcare organizations like yours have been reporting these fraudulent communications over the past weeks. The postcards are deceptively disguised as an official notice from OCR. The alert is addressed to HIPAA Privacy and Security Officers and directs the recipient to take immediate steps to address supposed HIPAA noncompliance. The directives include calling a phone number, sending an email, or visiting a website. The website link, however, leads to a non-government website that promotes a private company’s consulting services.
Here is the example OCR circulated to alert practices to the HIPAA fraud scam: a postcard with a DC return address. It is NOT from HHS/OCR.
You can protect your practice from becoming a victim of fraud in the future by alerting staff to the misleading communication and its warning signs. An official OCR communication would include OCR’s physical address or an email address ending in @HHS.gov. Also, in the event you receive any follow-up regarding the postcard, you should report the suspected incident to the Federal Bureau of Investigation (FBI).
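The "@HHS.gov" check above is easy to apply by eye but easy to get wrong in a mail filter or intake script: a lookalike such as notreallyhhs.gov also "ends in hhs.gov" as a plain string, and a web link can put hhs.gov in the path while pointing at an unrelated host. The following Python is an added example, not code from the original answer or from OCR; it compares the sender's registered domain (hhs.gov or a real subdomain of it) rather than a raw string suffix, and applies the same rule to the host of a link. All addresses and URLs in it are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Domain that official OCR email and web links should resolve to (assumption
# drawn from the answer above: official mail ends in @HHS.gov).
OFFICIAL_DOMAIN = "hhs.gov"


def sender_domain(address):
    """Return the lowercased domain of an email address, or None if malformed."""
    if address.count("@") != 1:
        return None
    local, domain = address.rsplit("@", 1)
    domain = domain.strip().lower().rstrip(".")
    if not local or not domain or not re.fullmatch(r"[a-z0-9.-]+", domain):
        return None
    return domain


def is_official_domain(domain, official=OFFICIAL_DOMAIN):
    """True only for the official domain itself or a real subdomain of it.

    'notreallyhhs.gov' fails because the label boundary ('.') is required;
    'ocr.hhs.gov' passes because it is a genuine subdomain.
    """
    return domain == official or domain.endswith("." + official)


def classify_email(address):
    """Classify a sender address as 'official', 'suspect', or 'malformed'."""
    domain = sender_domain(address)
    if domain is None:
        return "malformed"
    return "official" if is_official_domain(domain) else "suspect"


def classify_url(url):
    """Classify a link by its host, ignoring anything in the path or query."""
    host = urlsplit(url).hostname
    if not host:
        return "malformed"
    return "official" if is_official_domain(host.lower()) else "suspect"


if __name__ == "__main__":
    # Constructed samples: one genuine-looking address and several lookalikes.
    for sample in ["privacy@hhs.gov", "OCR@HHS.GOV", "audit@notreallyhhs.gov",
                   "audit@hhs-gov.com", "ocr@hhs.gov@example.com"]:
        print(f"{sample:30} -> {classify_email(sample)}")
    for link in ["https://www.hhs.gov/ocr", "https://hhs.gov.example.com/audit",
                 "https://example.com/hhs.gov/assessment"]:
        print(f"{link:40} -> {classify_url(link)}")
```

A staff member checking a postcard by hand should apply the same rule: the part immediately before the last slash of the host, or after the @ in an address, must be exactly hhs.gov or end in ".hhs.gov"; anything else, including a convincing prefix or a hhs.gov buried in the path, is a private or unknown sender.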
For more ways to reduce your risk of being targeted for a HIPAA audit or penalty, HIPAA compliance expert and consultant Jay Hodes can help.
During his online training session, “Prevent Most Common HIPAA Violations and Massive Penalties,” he will break down the most common reasons physician practices get into HIPAA trouble.
Additional HIPAA Resources To Help Your Practice Stay Out of Trouble
HIPAA and Ransomware: Protect Against Attacks and Violation Penalties
HIPAA: Risk Assessment Requirements
Prevent Most Common HIPAA Violations and Massive Penalties