Postcards sent to health care organizations, disguised as official communications from the U.S. Health & Human Services’ Office of Civil Rights and informing recipients that they are to complete a “Required Security Risk Assessment,” did not come from the office, HHS advised April 26 in an email blast.
The postcards told recipients that they are required to participate in a “Required Security Risk Assessment” and directed them to send their risk assessment to a non-governmental website marketing consulting service.
OCR advises entities covered by the Health Insurance Portability and Accountability Act and business associates to alert their workforce members to the misleading communication, the office said.
HIPAA-covered entities can verify that a communication is from the office by looking for the Office of Civil Rights’ address or email address — which will end in @hhs.gov — on any communication that purports to be from the office, as well as asking for a confirming email from the OCR investigator’s hhs.gov email address.
If organizations have additional questions, they can email OCRMail@hhs.gov.