Most people are aware of misleading communications from third parties. They are created to look as official as possible, and many are under the impression that these communications are from official government entities and require action be taken to ensure compliance. While most of these communications are sent via digital media like email, a new scam has arisen utilizing a less sophisticated avenue.
According to an article on Health IT News, on August 9th, 2020, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services sent a warning out to hospitals and health systems regarding a HIPAA compliance scam involving postcards. It notes that OCR is "aware of postcards being sent to health care organizations disguised as official OCR communications, claiming to be notices of a mandatory HIPAA compliance risk assessment."
How The Scam Works and What to Watch For
It is important for hospitals and healthcare systems to know the details of the scam and what to watch for. Here are the details:
- Postcard is addressed to "HIPAA Compliance Officer"
- Postcard claims that the hospital or healthcare system must perform a "required" HIPAA compliance risk assessment
- Recipient is prompted to utilize the URL provided, or to contact them via email or phone
- The link provided directs the individuals to a non-governmental website marketing consulting services
OCR officials note some key indications to look for:
According to OCR officials, "HIPAA covered entities and business associates should alert their workforce members to this misleading communication. This communication is from a private entity – it is NOT an HHS/OCR communication."
The agency notes that covered entities and business associates should check to verify that any communication claiming to be from OCR is legitimate by looking for the OCR address or email address.
"The addresses for OCR’s HQ and Regional Offices are available on the OCR website and all OCR email addresses will end in @hhs.gov," officials said. "If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov. Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation."
While these postcards are scam attempts by companies looking to generate new business, it is a lesson for hospitals and healthcare systems to be vigilant about suspicious communications, as they have led to data breaches and hefty fines. Healthcare fraud, especially during the COVID-19 pandemic, remains prevalent and affects both healthcare providers and patients. On our OrboNation Healthcare blog, we recently featured two videos from the U.S. Department of Health and Human Services: