Phishing Scam Targets HIPAA Compliance Officers

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently warned healthcare providers and organizations about a new phishing scam that targets HIPAA Compliance Officers. Postcards are being mailed to various healthcare organizations that appear to be an official communication from OCR, stating that a mandatory HIPAA compliance risk assessment must be completed. The postcards are addressed to the organizations’ HIPAA Compliance Officers and claim to come from the Secretary of Compliance of the HIPAA Compliance Division, which does not actually exist.

The postcards advise recipients to visit a website to complete the “mandatory” risk assessment, but the website is a non-government site that appears to market consulting services. The postcards also include a warning that “HIPAA violations cost your practice. The federal fines for noncompliance are based on perceived negligence found within your organization at the time of the HIPAA violation.” Although the warning is somewhat valid (albeit exaggerated), the postcards are fraudulent and should be disregarded.

Healthcare organizations should remind their HIPAA Compliance Officers and other workforce members to stay vigilant about misleading communications and phishing scams. OCR also reminded healthcare organizations that any official communication from OCR would come from the following address: Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, SW, Room 509F, HHH Building, Washington, D.C. 20201. Any requests to contact OCR via email would provide an email address ending with “@hhs.gov”. If an organization receives any suspect communication, it should report it to the Federal Bureau of Investigation.