By Mike Miliard
Healthcare IT News
August 11, 2020
The Office for Civil Rights at the U.S. Department of Health and Human Services has warned health systems about what appears to be something of an old-fashioned and low-tech phishing attempt: fraudulent postcards, most addressed to hospital privacy officers, that warn of noncompliance with a mandatory risk assessment.
According to a report in the National Law Review, OCR on August 9 sent a listserv alert that it had become “aware of postcards being sent to health care organizations disguised as official OCR communications, claiming to be notices of a mandatory HIPAA compliance risk assessment.”
The American Hospital Association, meanwhile, notes that the cards, addressed to “HIPAA Compliance Officer,” purport to be from someone with a nonexistent title at HHS (“Secretary of Compliance, HIPAA Compliance Division”) and bear a D.C. return address that doesn’t belong to HHS.