Privacy Officer's Roundtable

OCR Alert - phony postcard

  • 1.  OCR Alert - phony postcard

    Posted 08-06-2020 03:08 PM

    Alert: Postcard Disguised as Official OCR Communication

    August 6, 2020

    OCR has been made aware of postcards being sent to health care organizations disguised as official OCR communications, claiming to be notices of a mandatory HIPAA compliance risk assessment.  The postcards have a Washington, D.C. return address, and the sender uses the title "Secretary of Compliance, HIPAA Compliance Division." The postcard is addressed to the health care organization's HIPAA compliance officer and prompts recipients to visit a URL, call, or email to take immediate action on a HIPAA Risk Assessment.  The link directs individuals to a non-governmental website marketing consulting services.


    The postcard below is not from HHS/OCR.

     Phoney OCR Postcard


    HIPAA covered entities and business associates should alert their workforce members to this misleading communication.  This communication is from a private entity – it is NOT an HHS/OCR communication.  Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or email address on any communication that purports to be from OCR.  The addresses for OCR's HQ and Regional Offices are available on the OCR website at, and all OCR email addresses will end in  If organizations have additional questions or concerns, please send an email to:

    Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation.

    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho

    Anything I say is my sole opinion and not of my company.
    SCCE Membership

  • 2.  RE: OCR Alert - phony postcard

    Posted 08-06-2020 03:31 PM

    Wow!  Thank you Carl!


    ******************************************* This message and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

    SCCE Membership

  • 3.  RE: OCR Alert - phony postcard

    Posted 08-07-2020 08:22 AM
    I saw this yesterday and thought that some companies/individuals will try anything to get a client.  Not very professional.

    Lloyd Hemmert
    Compliance & Ethics Officer
    Hill Country MHDD Centers

    SCCE Membership