MEMBER ALERT - Postcard Disguised as Official OCR Communication

April 27, 2021

OCR has been made aware of postcards being sent to health care organizations informing the recipients that they are required to participate in a “Required Security Risk Assessment” and they are directed to send their risk assessment to www.hsaudit.org. The link directs individuals to a non-governmental website marketing consulting services.

Please be advised that this postcard notification did not come from OCR or the U.S. Department of Health and Human Services. This communication is from a private entity – it is NOT an HHS/OCR communication.

HIPAA covered entities and business associates should alert their workforce members to this misleading communication. Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or email address, which will end in @hhs.gov, on any communication that purports to be from OCR, and asking for a confirming email from the OCR investigator’s hhs.gov email address.

The addresses for OCR’s HQ and Regional Offices are available on the OCR website, and all OCR email addresses will end in @hhs.gov. If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov.

Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation.