Postcard Disguised as Official OCR Communication

The U.S. Department of Health & Human Services Office for Civil Rights (OCR) has issued a warning after discovering that misleading postcards are being sent to health care organizations under the guise of an official OCR announcement. The postcards come from a private entity and are NOT endorsed by or affiliated with HHS/OCR.

The postcards in question carry a Washington, D.C. return address, are directed to the attention of “Secretary of Compliance, HIPAA Compliance Division,” and claim to be notices of a mandatory HIPAA compliance risk assessment. Typically, the postcard is addressed to the health care organization’s HIPAA compliance officer and prompts the recipient to visit a URL, call, or email to take immediate action on a HIPAA Risk Assessment. The link leads to a non-governmental website marketing consulting services.

Covered entities and business associates should alert their employees to this issue and note that official communications regarding the HIPAA audit program are sent to selected auditees from the email address [email protected]

In the event that you or your organization has a question as to whether it has received an official communication from the OCR regarding a HIPAA audit, always verify that the communication is indeed from OCR by looking for the website, return address, etc. The addresses for OCR’s HQ and Regional Offices are available on the OCR website at, and all OCR email addresses will end in

The Spectra Networks team is here to assist your organization with the tools and training needed to help employees identify phishing, vishing, and smishing attacks. To learn more about our security awareness training, audits, and managed cybersecurity offerings, please get in touch with us today.


Need Support? Schedule your Free Consultation Today.