Keenan Briefings


Misleading HIPAA Postcard Warning

August 10, 2020

The HHS Office for Civil Rights (OCR) is warning businesses about a misleading postcard that is being directed specifically to those designated as HIPAA Privacy Officers. To quote the OCR's press release:

“OCR has been made aware of postcards being sent to health care organizations disguised as official OCR communications, claiming to be notices of a mandatory HIPAA compliance risk assessment. The postcards have a Washington, D.C. return address, and the sender uses the title "Secretary of Compliance, HIPAA Compliance Division." The postcard is addressed to the health care organization's HIPAA compliance officer and prompts recipients to visit a URL, call, or email to take immediate action on a HIPAA Risk Assessment. The link directs individuals to a non-governmental website marketing consulting services.

…This communication is from a private entity -- it is NOT an HHS/OCR communication.”

Below is an image of what one such communication looked like:


Although these postcards currently seem to be aimed primarily at hospitals and other health care organizations with publicly listed Privacy Officers, there is no reason why similar attempts to contact other types of employer entities could not also occur. If you receive this communication or any similar message, the OCR asks that you report it to the Federal Bureau of Investigation. Additional questions or concerns can be directed to

Finally, it should go without saying that any time you are contacted for information about your health plan's coverage, claims, or participants, you should always be extra careful to confirm that the request is legitimate and that the use or disclosure is otherwise compliant with HIPAA.

For more information, please contact your Account Manager.

Keenan & Associates is not a law firm and no opinion, suggestion, or recommendation of the firm or its employees shall constitute legal advice. Clients are advised to consult with their own attorney for a determination of their legal rights, responsibilities and liabilities, including the interpretation of any statute or regulation, or its application to the clients’ business activities.