Misleading Postcards Regarding Security Risk Assessments are NOT from OCR

Health & Life Sciences Rachel Weiss

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued an alert on April 26, 2021 warning that a private entity has circulated postcards instructing health care organizations to participate in a “Required Security Risk Assessment” and send their risk assessments to www.hsaudit.org. OCR is warning health care entities that the postcard notification was not sent or sanctioned by OCR, and the website link will take individuals to a non-governmental marketing website. OCR recommends that covered entities notify their workforce members about this misleading communication.

As a general matter, covered entities and business associates can always verify whether a communication is from OCR by:

  • Looking for the OCR address or email address, which will always end in @hhs.gov, on the communication; and
  • Asking for a confirming email from the OCR investigator’s hhs.gov email address.

If you have any additional questions about OCR’s alert or when a risk assessment is required, contact your Quarles & Brady attorney or: