Misleading Postcards Regarding Security Risk Assessments are NOT from OCR
Health & Life Sciences 04/26/21 Rachel Weiss
The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued an alert on April 26, 2021 warning that a private entity has circulated postcards instructing health care organizations to participate in a “Required Security Risk Assessment” and send their risk assessments to www.hsaudit.org. OCR is warning health care entities that the postcard notification was not sent or sanctioned by OCR, and the website link will take individuals to a non-governmental marketing website. OCR recommends that covered entities notify their workforce members about this misleading communication.
As a general matter, covered entities and business associates can always verify whether a communication is from OCR by:
- Looking for the OCR address or email address, which will always end in @hhs.gov, on the communication; and
- Asking for a confirming email from the OCR investigator’s hhs.gov email address.
If you have any additional questions about OCR’s alert or when a risk assessment is required, contact your Quarles & Brady attorney or:
- Rachel Weiss: (414) 277-5829 / [email protected]