It has come to OCR’s attention that an individual posing as an OCR Investigator has contacted HIPAA covered entities in an attempt to obtain protected health information (PHI). The individual identifies themselves on the telephone as an OCR investigator, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation.
HIPAA covered entities and business associates should alert their workforce members, and can take action to verify that someone is an OCR investigator by asking for the investigator’s email address, which will end in @hhs.gov, and asking for a confirming email from the OCR investigator’s hhs.gov email address. If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov.
Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation (FBI). The FBI issued a public service announcement about COVID-19 fraud schemes at: https://www.ic3.gov/media/2020/200320.aspx.
This notice is from the OCR-Privacy-List listserv, operated by the Office for Civil Rights (OCR) in the US Department of Health and Human Services. This is an announce-only list, a resource to distribute information about the HIPAA Privacy and Security Rules. For additional information on a wide range of topics about the Privacy and Security Rules, please visit the OCR Privacy website at https://www.hhs.gov/ocr/privacy/index.html.
You can also call the OCR Privacy toll-free phone line at (866) 627-7748. Information about OCR’s civil rights authorities and responsibilities can be found on the OCR home page at https://www.hhs.gov/ocr/office/index.html.
If you believe that a person or organization covered by the Privacy and Security Rules (a “covered entity”) violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR. For additional information about how to file a complaint, visit OCR’s web page on filing complaints at https://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.
To subscribe to or unsubscribe from the list serv, go to https://list.nih.gov/cgi-bin/wa.exe?SUBED1=OCR-PRIVACY-LIST&A=1.