April 3, 2020
The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a warning that it has received reports that someone has been impersonating an OCR inspector in an effort to access HIPAA Protected Health Information (PHI).
According to the agency: “The individual identifies themselves on the telephone as an OCR investigator, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation. HIPAA covered entities and business associates should alert their workforce members, and can take action to verify that someone is an OCR investigator by asking for the investigator’s email address, which will end in @hhs.gov, and asking for a confirming email from the OCR investigator’s hhs.gov email address. If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov.”
HIPAA Covered Entity and Business Associate clients interested in receiving security and privacy updates directly from OCR can sign up here.