Postcard disguised as OCR communication invites health care entities to participate in required risk assessment

April 27, 2021

Health care organizations are receiving postcards disguised as official communications from the Department of Health and Human Services’ Office for Civil Rights, according to an alert the OCR issued yesterday. 

The misleading postcard tells recipients that they must participate in a “required security risk assessment” and directs them to send their risk assessment to a nongovernmental website that markets consulting services. The website address contains “hsaudit” and uses the .org domain name extension.

“Please be advised that this postcard notification did not come from the OCR or the U.S. Department of Health and Human Services,” the OCR alert states. 

Software installed on some users’ computers may recognize the nongovernmental website address as a phishing attempt and block users’ access to the website for the organization’s security.

OCR adds that HIPAA-covered entities and business associates should alert their employees about the misleading communication. Recipients of any postcard or email that claims to be from the OCR should examine the communication for the OCR physical address or email address, which will end in

The Federal Trade Commission offers small businesses tips and advice for spotting and avoiding phishing.

CDA has resources to help HIPAA-covered dental practices understand and comply with the HIPAA security rule and required risk analysis.
