Misleading Postcards Regarding Security Risk Assessments are NOT from OCR

Newsletter

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued an alert on April 26, 2021 warning that a private entity has circulated postcards instructing health care organizations to participate in a “Required Security Risk Assessment” and send their risk assessments to www.hsaudit.org. OCR is warning health care entities that the postcard notification was not sent or sanctioned by OCR, and the website link will take individuals to a non-governmental marketing website. OCR recommends that covered entities notify their workforce members about this misleading communication.

As a general matter, covered entities and business associates can always verify whether a communication is from OCR by:

  • Looking for the OCR address or email address, which will always end in @hhs.gov, on the communication; and
  • Asking for a confirming email from the OCR investigator’s hhs.gov email address.

If you have any additional questions about OCR’s alert or when a risk assessment is required, contact your Quarles & Brady attorney or:

Follow Quarles

Subscribe Media Contact
Back to Main Content

We use cookies to provide you with the best user experience on our website and to analyze statistics related to our website. To understand more about how we use cookies, or for instructions to change your preference and browser settings, please see our Privacy Notice. Please note that if you choose to reject cookies, doing so may impair some of our website's functionality.