Alert: Postcard Disguised as Official OCR Communication

Situation Report | August 24, 2020

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) is alerting providers of postcards being sent to health care organizations disguised as official OCR communications and claiming to be notices of a mandatory HIPAA compliance risk assessment.

The postcards have a Washington, D.C. return address, and the sender uses the title “Secretary of Compliance, HIPAA Compliance Division.”

The postcard is addressed to the health care organization’s HIPAA compliance officer and prompts recipients to visit a URL, call, or e-mail to take immediate action on a HIPAA Risk Assessment. The link directs individuals to a non-governmental website marketing consulting services.

HIPAA-covered entities and business associates should alert their workforce members to this misleading communication. Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or e-mail address on any communication that purports to be from OCR.

The addresses for OCR’s headquarters and Regional Offices are here. If organizations have additional questions or concerns, they should send an e-mail to