The Office of Civil Rights (OCR) issued an alert on August 6, 2020, reporting that postcards impersonating the OCR are being sent to coerce compliance officers into visiting a website regarding HIPAA risk assessments. This is a marketing ploy to trick the victim into engaging in services under the guise of a directive from OCR. A risk assessment is a requirement of HIPAA as defined in §164.308(a)(1); however, HIPAA does not specifically state how often an assessment is needed or how it is to be done. Best practice is to conduct risk assessments annually or when significant changes or threats occur within or to the environment.
OCR recommends that all covered entities alert their workforce about this misleading communication. For more information and an example of the postcard, click here.