The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a scam alert on August 6 warning of postcards disguised as official OCR communications. The postcards claim to be notices of a mandatory HIPAA compliance risk assessment. Be aware that the postcard is NOT from OCR; according to the alert, it appears to originate from a private, non-governmental entity marketing consulting services through its website.
Medical practices should be aware of this new scam and notify their workforce about the misleading communication. OCR provided an example of the postcards, below, which can be identified by the following characteristics:
- Appears to be sent from the Secretary of Compliance, HIPAA Compliance Division
- Washington, D.C. return address
- Addressed to recipient organization’s HIPAA Compliance Officer
- Asks recipient to visit a URL, call or email to take immediate action on a HIPAA Risk Assessment
- The link directs individuals to a non-governmental website
HIPAA Security Rule
The HIPAA Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” Annually performing an accurate and thorough risk analysis, as defined in HIPAA, is one of four required implementation specifications under this standard.
When performing these analyses, organizations may wish to consider some or all of the following questions:
- Have you identified the e-PHI within your organization, including PHI that you create, receive, maintain or transmit?
- What are the external sources of e-PHI? For example, do your vendors or consultants create, receive, maintain or transmit e-PHI?
- What are the human, natural, and environmental threats to your information systems that contain e-PHI?
These risk analyses are not only required to be performed annually; they are also useful tools for reaching substantial compliance with many other HIPAA standards and implementation specifications. For example, organizations may use the information gathered from their risk analyses to:
- Design appropriate personnel screening processes
- Identify what data to back up, and how
- Decide whether and how to use encryption
- Address what data must be authenticated in particular situations to protect data integrity
- Determine the appropriate manner of protecting health information transmissions
If you’d like to make this easier on your team, or have any questions or concerns on these requirements, please feel free to reach out to Jeff Miller, Director-in-Charge of Granite GRC. We’re happy to talk through your questions and challenges!