Beware of OCR Scam Asking for Personal Health Information
Monday, April 13, 2020
Last September, we warned you about a DEA scam that was prevalent in the healthcare industry. Not to be outdone, the scammers are now posing as investigators from the OCR seeking PHI (Protected Healthcare Information). While scams are always unsettling, now with every healthcare provided stretched to their limits physically or mentally, this scam is especially taxing to an overworked, stressed-out staff.
On April 3, the OCR issued an alert to covered entities (CE) and business associates (BA) advising that individuals are reaching out via telephone posing as an OCR investigator. However, here is what to recognize: They are not providing an OCR complaint transaction number or any other verifiable information regarding an OCR investigation.
Take Appropriate Action
HIPAA-covered entities should alert their staff and be sure to take the appropriate action if/when they receive a call from someone alleging they are an OCR investigator. Ask the investigator to provide their email address (which should end in @hhs.gov) and request a confirmation email from that specific email address. Suspected incidents of individuals posing as federal law enforcement should be reported to the FBI at www.ic3.gov. You can reach out the OCR at OCRMail@hhs.gov if you have additional questions.
Be sure your staff asks for the:
- Name, title, office location and OCR-complaint transaction number
- Caller’s email address; make sure it has an hhs.gov extension
- Email from the alleged investigator detailing the nature and scope of the request