HIPAA Investigation Scam Threatens Patient Privacy

As if we don’t live in challenging enough times already, there’s a fake HIPAA investigator on the loose.

The Department of Health and Human Services (HHS) has issued a notice to HIPAA Covered Entities warning of an individual posing as an investigator with its Office for Civil Rights (OCR). The OCR is the branch of HHS responsible for HIPAA enforcement and investigations.

According to HHS, the “investigator” contacts victims by phone, informing them that a HIPAA investigation has been launched involving their organization. The fraudster then asks a series of questions about patients. The HHS warning says that the goal of the fraud is to collect patient Protected Health Information (PHI).

The fake investigator provides no OCR complaint number or any other verifiable information.

A HIPAA Investigation Scam Can Be Easily Identified

Legitimate OCR investigators will provide an email address ending in “@hhs.gov.” Covered entities should always insist on a verification email sent from that official HHS address, and the email should include a valid OCR Complaint Transaction Number. Check the actual sending address rather than the display name, and make sure the domain is exactly hhs.gov, not a lookalike that merely contains it.

The investigation can be authenticated by contacting HHS by email at OCRMail@hhs.gov.

If you suspect a fraudulent investigation, HHS encourages you to contact the Federal Bureau of Investigation (FBI). According to the FBI, scams are on the rise as a result of the COVID-19 pandemic.

HIPAA Investigation Scam Among Many COVID-19 Pandemic Frauds

In addition to attempts at collecting PHI from HIPAA Covered Entities and Business Associates, email scams have been identified in which the senders claim to be from the Centers for Disease Control and Prevention (CDC). These emails carry links that purport to lead to helpful information about the coronavirus and COVID-19 but actually deliver malware.

The FBI also warns of phishing schemes designed to defraud email recipients. Phishing is the practice of sending emails crafted to look like legitimate messages from banks, businesses, government agencies, employers, or friends. The COVID-19 variants include fake donation requests and bogus offers of crisis relief, using lures such as:

  • Charitable contributions
  • General financial relief
  • Airline carrier refunds
  • Fake cures and vaccines
  • Fake testing kits

You can often spot a phishing message by comparing the sender’s display name with the actual email address shown at the top of the message. If the name and the address don’t agree, or the address sits at a domain you would not expect for that sender, treat the message as a likely phishing attempt and verify through a channel you already trust.
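As an added illustration of the two checks described on this page (the “@hhs.gov” address rule and the name-versus-address comparison), the following Python was written for this article; it is not tooling from HHS or the FBI. It parses a handful of constructed From: header values and flags the inconsistencies. The trusted domain, the sample headers and the helper names are assumptions made for the example, not real messages or real OCR addresses.

```python
"""Triage of From: headers for the two checks described on this page.

Added example for this article, not HHS or FBI tooling. Assumptions: the only
trusted domain for OCR correspondence is exactly "hhs.gov", and every header
below is constructed for illustration, not a real message.
"""
import re
from email.utils import parseaddr

# Assumption for this example; compared exactly, never as a substring.
TRUSTED_DOMAIN = "hhs.gov"

# Matches something that looks like an email address inside free text, used to
# catch display names such as "ocr@hhs.gov" that impersonate the real address.
ADDR_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample From: header values (not real messages).
SAMPLE_FROM_HEADERS = [
    '"OCR Investigator" <investigator@hhs.gov>',                   # consistent, trusted domain
    'investigator@hhs.gov',                                        # bare address, no display name
    '"ocr-investigator@hhs.gov" <ocr.office@mail-relay.example>',  # name shows one address, mail from another
    '"HHS Office for Civil Rights" <ocr@hhs.gov.example.com>',     # lookalike: hhs.gov as a prefix of another domain
    '"OCR Investigator" <investigator@hhs-gov.example>',           # lookalike: hyphen instead of dot
    'OCR Investigator',                                            # no address at all
]


def check_sender(from_header, trusted_domain=TRUSTED_DOMAIN):
    """Return (verdict, reason); verdict is "ok" or "suspicious".

    "ok" means only that the header is self-consistent and at the trusted
    domain. A forged From: header passes this test, so the authoritative step
    remains confirming the investigation through OCRMail@hhs.gov.
    """
    display, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return "suspicious", "no single parseable address in From: header"
    _, _, domain = addr.rpartition("@")

    # Check 1 (the article's advice): if the display name itself looks like an
    # address, it must be the same address the mail actually comes from.
    shown = ADDR_IN_TEXT.search(display)
    if shown and shown.group(0).lower() != addr.lower():
        return "suspicious", f"display name shows {shown.group(0)!r} but mail is from {addr!r}"

    # Check 2 (the @hhs.gov rule): exact, case-insensitive domain comparison.
    # A substring or endswith test would accept hhs.gov.example.com.
    if domain.lower() != trusted_domain.lower():
        return "suspicious", f"domain {domain!r} is not {trusted_domain!r}"

    return "ok", f"address is at {trusted_domain}; still confirm the complaint number out of band"


def triage(headers):
    """Run check_sender over many headers; returns a list of (header, verdict, reason)."""
    return [(h, *check_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, reason in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:10s} {header!r}: {reason}")
```

The exact-domain comparison is the part people get wrong: a check such as `"hhs.gov" in address` accepts `ocr@hhs.gov.example.com`, which is exactly the kind of address a scammer would register. And because the From: header is attacker-controlled, a clean result here is a reason to proceed to the out-of-band check with OCRMail@hhs.gov, not a reason to skip it.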

The FBI has created a list of common COVID-19 scams.
