Misleading Postcards Being Sent as Official Communication

OCR has been made aware of postcards being sent to health care organizations informing the recipients that they are required to participate in a “Required Security Risk Assessment” and they are directed to send their risk assessment to www.hsaudit.org.  This link directs individuals to a non-governmental website marketing consulting services.

Please be advised that this postcard notification did not come from OCR or the U.S. Department of Health and Human Services.  This communication is from a private entity – it is NOT an HHS/OCR communication.  HIPAA covered entities and business associates should alert their workforce members to this misleading communication.  Covered entities and business associates can verify that a communication is from OCR by looking for the OCR address or email address, which will end in @hhs.gov, on any communication that purports to be from OCR, and asking for a confirming email from the OCR investigator’s hhs.gov email address.  The addresses for OCR’s HQ and Regional Offices are available on the OCR website at https://www.hhs.gov/ocr/about-us/contact-us/index.html, and all OCR email addresses will end in @hhs.gov.  If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov.

Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation. 

OCR Right of Access Enforcement

The Office for Civil Rights (OCR) has been aggressively pursuing enforcement actions, with civil monetary penalties, regarding patients’ right of access to their records.  As part of OCR’s Phase 2 audits, the agency has fulfilled its promise to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged. 

A 2019 study published by medRxiv (https://www.medrxiv.org/content/10.1101/19004291v1) found that more than 50% of the providers evaluated were not fully compliant with access requirements or it took multiple requests to obtain records as required. Additionally, 24% did not appear to be aware of fee limitations for providing medical record copies.

Pending Regulatory Actions

While studies and increased enforcement have uncovered issues with patients being able to obtain copies of records, HHS has published proposed changes to the Privacy Rule that will enhance requirements for timeliness of access, allowable fees for copies of medical records, strengthened right of inspection, and advance notice for access and fees.  HHS’ proposed modifications to the Privacy Rule will provide patients with more and stronger rights for obtaining information in their medical records.

Practices need to familiarize themselves with current rights that are granted to patients and their representatives.  Additionally, there is a need to monitor changes that will be implemented in the next 12 to 18 months. Eagle Associates will be publishing updates in the Advisor® as well as providing new policies and procedures to ensure compliance. Now is the time to review existing procedures to ensure compliance with right of access requirements.


Note:  If you subscribe to Eagle Associates’ HIPAA Compliance System, there are policies for Right of Access (Section 3.15) and Copies of Protected Health Information (Section 3.15d).

For detailed information about the right of access, refer to the article “OCR Enforcement of Patient Right of Access” on page 9 of the February 2020 issue of the Advisor®.