Do HIPAA auditors call your office and perform a free risk assessment for you? No way – beware of deceptive phone marketing.
It’s recently come to our attention that some of our offices are receiving phone calls from solicitors that sound like they are from the Department of Health and Human Services.
The call goes something like this:
“I’m calling today to do your mandatory HIPAA Risk Assessment as required from the Department of Health and Human Service for 2016”
Now, this doesn’t outright say they are from HHS (which, by the way, doesn’t audit or enforce HIPAA; that task is for the Office for Civil Rights (OCR)), but it is carefully crafted to insinuate that the caller is a federal agency.
Phone marketing like this is nothing new — scammers claiming to be the IRS demand wire transfers or gift card payments all the time. Calls from people claiming to be from Microsoft who “monitored error messages and need to remote in to fix them right now,” while installing malware that steals your bank information, happen constantly. What is unique about this call is that, unlike the IRS or Microsoft examples, this one is a legitimate business attempting to sell a HIPAA Risk Assessment Program using deceptive sales techniques. Again, this is nothing new. We see this with credit card processors and website/email hosting providers. They come in or send an invoice, and by paying it, you have authorized the deceptive company to steal your business from the vendor you were working with. While what they are doing is not illegal, it certainly raises many concerns about ethics and the quality of the product(s) you are being switched to.
So how do you know if it’s fake?
1. With HIPAA, neither state nor federal agencies will contact you by phone — ever. All correspondence will be done either by physical mail or by email.
2. Read the fine print. With other scams and deceptive marketing, it may be more difficult to spot. All printed solicitations MUST have printed somewhere on them that they are a solicitation.
3. Be Aware. There are lots of scams out there, especially ones aimed at small businesses. If you are in doubt, get the person’s name and number and give us a call to verify. An ounce of prevention is worth a pound of cure. It takes a few minutes to verify vs. hours of headache, loss of services, downtime, and extra costs.
4. Know what you currently have in place as far as HIPAA services. If you are an active participant of ACS’s HIPAA Program, you already have one of the industry’s most thorough and complete risk assessments, in addition to all other required documentation. If you don’t, what are you waiting for?
**August 2020 Update:** For an example of what this might look and sound like, take a look at our newest post HERE. You can also see what the Office for Civil Rights (OCR) has to say about it!