The Office for Civil Rights (OCR) in the US Department of Health and Human Services issued an alert on Friday, April 3, 2020, regarding an individual who has been contacting HIPAA covered entities posing as an OCR investigator in an attempt to obtain protected health information.

The imposter does not provide an OCR compliant transaction number or any other verifiable information relating to an OCR investigation.

The OCR advises that covered entities and business associates notify their workforces immediately and take action to verify that someone is an OCR investigator by:

  • asking for the investigator’s email address, which will end in, and
  • ask for a confirming email from the OCR investigator’s email address prior to disclosing PHI.

If organizations have additional questions or concerns, please send an email to