- HHS is currently conducting HIPAA compliance audits.
- HHS uses email to communicate with HIPAA entities that have been selected for audit.
- HHS issued an alert notifying HIPAA entities about a phishing email purporting to be from OCR, which directs individuals to a non-governmental website.
- Carefully review any communications you receive that appear to be from OCR.
- If you are questioning whether an email is legitimate, contact OCR.
- If the email is from OCR, respond promptly in order to meet audit deadlines.
The Department of Health and Human Services (HHS) is warning HIPAA covered entities and business associates about a phishing email that disguises itself as an official communication from HHS’ Office for Civil Rights (OCR) regarding its HIPAA audit program.
According to OCR’s alert, the phishing email appears to be an official government communication, and targets employees of HIPAA covered entities and business associates. The email prompts recipients to click a link regarding possible inclusion in the HIPAA audit program. The link directs individuals to a non-governmental website marketing a firm’s cyber security services. This firm is not associated with HHS or OCR.
The phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. This differs only subtly from the official email address for the HIPAA audit program, OSOCRAudit@hhs.gov, and such subtle differences are typical of phishing scams.
Covered entities and business associates should be aware of this issue and take note that official communications regarding the HIPAA audit program are sent from the email address OSOCRAudit@hhs.gov. If you have a question as to whether you have received an official communication from OCR regarding a HIPAA audit, you should contact OCR via email at OSOCRAudit@hhs.gov.
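
The sender and link check described above can be automated at the mail gateway or in a triage script. The following is an added example, not part of the OCR alert or any HHS tooling: it treats only hhs.gov and its subdomains as official and flags any other host whose letters contain "hhsgov". The heuristic, the function names and the sample message (display name, recipient, subject, body text) are assumptions for illustration; only the two addresses come from the alert.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "hhs.gov"  # official domain named in the alert
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def _letters(host):
    """Drop dots and hyphens so 'hhs-gov.us' and 'hhs.gov' compare on letters."""
    return re.sub(r"[^a-z0-9]", "", host.lower())

def classify_host(host):
    """Return 'official', 'lookalike' or 'other' for a host name."""
    host = host.lower().rstrip(".")
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    # Assumed heuristic: any non-official host that embeds "hhsgov" is suspect.
    if _letters(OFFICIAL_DOMAIN) in _letters(host):
        return "lookalike"
    return "other"

def check_message(raw):
    """Return (field, host, verdict) for the sender and every link in the body."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    findings = [("from", sender, classify_host(sender))]
    for part in msg.walk():
        if part.is_multipart():
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in URL_RE.findall(text):
            host = urlsplit(url).hostname or ""
            findings.append(("link", host, classify_host(host)))
    return findings

# Constructed sample: only the two addresses come from the alert.
SAMPLE = (
    "From: OCR Audit <OSOCRAudit@hhs-gov.us>\n"
    "To: privacy.officer@clinic.example\n"
    "Subject: HIPAA audit program\n"
    "\n"
    "Please review your status: http://www.hhs-gov.us\n"
)

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```

A "lookalike" verdict on either the sender or a link is grounds to quarantine the message and confirm with OCR at the official address before anyone responds.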
© 2016 Zywave, Inc. All rights reserved.