HIPAA Audits: OCR Warns of Phishing Email

phishing emails

On November 28, 2016, the HHS Office for Civil Rights (OCR) published the following Alert on its website:

Alert: Phishing Email Disguised as Official OCR Audit Communication—November 28, 2016

It has come to our attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services. In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights. We take the unauthorized use of this material by this firm very seriously.  In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at OSOCRAudit@hhs.gov

On November 30th, HHS OCR issued additional clarification regarding the Phishing Email Alert:

 OCR advices that covered entities and business associates should alert their employees of this issue and take note that official communications regarding the HIPAA audit program are sent to selected auditees from the email address OSOCRAudit@hhs.gov.

 In addition, the November 30th announcement from OCR states that OCR has notified select business associates of their inclusion in the Phase 2 HIPAA audits.  Additional information on the Phase 2 HIPAA audit program is at OCR’s webpage http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.

 You can also follow OCR on Twitter http://twitter.com/HHSOCR