On November 28, 2016, the HHS Office for Civil Rights issued a listserv announcement warning covered entities and their business associates about a phishing email that disguises itself as an official communication from the Department. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program, and directs individuals to a non-governmental website, marketing a firm’s cybersecurity services.
OCR would like to further share that this phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs.gov. This is a subtle difference from the official email address for our HIPAA audit program, OSOCRAudit@hhs.gov, but such subtlety is typical in phishing scams.
Covered entities and business associates should alert their employees of this issue and take note that official communications regarding the HIPAA audit program are sent to selected auditees from the email address OSOCRAudit@hhs.gov.
In addition, OCR has notified select business associates of their inclusion in the Phase 2 HIPAA audits. For more information on the Phase 2 HIPAA audit program, please visit our website at http://www.hhs.gov/hipaa/for-