OCR Issues Alert Regarding Recent Phishing Scam

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) is currently conducting Phase 2 of its audit program to assess covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Those selected for inclusion in the audit are notified via email.

However, on November 28th, the OCR posted an alert on its website warning HIPAA covered entities and their business associates about a phishing email that has been circulating. This email, which bears a fake HHS letterhead and the signature of OCR’s director, Jocelyn Samuels, can easily be mistaken for legitimate government correspondence.

In the phishing email, recipients are directed to click on a link to see if they have been chosen for the audit program. Clicking on the link, however, takes recipients to a third-party website for cybersecurity services. This company is not affiliated with the OCR.

Per the alert, the OCR points out that the phishing email comes from the address OSOCRAudit@hhs-gov.us rather than from its official email address, OSOCRAudit@hhs.gov. Phishing scams often rely on minor changes like this one, which the typical recipient will not recognize.
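The sender check described in the alert can be automated at a mail gateway or in a triage script. The following is an added example, not code from the OCR or from the original article: it treats hhs.gov as the only trusted domain and flags any sender domain that reuses its labels with different separators or extra labels, as hhs-gov.us does. The function names and the classification labels are assumptions made for this illustration.

```python
import re
from email.utils import parseaddr

# Official audit mailbox domain, taken from the OCR alert.
TRUSTED_DOMAINS = {"hhs.gov"}


def sender_domain(from_header):
    """Return the lower-cased domain of a From value, or None if malformed."""
    _, address = parseaddr(from_header)          # strips any display name
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def _labels(domain):
    """Split on dots and hyphens: 'hhs-gov.us' -> ['hhs', 'gov', 'us']."""
    return [part for part in re.split(r"[.-]", domain) if part]


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Classify a sender as 'trusted', 'lookalike', 'other' or 'malformed'."""
    domain = sender_domain(from_header)
    if domain is None:
        return "malformed"
    # Exact match, or a genuine subdomain of a trusted domain.
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    # Lookalike: the trusted labels appear in order, but the separators or
    # the surrounding labels differ (hhs-gov.us, hhs.gov.example.com).
    have = _labels(domain)
    for t in trusted:
        want = _labels(t)
        for i in range(len(have) - len(want) + 1):
            if have[i:i + len(want)] == want:
                return "lookalike"
    return "other"


if __name__ == "__main__":
    # The two addresses from the alert, plus constructed samples.
    for sample in ("OSOCRAudit@hhs.gov",
                   '"OCR Audit" <OSOCRAudit@hhs-gov.us>',
                   "someone@hhs.gov.example.com",
                   "user@example.org"):
        print(f"{classify_sender(sample):10} {sample}")
```

A From header can be forged outright, so a "trusted" result here only means the domain is spelled correctly; it complements SPF, DKIM and DMARC validation rather than replacing it.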

Though the OCR points out that all covered entities and business associates selected for Phase 2 audits have already been notified, employees should still be warned about this phishing email. If there is any question whether an email is legitimate, organizations should contact the OCR directly at OSOCRAudit@hhs.gov.