The HHS Office for Civil Rights (OCR) published an alert on November 28 describing a phishing email being circulated on mock HHS departmental letterhead under the signature of OCR Director Jocelyn Samuels. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link takes the recipient to a nongovernmental website marketing a firm’s cybersecurity services. The HHS OCR stated that it is in no way associated with the firm. The email is targeting employees of covered entities and their business associates. Covered entities and business associates should, therefore, make their workforce members aware of this phishing campaign and remind workforce members to be vigilant and not click on links or attachments that seem suspicious. The HHS OCR has stated that you can reach out to them at OSOCRAudit@hhs.gov if you have a question as to whether a communication you receive from them regarding a HIPAA audit is legitimate.

OCR shared in another alert on November 30 that the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. This is a subtle difference from the official email address for OCR’s HIPAA audit program, OSOCRAudit@hhs.gov. Covered entities and business associates should alert their workforce members of this issue and take note that official communications regarding the HIPAA audit program are sent to selected auditees from the email address OSOCRAudit@hhs.gov.