In recent months, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) notified business associates of their inclusion in Phase 2 HIPAA Audits. On November 28, 2016, and November 30, 2016, the OCR issued listserv announcements warning covered entities and their business associates about a phishing email disguised as an OCR official communication.
The phishing email asks recipients to click on a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program and directs individuals to a non-governmental website that markets a firm’s cybersecurity services. The phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us; the firm is not associated with the HHS OCR.
Be aware that all official communications regarding the HIPAA Audit Program are sent to selected auditees from the email address OSOCRAudit@hhs.gov. If a covered entity or business associate has a question as to whether it has received an official communication from OCR regarding a HIPAA audit, please contact OCR via email at OSOCRAudit@hhs.gov.
The official HHS site for information about the HIPAA Privacy, Security, and Breach Notification Audit Program is http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/.
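The lookalike pattern described above (hhs-gov.us standing in for hhs.gov) can be checked mechanically. The following is an added example, not part of the OCR announcement: a short Python triage routine that compares a message's From domain and embedded links against the official domain. The function names, the sample subject and the sample body text are constructed for illustration; only the address and URL come from the advisory.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "hhs.gov"  # official sender and site domain named in the advisory
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def classify_host(host):
    """Return 'official', 'lookalike' or 'other' for a hostname."""
    host = (host or "").lower().rstrip(".")
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    # Drop dots and hyphens so hhs-gov.us and hhs.gov.example.com both expose "hhsgov".
    if "hhsgov" in re.sub(r"[^a-z0-9]", "", host):
        return "lookalike"
    return "other"

def triage(raw_message):
    """Check the From domain and every link of a message claiming to be an OCR audit notice."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_verdict = classify_host(sender.rpartition("@")[2])
    links = {}
    for url in URL_RE.findall(msg.get_payload()):
        host = (urlsplit(url).hostname or "").rstrip(".")
        links[host] = classify_host(host)
    # A matching From domain is necessary, not sufficient: the header can be forged,
    # so mail gateways should still enforce SPF/DKIM/DMARC results.
    suspicious = sender_verdict != "official" or "lookalike" in links.values()
    return {"sender": sender, "sender_verdict": sender_verdict,
            "links": links, "suspicious": suspicious}

# Constructed sample: only the address and URL come from the advisory.
SAMPLE_PHISH = "\n".join([
    'From: "OCR Audit" <OSOCRAudit@hhs-gov.us>',
    "Subject: HIPAA audit program (constructed subject)",
    "",
    "Constructed body text. Details: http://www.hhs-gov.us",
])

if __name__ == "__main__":
    print(triage(SAMPLE_PHISH))
```

The exact-or-subdomain match is what separates hhs.gov from hosts that merely contain the same letters, such as hhs.gov.example.com.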
11/30/2016