Phishing Email disguised as official OCR Audit communication (article)
The HHS Office for Civil Rights (OCR) is currently in the process of conducting Phase 2 audits of covered entities and business associates to ensure compliance with the HIPAA privacy and security rules (see HIPAA Audit Program - Phase 2 Begins, Benefit Beat, 4/7/16).
The OCR’s audit process generally begins with an email to the covered entity informing it of a potential audit, and may be followed by additional communications by email. The OCR recently announced an apparent phishing email scam in which some recipients receive what appears to be an official communication from OCR but which, in fact, leads the recipient to a website (unaffiliated with OCR) that markets a company’s cybersecurity services. The phishing email originates from the email address “OSOCRAudit@hhs-gov.us” and directs individuals to a URL at “http://www.hhs-gov.us”. The OCR’s official email address for the HIPAA audit program is OSOCRAudit@hhs.gov. Note that the fraudulent domain, “hhs-gov.us”, is a look-alike of the official “hhs.gov” and not a subdomain of it.
If there is any question about whether an email communication is valid and official, the OCR recommends that the covered entity or business associate contact OCR directly by email at OSOCRAudit@hhs.gov.
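The distinction the article draws, between the official domain “hhs.gov” and the look-alike “hhs-gov.us”, is exactly the check a mail-triage script or a help-desk analyst should make before anyone acts on an “audit” email. The following Python is an added example written for this page; it is not code from the article, from CBIZ or from OCR. It assumes only the official domain the article names (hhs.gov) and uses the sender address and URL the article reports as a constructed sample message. The functions `is_official_host`, `is_lookalike_host`, `sender_domain` and `triage_message` are hypothetical names introduced here.

```python
"""Triage check for messages claiming to come from the OCR HIPAA audit program.

Added example (not from the article, CBIZ or OCR): compares the sender address
and any linked URLs against the official domain the article names (hhs.gov)
and flags look-alike domains such as hhs-gov.us.
"""
from email.utils import parseaddr
from urllib.parse import urlparse

# Official domain for the OCR audit program, as stated in the article.
OFFICIAL_DOMAIN = "hhs.gov"


def _squash(s: str) -> str:
    """Lower-case and drop dots/hyphens so 'hhs-gov.us' becomes 'hhsgovus'."""
    return "".join(ch for ch in s.lower() if ch.isalnum())


def is_official_host(host: str, official: str = OFFICIAL_DOMAIN) -> bool:
    """True only if host is exactly the official domain or a subdomain of it.

    The comparison is on whole domain labels, so 'hhs.gov' and 'ocr.hhs.gov'
    pass while 'hhs-gov.us', 'hhs.gov.example.com' and 'hhsgov.com' do not.
    """
    host = host.lower().rstrip(".")
    return host == official or host.endswith("." + official)


def is_lookalike_host(host: str, official: str = OFFICIAL_DOMAIN) -> bool:
    """Heuristic: host is not official, yet once dots and hyphens are stripped
    it still contains the official name ('hhsgov'). Catches 'hhs-gov.us' and
    'hhs.gov.example.com'. It is a triage hint, not proof of fraud."""
    if is_official_host(host, official):
        return False
    return _squash(official) in _squash(host)


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'OCR <x@hhs-gov.us>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage_message(from_header: str, urls: list) -> dict:
    """Classify the sender domain and every linked host for one message.

    Returns which hosts are look-alikes, which are merely unofficial, and
    whether the recipient should verify with OCR out of band before acting.
    """
    findings = {"sender_official": False, "lookalike_hosts": [],
                "unofficial_hosts": []}
    sdom = sender_domain(from_header)
    findings["sender_official"] = is_official_host(sdom)
    hosts = [sdom] + [(urlparse(u).hostname or "") for u in urls]
    for h in hosts:
        if not h or is_official_host(h):
            continue
        if is_lookalike_host(h):
            findings["lookalike_hosts"].append(h)
        else:
            findings["unofficial_hosts"].append(h)
    # Any look-alike host, or a sender outside hhs.gov, means: do not reply or
    # click; confirm with OCR at its published address instead.
    findings["verify_out_of_band"] = (bool(findings["lookalike_hosts"])
                                      or not findings["sender_official"])
    return findings


if __name__ == "__main__":
    # Constructed sample built from the addresses the article reports.
    phish = triage_message("OCR Audit <OSOCRAudit@hhs-gov.us>",
                           ["http://www.hhs-gov.us"])
    legit = triage_message("OSOCRAudit@hhs.gov", ["https://www.hhs.gov/hipaa/"])
    print("suspected phish:", phish)
    print("official-looking:", legit)
```

This check only compares the domains that appear in the message; a From: header can be forged to show the genuine address, so in production it belongs alongside the mail server’s SPF/DKIM/DMARC results rather than in place of them. Its value is in catching the case the article describes, where the attacker did not forge hhs.gov but registered a domain that reads like it.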
The information contained in this article is provided as general guidance and may be affected by changes in law or regulation. This article is not intended to replace or substitute for accounting or other professional advice. Please consult a CBIZ professional. This information is provided as-is with no warranties of any kind. CBIZ shall not be liable for any damages whatsoever in connection with its use and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein.