The Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) has posted an alert warning employers, and others, of a fake communication involving the OCR audit program under HIPAA. The email falsifies HHS departmental letterhead and the signature of the OCR Director and directs individuals to a non-governmental website marketing the cybersecurity services of a firm that is not associated with HHS or OCR.
This phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. The sending address differs only subtly from the official email address for the real HIPAA audit program, OSOCRAudit@hhs.gov.
Phishing is a scam typically carried out through unsolicited email and/or websites that pose as legitimate sites and lure unsuspecting victims into providing personal and financial information.
Employers should alert their employees to this issue and take note that official communications regarding the HIPAA audit program are sent to selected auditees from the email address OSOCRAudit@hhs.gov.
If you question any communication regarding a HIPAA audit, please contact OCR at: OSOCRAudit@hhs.gov.