HHS Warns HIPAA Entities About Phishing Email

The Department of Health and Human Services (HHS) is warning HIPAA covered entities and business associates about a phishing email that disguises itself as an official communication from HHS’ Office for Civil Rights (OCR) regarding its HIPAA audit program.

According to OCR’s alert, the phishing email appears to be an official government communication, and targets employees of HIPAA covered entities and business associates. The email prompts recipients to click a link regarding possible inclusion in the HIPAA audit program. The link directs individuals to a non-governmental website marketing a firm’s cyber security services. This firm is not associated with HHS or OCR.

The phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a non-governmental website. This is a subtle difference from the official email address for the HIPAA audit program, OSOCRAudit@hhs.gov, but this kind of lookalike domain is typical in phishing scams.

Covered entities and business associates should be aware of this issue and take note that official communications regarding the HIPAA audit program are sent from the email address OSOCRAudit@hhs.gov. If you have a question as to whether you have received an official communication from OCR regarding a HIPAA audit, you should contact OCR via email at OSOCRAudit@hhs.gov.
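The check the alert describes, comparing the sender's actual domain against the one legitimate domain rather than eyeballing the address, can be automated at a mail gateway or in a triage script. The following is an added illustration, not code from HHS or OCR: it extracts the real address from a From: header (so a spoofed display name is ignored), accepts only hhs.gov and its subdomains, and flags domains that borrow the "hhs" label without being under hhs.gov, the hhs-gov.us pattern from the alert. The sample headers are constructed for the example.

```python
"""Flag lookalike sender domains in From: headers.

Added illustration, not part of the HHS/OCR alert. The only real addresses
used are the two named in the alert; every header below is constructed.
"""
from email.utils import parseaddr

# Exact domains allowed to send HIPAA audit program mail (from the alert).
TRUSTED_DOMAINS = {"hhs.gov"}

# Constructed sample From: headers (not real messages).
SAMPLE_HEADERS = [
    "OCR Audit <OSOCRAudit@hhs.gov>",                     # genuine domain
    "OCR Audit <OSOCRAudit@hhs-gov.us>",                  # lookalike from the alert
    '"OSOCRAudit at hhs.gov" <osocraudit@hhs-gov.us>',    # display name mimics the real address
    "Helpdesk <someone@mail.hhs.gov>",                    # legitimate subdomain
    "OSOCRAudit@hhs.gov.example.com",                     # trusted name buried in a longer domain
    "Vendor <sales@example.net>",                         # unrelated sender
]


def sender_domain(header_value):
    """Return the lowercase domain of the real address in a From: header.

    parseaddr() separates the display name from the address, so text such as
    'OSOCRAudit at hhs.gov' placed in the display name does not affect the check.
    """
    _name, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_trusted_domain(domain):
    """True only for an exact trusted domain or one of its subdomains."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def looks_like(domain):
    """True when a domain reuses a trusted domain's first label (e.g. 'hhs')
    but is not under that trusted domain: hhs-gov.us, hhs.gov.example.com."""
    labels = set(domain.replace("-", ".").split("."))
    return any(t.split(".")[0] in labels for t in TRUSTED_DOMAINS)


def classify(header_value):
    """Return 'trusted', 'lookalike', or 'other' for a From: header value."""
    domain = sender_domain(header_value)
    if not domain:
        return "other"
    if is_trusted_domain(domain):
        return "trusted"
    if looks_like(domain):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify(header):10s} {header}")
```

The suffix comparison in is_trusted_domain is deliberate: a plain substring test would accept hhs.gov.example.com, which is exactly the kind of address this check exists to reject. A "lookalike" verdict is a prompt to verify through the official OSOCRAudit@hhs.gov address, as the alert advises, not to reply to the message.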


The information provided herein is intended solely for the use of our clients. You may not display, reproduce, copy, modify, license, sell or disseminate in any manner any information included herein, without the express permission of the Publisher or Publishers of articles within.

The information provided is for informational purposes only and does not constitute legal advice. The information above contains only a summary of the applicable legal provisions and does not purport to cover every aspect of any particular law, regulation or requirement. Depending on the specific facts of any situation, there may be additional or different requirements. This is to be used only as a guide and not as a definitive description of your compliance obligations.