The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published an alert on Monday describing a phishing campaign disguised as an email from OCR. The email is being circulated on mock HHS letterhead under the signature of OCR’s Director Jocelyn Samuels and is being sent to HIPAA covered entities and their business associates. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. When clicked, the link takes the recipient to a non-governmental website marketing a firm’s cybersecurity services. In its alert, HHS clarified that it is in no way associated with the firm.

Covered Entities and Business Associates should be aware of this email and should make their workforces aware of it. This can also serve as an important reminder of the importance of being vigilant about phishing campaigns and not clicking links in any email that seems suspicious or unexpected.

While the firm’s specific claims of inclusion in the audit program are not based in fact, OCR’s audit program is itself quite real. This past July we discussed the audit letters that were sent to health care providers and health care clearinghouses alerting them to their inclusion in the audit. We also described how OCR would be auditing businesses associates during the fall season. Given that fall is upon us, it is now more critical than ever for business associates to review their compliance efforts.