As part of the Health Information Technology for Economic and Clinical Health Act (HITECH), the OCR is charged with conducting periodic audits of covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. During 2011 and 2012, as part of Phase 1 of its audit program, the OCR assessed the controls and processes implemented by 115 covered entities. This initial phase was considered a pilot program to be followed by Phase 2. In Phase 2 of the OCR’s audit program, covered entities received notification of their selection for inclusion in the audit pool on July 11, 2016 and business associates began receiving similar notifications shortly thereafter. For more on Phase 2, see our previous post HHS Launches Phase 2 HIPAA Audits.

Recently, HHS issued an alert about phishing emails disguised as an OCR audit notification. These phishing emails are designed to target employees of covered entities and their business associates by using HHS letterhead and the signature of the Director of the OCR, similar to an actual notice. However, the red flag in these phishing emails is a link that directs recipients to non-government websites (not ending in .gov), which market cybersecurity services.

Importantly, it’s not safe to assume all email notifications are a scam. Legitimate OCR audit notices are also sent via email and include a letter from the Director of the OCR that appears on HHS letterhead. As we noted in our previous blog post, HHS expects you to check your junk and spam email folders for communications from HHS. As a friendly reminder, just because your employees do not respond to these legitimate inquiries does not mean that you will not be placed in the audit pool; in fact it may increase your chances of being selected for an audit.