Phishing Email Disguised as Official OCR HIPAA Audit Communication

December 8, 2016    Diane Cross
We would like to share the following information from the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) with our clients sponsoring self-funded health benefit plans. As a reminder, HHS OCR is the entity responsible for auditing covered entities and business associates for compliance with the Health Insurance Portability and Accountability Act (HIPAA). Earlier this year, HHS announced the second phase (Phase 2) of its HIPAA audit program, expanding the audits to cover business associates as well as covered entities.

Last week, OCR issued a warning notifying HIPAA covered entities and their business associates about a phishing email that appears to be an official OCR communication. The email asks recipients to click on a link regarding their possible inclusion in the HIPAA Privacy, Security, and Breach Notification Rules Audit Program, and that link directs them to a non-governmental website that markets a firm's cybersecurity services. The phishing email originates from the email address and directs individuals to a URL at; the firm is not associated with HHS OCR. Because a phishing sender can use any display name, check the full sender address and the actual link destination (not the link text) before acting on any message that claims to come from OCR.

Please be aware that all official communications regarding the HIPAA Audit Program are sent to selected auditees from a single official OCR email address. If a covered entity or business associate has a question as to whether it has received an official communication from OCR regarding a HIPAA audit, it should contact OCR directly via email rather than replying to, or clicking links in, the message in question.

Official information about the HIPAA Privacy, Security, and Breach Notification Audit Program is published on the HHS website.

Please contact your HORAN account representative with additional questions.