
U.S. OCR Issues Warning to HIPAA-Covered Entities about Fake Email – HIPAA

On November 28 and November 30, the United States Department of Health and Human Services (HHS) Office for Civil Rights in Action (OCR) released multiple alerts warning HIPAA-covered entities and their business associates about a phishing email claiming to be from the OCR. According to the alerts, the email appears to be an official government communication, but in actuality directs individuals to a non-governmental website advertising a firm’s cybersecurity services.

The phishing email originates from an email address that is remarkably similar to OCR’s email address, and directs individuals to the URL at which is also deceptively similar to HHS’s website. This is typical in phishing scams. OCR is requesting HIPAA-covered entities to notify their employees of this issue and to be cautious when opening suspicious email. Note that all official email and URLs related to OCR end in the domain extension “gov”.

However, not every OCR audit notice is fake. OCR is in the process of emailing selected auditees as part of OCR’s Phase II of the HIPAA audits. Official communications regarding the HIPAA audit program are sent from the email address – If you have any questions as to whether you have received an official communication from OCR regarding a HIPAA audit, please contact OCR via email at
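The "ends in gov" rule above only helps if it is applied to the parsed hostname rather than to how an address or link looks. The following is an added example, not part of the original article or of any OCR guidance; the function names and every sample address and URL in it are constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL_SUFFIX = "gov"  # per the alert: official OCR email and URLs end in "gov"

def _host_is_gov(host):
    """True only when the last DNS label of the host is exactly 'gov'."""
    if not host:
        return False
    # Normalise case and a trailing root dot. Look-alike Unicode letters
    # never compare equal to ASCII "gov", so homograph labels fail here.
    labels = host.strip().rstrip(".").lower().split(".")
    return len(labels) >= 2 and all(labels) and labels[-1] == OFFICIAL_SUFFIX

def sender_is_gov(from_header):
    """Check the real address in a From: header, ignoring the display name."""
    _display, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return False
    return _host_is_gov(addr.rsplit("@", 1)[1])

def url_is_gov(url):
    """Check the host a link points to, not the text before '@' or in the path."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False
    return _host_is_gov(parts.hostname)

# Constructed samples: one genuine-looking form and common look-alike tricks.
SAMPLE_SENDERS = [
    "Audit Team <sender@agency.gov>",                    # passes
    '"sender@agency.gov" <notice@agency-gov.example>',   # display-name spoof
    "Audit Team <sender@agency.gov.example.com>",        # "gov" is not last
]
SAMPLE_URLS = [
    "https://www.hhs.gov/",                  # passes
    "https://www.hhs.gov.example.com/ocr",   # official name used as subdomain
    "https://www.hhs.gov@login.example/",    # official name in userinfo part
    "https://www.hhs-gov.example/",          # hyphen instead of dot
]

if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print(f"{'ok    ' if sender_is_gov(s) else 'REJECT'}  {s}")
    for u in SAMPLE_URLS:
        print(f"{'ok    ' if url_is_gov(u) else 'REJECT'}  {u}")
```

Passing this check is necessary but not sufficient: a From: header can be forged outright, so mail filtering should still rely on SPF, DKIM and DMARC results for the sending domain.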

Since 1992, OSHA Review, Inc. has provided dental professionals with comprehensive programs to support regulatory compliance and infection control. We are a registered continuing education provider in the state of California, specializing in Dental Practice Act, infection control, and OSHA training.
