Beware: HIPAA Phase II Audit Phishing Email


In 2011, the Department of Health and Human Services (HHS), through the Office of Civil Rights (OCR) implemented a HIPAA audit program—to examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews. Phase II of the program, which began in July 2016, audits HIPAA covered entities and expanded to business associates in fall of 2016.

Audit Phishing Email

Entities selected as auditees receive a communication from OCR via email. Many employers have bemoaned the fact that this communication may be erroneously classified as spam, but OCR expects entities to check their spam and junk folders for these communications. To complicate the matter, on November 28, HHS announced that it had discovered phishing emails that appear to be part of the HIPAA Phase II audit program. As a result, HIPAA covered entities and business associates should scrutinize communications that appear to come from OCR even more closely than before to confirm that each one is an official OCR communication.

Covered entities and business associates should look for the following:

| Phishing Email | Official HHS Email |
| --- | --- |
| Mock HHS letterhead under the signature of OCR’s Director, Jocelyn Samuels | Official HHS letterhead under the signature of OCR’s Director, Jocelyn Samuels. See sample |
| Targets employees of HIPAA covered entities and business associates | Targets individuals administering the health plan of HIPAA covered entities and business associates |
| Prompts recipient to click a link regarding possible inclusion in the audit program | Provides covered entities information regarding contact information verification |
| Link redirects recipient to non-governmental website marketing cybersecurity services | Any links direct recipient to official HHS website |

Sender: [email protected]
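A defender-side triage of the indicators in this comparison, as an added example that is not from the page or from HHS: it parses a raw message, checks the sender domain and every link host against the official HHS domain (assumed here to be hhs.gov, since the page only says "official HHS website"), and rejects lookalike hosts that a naive substring match would accept. Both sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the official domain behind "official HHS website" and OCR mail.
OFFICIAL_DOMAIN = "hhs.gov"

# Matches bare URLs and the URL inside href="..." (stops at quotes/brackets).
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def is_official_host(host: str) -> bool:
    """True only for hhs.gov itself or a real subdomain such as www.hhs.gov.

    A substring test ('hhs.gov' in url) would accept lookalikes such as
    hhs.gov.example or nothhs.gov; comparing the whole host label-wise avoids that.
    """
    host = host.lower().rstrip(".")
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def triage_audit_email(raw_message: str) -> list:
    """Return the indicators from the comparison that the message fails.

    Checks the From domain and every link host. An empty list means nothing
    contradicted the official column; it does not by itself prove authenticity.
    Assumes a single-part text message (no MIME attachments).
    """
    msg = message_from_string(raw_message)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if not is_official_host(sender_domain):
        findings.append(f"sender domain {sender_domain!r} is not {OFFICIAL_DOMAIN}")
    for url in URL_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname or ""
        if not is_official_host(host):
            findings.append(f"link {url} leads off {OFFICIAL_DOMAIN} (host {host!r})")
    return findings


# Constructed samples: a lookalike sender plus a link whose host merely starts
# with hhs.gov, versus a message whose sender and link are under hhs.gov.
PHISH = """From: "OCR Audit Team" <audit@hhs-gov.example>
Subject: HIPAA Phase II Audit - possible inclusion

Click to confirm your inclusion in the audit program:
<a href="https://hhs.gov.secure-audit.example/confirm">Confirm</a>
"""
OFFICIAL = """From: "Office for Civil Rights" <ocr-audit@hhs.gov>
Subject: HIPAA Audit Program - contact information verification

Please verify your contact information at https://www.hhs.gov/hipaa/ .
"""
```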


Action Steps

Covered entities and business associates should notify their employees and take appropriate security measures to respond to this issue— being mindful that despite the potential for confusion with the phishing email and erroneous spam designation, covered entities and business associates still must reply to audit program communications from OCR.

If an entity does not respond, OCR will use publicly available information to develop its audit pool. An entity that does not respond may still be selected for an audit.