Beware: HIPAA Phase II Audit Phishing Email

Background

In 2011, the Department of Health and Human Services (HHS), through the Office of Civil Rights (OCR) implemented a HIPAA audit program—to examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews. Phase II of the program, which began in July 2016, audits HIPAA covered entities and expanded to business associates in fall of 2016.

Audit Phishing Email

Entities selected as auditees receive a communication from OCR via email. Many employers have bemoaned the fact that this communication may be erroneously classified as spam, but OCR expects entities to check their spam and junk folders for these communications. To complicate the matter, on November 28, HHS announced that they have discovered phishing emails that appear to be a part of the HIPAA Phase II audit program. As a result, HIPAA covered entities and business associates should monitor communications that appear to come from OCR even closer than before to ensure that it is an official OCR communication.

Covered entities and businesses associates should look for the following:

Action Steps

Covered entities and business associates should notify their employees and take appropriate security measures to respond to this issue— being mindful that despite the potential for confusion with the phishing email and erroneous spam designation, covered entities and business associates still must reply to audit program communications from OCR.

If an entity does not respond, OCR will use publically available information to develop its audit pool. An entity that does not respond may still be selected for an audit.