Phishing Email Disguised as OCR HIPAA Audit Notification
A new phishing scam targeting covered entities (CE) and business associates (BA) is disguised as an official communication from the Office for Civil Rights (OCR). In an alert released November 28, OCR advised CEs and BAs that a phishing email is being circulated on fake HHS letterhead with the signature of Jocelyn Samuels, OCR’s director. The email directs recipients to click a link regarding the CE or BA’s inclusion in phase two of the HIPAA audit program. The link allegedly leads to a website marketing a private firm’s cybersecurity services, OCR said. The firm is not associated with OCR or the federal government.
Individuals who have received the phishing email or are not certain an email from OCR is an official email should contact OCR at OSOCRAudit@hhs.gov.
Phase two of the HIPAA audit program was announced in March. Phase two will consists of three rounds of audits:
- Desk audits of CEs
- Desk audits of BAs
- Comprehensive onsite audits of CEs and BAs
Audited CEs had 10 days to submit requested documentation to auditors. Auditors will review the documentation and prepare a draft audit report. The draft report will be sent to the audited CE. The CE will be able to read to the draft report and attach comments. Auditors will then create the final report with the CE’s comments attached.
Desk audits of CEs occurred in July but the program has stalled since then. Desk audits of BAs were originally set for October and comprehensive onsite audits were planned for early 2017. But the 160 audited CEs still have not received their draft audit reports and there is no sign when rounds two or three will begin, Chris Apgar, CISSP, president of Apgar and Associates, LLC, in Portland, Oregon, says. The recent presidential election may have put HIPAA audits on temporary hold.
“I think all will be on hold until March or so next year because of the change in leadership at the top,” he says.
In the meantime, CEs and BAs should remain alert for genuine OCR communications.