Beware of Phishing Email Disguised as Official OCR Audit Communication

Ballard Spahr LLP

The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has posted an alert (and a follow-up alert) warning health plans, health care providers, and their vendors of a mock communication involving the OCR audit program under the Health Insurance Portability and Accountability Act (HIPAA). The email falsifies HHS departmental letterhead and the signature of the OCR Director and directs individuals to a non-governmental website marketing the cybersecurity services of a firm that is not associated with HHS or OCR.

Even before it launched its new wave of HIPAA audits, OCR warned about the prospect of such fraudulent communications. Those who are subject to HIPAA need to be particularly vigilant to confirm that official-looking emails they receive about the HIPAA audit program actually do come from—and refer to—the appropriate OCR email address.

The follow-up alert also notes that OCR has begun contacting business associates as part of its HIPAA audit program. Business associates should look out for any emails they receive from OCR and, after first confirming that they are genuine, take prompt measures to meet audit response deadlines.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
