The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published an alert on Nov. 28 describing a phishing email being circulated on mock HHS departmental letterhead under the signature of OCR Director Jocelyn Samuels. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link takes the recipient to a nongovernmental website marketing a firm’s cybersecurity services. The HHS OCR stated that it is in no way associated with the firm. The email targets employees of covered entities and their business associates. Covered entities and business associates should therefore make their workforce members aware of this phishing campaign and remind them to be vigilant and not to click on links or open attachments that seem suspicious. The HHS OCR has stated that you can reach out to them at OSOCRAudit@hhs.gov if you have a question as to whether a communication you receive from them regarding a HIPAA audit is legitimate.