During the 2016 Practice Administrator Seminar, ProAssurance staff informed insureds of upcoming HIPAA compliance audits conducted by the DHHS’ Office of Civil Rights (OCR). Initial contact for these audits is being made by OCR via email rather than standard mail.
We have recently been made aware of a phishing email in circulation that purports to come from OCR and refers to the HIPAA compliance audits. A recent article from Data Breach Today provides more detailed information on how to determine whether an email you have received from OCR is legitimate.
OCR notes that the phishing email originates from the address "OSOCRAudit@hhs-gov.us," while the legitimate OCR audit address is "OSOCRAudit@hhs.gov." The lookalike domain replaces the dot in "hhs.gov" with a hyphen and ends in ".us," so the phishing email comes from a ".us" domain while the legitimate OCR email comes from the ".gov" domain.
OCR also warns that future phishing emails may use other minor variations on a legitimate-looking address. If you have any doubt, contact OCR directly to confirm an email's authenticity before opening it.
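As an added example (not part of the ProAssurance notice or OCR's guidance), the following Python check applies the comparison above to an email From header: it extracts the sender domain, accepts hhs.gov and its subdomains, and flags domains that reuse the "hhs" and "gov" labels under a different top-level domain, such as hhs-gov.us. The lookalike pattern generalises the notice's single example to other hyphen, dot and TLD variations and is an assumption, not a rule published by OCR.

```python
import re
from email.utils import parseaddr

# The legitimate OCR audit sender domain, as stated in the notice.
LEGITIMATE_DOMAIN = "hhs.gov"


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the actual address in a From header.

    parseaddr() separates the display name from the address, so a spoofed
    display name such as '"OCR Audit" <x@hhs-gov.us>' yields hhs-gov.us.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(from_header: str) -> str:
    """Classify the sender as 'legitimate', 'lookalike' or 'unrelated'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unrelated"
    # Exact match, or a subdomain of the legitimate domain (e.g. ocr.hhs.gov).
    if domain == LEGITIMATE_DOMAIN or domain.endswith("." + LEGITIMATE_DOMAIN):
        return "legitimate"
    # Lookalike heuristic (assumption): the legitimate labels appear in order,
    # joined by nothing, a hyphen or a dot, but not as the registrable domain,
    # e.g. hhs-gov.us, hhs.gov.us, hhsgov.com, hhs.gov.example.com.
    labels = [re.escape(label) for label in LEGITIMATE_DOMAIN.split(".")]
    pattern = r"(^|\.)" + r"[-.]?".join(labels) + r"(\.|$)"
    if re.search(pattern, domain):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample headers built from the two addresses in the notice.
    for header in ("OSOCRAudit@hhs.gov", '"OCR Audit" <OSOCRAudit@hhs-gov.us>'):
        print(f"{header!r}: {classify_sender(header)}")
```

A mail filter would apply this only to messages claiming to be OCR audit correspondence, and a "lookalike" result is a reason to contact OCR directly rather than a proof of fraud.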