Receiving an email that your practice has been identified for participating in the HIPAA Privacy, Security, and Breach Rules Audit Program is enough to raise anyone’s blood pressure. The likely response is to open the email immediately, determine the scope of the audit, and mobilize a team to prepare for the response.

​Opening the email, however, may not direct the email recipient to information regarding a governmental HIPAA audit. Instead, some providers are finding that the link directs to a non-governmental company’s marketing efforts for a cybersecurity service. The Office of Civil Rights (OCR) of the Department of Health and Human Services (the entity responsible for HIPAA audits and enforcement) has published alerts (available here) regarding the scam emails.

Although nothing in the most-recent alerts suggests that the current scam emails will result in a malware attack, covered entities and business associates must remain on guard regarding the potential risks of opening a communication that may appear to come from the OCR. Providers who have a question regarding whether an email is an official communication from OCR regarding a HIPAA audit may contact the OCR at OSOCRAudit@hhs.gov. Official communications from the OCR original from the same address.

​Parker Poe has developed a number of tools to assist our clients to perform self-audits regarding compliance with the privacy, security and breach notification rules under HIPAA. We also advise clients routinely regarding responses to HIPAA audits. More information regarding our team can be found here.