OCR Issues Alert About Phishing Email Scam
By: David Cole

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published an alert notifying HIPAA covered entities and business associates of a phishing email being circulated on fake HHS letterhead and under the alleged signature of OCR’s Director, Jocelyn Samuels. The email suggests to recipients that they are being included in the current HIPAA Audit Program and directs them to click on a link. The link then takes recipients to a nongovernmental website marketing a firm’s cybersecurity services.

OCR states that the phishing email originates from the email address and directs individuals to a URL at This is very similar to the official email address for OCR’s HIPAA Audit Program, which is However, OCR has stated that it is in no way associated with the cybersecurity firm apparently behind these emails, and that these emails are not part of the HIPAA Audit Program. Actual communications from OCR about the HIPAA Audit Program are sent to selected auditees from the email address

Covered entities and business associates should make their workforce members aware of this phishing campaign and remind them to be vigilant and not click on links or attachments that seem suspicious or come from unknown sources. OCR has stated that you can contact it at if you have a question about whether a communication you receive about a HIPAA audit is legitimate.