HIPAA Phishing Email Alert

Social work practitioners should be aware of a recent phishing scam. On November 28, 2016, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a listserv announcement warning covered entities and their business associates about a phishing email that disguises itself as an official communication from the Department. The phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels.

The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program, and directs individuals to a non-governmental website that is marketing a firm’s cybersecurity services. That firm is NOT associated with the U.S. Department of Health and Human Services or the Office for Civil Rights.

OCR states that this phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. This is a subtle difference from the official email address for our HIPAA audit program, OSOCRAudit@hhs.gov, but such subtlety is typical in phishing scams.

Covered entities and business associates should alert their employees of this issue and take note that official communications regarding the HIPAA audit program are sent to selected auditees from the email address OSOCRAudit@hhs.gov. In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact OCR via email at OSOCRAudit@hhs.gov.
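The alert turns on a one-character difference between a lookalike domain (hhs-gov.us) and the real one (hhs.gov). The following is an added illustration, not part of the OCR announcement or this post, of how a mail-security team might flag that kind of imitation automatically: it normalizes the sender domain and every link in the body and compares them against the official domain. The official address OSOCRAudit@hhs.gov and the lookalike hhs-gov.us come from the alert; the message samples and the helper names (`classify_domain`, `scan_message`) are constructed for this example.

```python
"""Flag sender and link domains that imitate an official domain.

Added illustration, not code from the OCR alert. The official domain and
the lookalike hhs-gov.us are taken from the alert; messages are constructed.
"""
import re
from typing import List, Tuple

OFFICIAL_DOMAIN = "hhs.gov"  # stated in the OCR alert as the real sender domain


def extract_address(header_value: str) -> str:
    """Pull the bare address out of a From: value such as 'Name <a@b>'."""
    m = re.search(r"<([^>]+)>", header_value)
    return (m.group(1) if m else header_value).strip().lower()


def domain_of(value: str) -> str:
    """Domain part of an email address or the host of a URL, lower-cased."""
    value = value.strip().lower()
    if "://" in value:                                    # a URL: take the host
        host = value.split("://", 1)[1].split("/", 1)[0]
        return host.split("@")[-1].split(":")[0]          # drop userinfo / port
    return value.rsplit("@", 1)[-1]


def skeleton(domain: str) -> str:
    """Strip dots and hyphens so 'hhs-gov.us' and 'hhs.gov' become comparable."""
    return re.sub(r"[^a-z0-9]", "", domain)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, official: str = OFFICIAL_DOMAIN) -> str:
    """'official' for the domain and its subdomains, 'lookalike' for imitations,
    'other' for unrelated domains. The lookalike rules are triage heuristics."""
    domain = domain.lower().rstrip(".")
    if domain == official or domain.endswith("." + official):
        return "official"
    d, o = skeleton(domain), skeleton(official)
    if o in d:                      # 'hhsgovus' contains 'hhsgov' (hhs-gov.us)
        return "lookalike"
    if edit_distance(d, o) <= 1:    # single-character swaps such as hhs.g0v
        return "lookalike"
    return "other"


def scan_message(from_header: str, body: str) -> List[Tuple[str, str, str]]:
    """Return (kind, value, verdict) for the sender and every http(s) link."""
    findings = []
    sender = extract_address(from_header)
    findings.append(("sender", sender, classify_domain(domain_of(sender))))
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        findings.append(("link", url, classify_domain(domain_of(url))))
    return findings


def is_suspicious(findings: List[Tuple[str, str, str]]) -> bool:
    """True when any sender or link domain is classified as a lookalike."""
    return any(verdict == "lookalike" for _, _, verdict in findings)


if __name__ == "__main__":
    # Constructed samples: one mirrors the alert's lookalike, one is genuine.
    samples = [
        ("OCR Director <OSOCRAudit@hhs-gov.us>",
         "Confirm your audit status at http://www.hhs-gov.us/audit"),
        ("OSOCRAudit@hhs.gov",
         "Program details: https://www.hhs.gov/hipaa"),
    ]
    for hdr, body in samples:
        found = scan_message(hdr, body)
        print("SUSPICIOUS" if is_suspicious(found) else "ok")
        for kind, value, verdict in found:
            print(f"  {kind:6} {verdict:9} {value}")
```

The skeleton comparison catches the hyphen-for-dot substitution the alert describes as well as the official name buried inside a longer hostname; the edit-distance rule is a deliberately tight heuristic (distance of one) so that unrelated short domains are not swept in. A "lookalike" verdict is a reason to quarantine and verify with OCR through the official address, not a final determination.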


  1. Thank you for posting this informative article! The email address is so close that it may have got me!

  2. Thank you so much for posting this notice! Way to go, NASW!
