The HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules, is warning of a phishing email that is being sent to healthcare organizations and purports to come from OCR.

The email has a mock HHS department letterhead under the signature of OCR Director Jocelyn Samuels, and appears to be legitimate. It prompts recipients to click on a link that indicates the recipient may be selected for a HIPAA audit, but the link goes to a private cybersecurity firm marketing its services.

The cybersecurity firm, which OCR is not identifying, has no association with the agency.

“We take the unauthorized use of this material by this firm very seriously,” OCR says in an alert email released to the industry. “In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at

OCR is unable to comment further on the incident, according to a spokesperson, who notes that official communication of a HIPAA audit also comes from the same email address.
