'It ain't me': OCR warns of phishing email masquerading as official OCR contact
by Julia Kyles, CPC on Nov 29, 2016
Employees at your organization may have received an email that appeared to be from the HHS Office for Civil Rights (OCR) inviting them to click on a link for inclusion in the “HIPAA Privacy, and Breach Rules Audit Program.” No such program exists (although the name sounds a lot like the OCR's real HIPAA Privacy, Security and Breach Notification Audit Program), and the email isn’t from the OCR. It’s from a website that is marketing the services of a cybersecurity firm.
“In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights. We take the unauthorized use of this material by this firm very seriously,” OCR stated in an email alert about the email. The agency encouraged people who want to verify communications from OCR about HIPAA audits to use the official email address, OSOCRAudit@hhs.gov. To subscribe to the OCR’s security list, go to: https://list.nih.gov/cgi-bin/wa.exe?A0=ocr-security-list
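The practical check behind OCR's advice is simple: a message that claims to be from OCR or HHS should be sent from an hhs.gov address and should not push readers toward links on some other domain. The script below is an added example for this alert, not OCR's own tooling or anything the firm published; it parses a constructed sample message (the sender domain `example-cyberfirm.test` and the recipient address are placeholders) and flags display-name impersonation of OCR/HHS, a Return-Path that disagrees with the From domain, and links that point outside hhs.gov or the NIH list server named above.

```python
"""Flag inbound mail that claims to come from HHS/OCR but is sent from, or
links to, a domain other than hhs.gov. Added example, not OCR's tooling;
the sample messages below are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the OCR alert names as legitimate: hhs.gov for the audit mailbox
# and list.nih.gov for the OCR security list.
TRUSTED_DOMAINS = {"hhs.gov", "list.nih.gov"}

# Phrases in the display name or subject that amount to a claim of being
# OCR/HHS. Kept deliberately small: this is an impersonation check, not spam scoring.
CLAIM_PATTERNS = re.compile(
    r"(office for civil rights|\bOCR\b|health and human services|\bHHS\b|HIPAA .*audit)",
    re.IGNORECASE,
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of_address(addr: str) -> str:
    """Return the lowercased domain part of an RFC 5322 address ('' if none)."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def is_trusted(domain: str) -> bool:
    """True if domain is a trusted domain or a subdomain of one (not a look-alike)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def message_body(msg) -> str:
    """Collect the text/plain parts of the message as one string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def assess_message(raw: str) -> dict:
    """Return findings for a raw RFC 5322 message; 'suspicious' is True if any fired."""
    msg = message_from_string(raw)
    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    sender_domain = domain_of_address(from_header)
    return_path_domain = domain_of_address(msg.get("Return-Path", ""))

    claims_ocr = bool(CLAIM_PATTERNS.search(display_name)
                      or CLAIM_PATTERNS.search(msg.get("Subject", "")))

    link_domains = {urlparse(u).hostname for u in URL_RE.findall(message_body(msg))}
    untrusted_links = sorted(d for d in link_domains if d and not is_trusted(d))

    findings = []
    if claims_ocr and not is_trusted(sender_domain):
        findings.append(f"claims OCR/HHS but From domain is {sender_domain!r}")
    if return_path_domain and return_path_domain != sender_domain:
        findings.append(f"Return-Path domain {return_path_domain!r} differs from From domain")
    if claims_ocr and untrusted_links:
        findings.append("links to non-hhs.gov domains: " + ", ".join(untrusted_links))

    return {
        "claims_ocr": claims_ocr,
        "sender_domain": sender_domain,
        "untrusted_links": untrusted_links,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample resembling the message OCR describes: OCR display name,
# non-hhs.gov sender, enrollment link on the firm's own domain.
SAMPLE_PHISH = """\
From: "HHS Office for Civil Rights" <audit-program@example-cyberfirm.test>
Return-Path: <bounce@example-cyberfirm.test>
To: privacy.officer@hospital.example
Subject: HIPAA Privacy, and Breach Rules Audit Program - action required

Click here to be included in the HIPAA Privacy, and Breach Rules Audit Program:
http://audit-program.example-cyberfirm.test/enroll
"""

# Constructed sample of what a genuine OCR contact would look like.
SAMPLE_LEGIT = """\
From: OCR Audit <OSOCRAudit@hhs.gov>
Return-Path: <OSOCRAudit@hhs.gov>
To: privacy.officer@hospital.example
Subject: HIPAA Privacy, Security and Breach Notification Audit Program

Subscribe to the OCR security list: https://list.nih.gov/cgi-bin/wa.exe?A0=ocr-security-list
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = assess_message(raw)
        print(label, "suspicious" if result["suspicious"] else "ok", result["findings"])
```

The check is intentionally narrow: it only fires when the message makes an OCR/HHS claim, so ordinary vendor mail is not flagged, and `is_trusted` requires an exact domain or a true subdomain so that look-alikes such as `hhs.gov.example.test` do not pass. A real deployment would pair it with SPF/DKIM/DMARC results from the receiving MTA, which this example does not evaluate.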
Even if the email is simply a clumsy marketing ploy, the cybersecurity firm could have committed a major compliance faux pas.
Social Security Act §1140 forbids the use of Social Security Administration, Medicare and HHS symbols, letters, logos and words "in a manner which such person knows or should know would convey, or in a manner which reasonably could be interpreted or construed as conveying, the false impression that such item is approved, endorsed or authorized by the Social Security Administration, the Centers for Medicare and Medicaid Services or the Department of Health and Human Services or that such person has some connection with, or authorization from, the Social Security Administration, the Centers for Medicare and Medicaid Services or the Department of Health and Human Services."