As reported earlier this year, the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) has increased its audit efforts and is targeting covered entities and business associates. As is often the case with new government initiatives, it was suspected that hackers would attempt to disguise their messages as official government inquiries in an effort to obtain secure information.
Unfortunately, it did not take long for the first incident of phishing emails to be reported, and on November 28, 2016, the OCR released an official alert. The phishing email, which appears to be on HHS Department letterhead and signed by the director of the OCR, instructs recipients to click on a link that directs them to a non-governmental website marketing a firm’s cybersecurity services. HHS officials want employers to be aware that this organization is not associated with HHS or the OCR, and they encourage organizations to email the OCR if they have any questions about whether they have received an official Health Insurance Portability and Accountability Act (HIPAA) audit communication.
In addition to contacting the OCR, clients of HCW are encouraged to reach out to their consultant or client manager to discuss the validity of any governmental inquiry. This is also a good reminder to employers and plan sponsors to review their current HIPAA privacy and security practices to ensure compliance with regulations. If you have questions about your current HIPAA efforts, you can contact HCW and speak with a member of our Compliance team.