The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has posted an alert (and a follow-up alert) warning health plans, health care providers, and their vendors about a phishing email posing as an official OCR communication about the audit program under the Health Insurance Portability and Accountability Act (HIPAA). The email uses counterfeit HHS departmental letterhead and the forged signature of the OCR Director, and directs recipients to a non-governmental website marketing the cybersecurity services of a firm that is not associated with HHS or OCR.

Even before it launched its new wave of HIPAA audits, OCR warned about the prospect of such fraudulent communications. Those who are subject to HIPAA need to be particularly vigilant to confirm that official-looking emails they receive about the HIPAA audit program actually do come from—and refer to—the appropriate OCR email address.

The follow-up alert also notes that OCR has begun contacting business associates as part of its HIPAA audit program. Business associates should watch for any emails they receive from OCR and, after first confirming that they are genuine, take prompt measures to meet audit response deadlines.

Ballard Spahr formed a HIPAA Compliance Team of attorneys from various disciplines to advise health care providers, health plans, and their business associates on the privacy and security requirements under HIPAA. Members of the team offer guidance and training on HIPAA rules; prepare HIPAA policies and procedures, notices and forms, business associate agreements, and other compliance documentation; perform security risk assessments; and otherwise help clients prepare for the eventuality of an OCR HIPAA audit.

If you have questions about the OCR alert, the HIPAA audit program, or HIPAA privacy and security requirements, please contact any member of our HIPAA Compliance Team. For more information about our team visit us at