HIPAA Audit Emails: Are They Legitimate?

May 20, 2016

TMLT has received questions about the authenticity of recent emails from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Earlier this year, HHS announced that OCR was launching Phase 2 of the HIPAA Audit Program. The announcement stated:

The 2016 audit process begins with verification of an entity’s address and contact information. An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.

Below are samples of actual OCR HIPAA audit emails (with identifying information removed).

The first email is to verify that the person receiving the email is the correct contact.

<image 1>

The second email explains the audit process and asks the organization to complete a screening questionnaire.

<image 2>

<image 3>

Here are a few tips to help you spot a phishing attempt or spoofed email:

  • Emails with generic greetings (not your name)
  • Emails requesting personal information
  • Emails requesting an urgent response
  • Emails with spoofed links. To check, move your cursor and hover over the hyperlink to display the link (see below)

<image 4>

  • Verify the email by calling the sender.
  • Contact your security officer, IT staff, or consultant if you have questions about the legitimacy of an email.
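The hover check and the other tips above can also be applied automatically, which is useful when a security officer wants to screen a suspected message before anyone clicks. The script below is an added example and is not code from TMLT or OCR. It parses a raw email and reports four of the signs listed above: a generic greeting, a request for personal information, urgency wording, and links whose visible text is a URL but whose real destination is a different host (what hovering reveals by eye). The sample message, the `.example` domains, and the keyword patterns are constructed assumptions for illustration, not OCR's wording or an official detection rule set.

```python
"""Check a raw RFC 822 email for the phishing signs discussed above.
The keyword patterns are illustrative assumptions, not an official rule set."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, not a real OCR audit email. The ".example"
# domains are placeholders; the visible link text imitates a legitimate site.
SAMPLE_EML = """\
From: "OCR HIPAA Audit" <audit@ocr-hipaa-verify.example>
To: privacy.officer@clinic.example
Subject: URGENT: Verify your HIPAA audit contact information
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Covered Entity,</p>
<p>You must respond within 24 hours. Confirm your contact details and
provide your Social Security number at
<a href="http://login.hhs-audit-portal.example/verify">https://www.hhs.gov/ocr/audit</a>.</p>
</body></html>
"""

GENERIC_GREETING = re.compile(r"\bDear\s+(Customer|Covered Entity|User|Member|Sir|Madam)\b", re.I)
PERSONAL_INFO = re.compile(r"social security|password|date of birth|account number", re.I)
URGENCY = re.compile(r"\burgent\b|immediately|within \d+ (hours|days)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL; bare 'www.' text is treated as an http URL."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def spoofed_links(html):
    """Links whose visible text is itself a URL but whose href goes to another host.
    This is the programmatic form of hovering over a link to see where it really goes."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, text) for href, text in collector.links
            if re.match(r"(https?://|www\.)", text, re.I) and _host(text) != _host(href)]


def find_warning_signs(raw_message):
    """Return a dict describing which warning signs appear in one raw email."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text = re.sub(r"<[^>]+>", " ", html)  # crude tag strip for the prose checks
    subject = msg.get("Subject", "")
    return {
        "generic_greeting": bool(GENERIC_GREETING.search(text)),
        "personal_info": bool(PERSONAL_INFO.search(text)),
        "urgency": bool(URGENCY.search(subject + " " + text)),
        "spoofed_links": spoofed_links(html),
    }


if __name__ == "__main__":
    for sign, found in find_warning_signs(SAMPLE_EML).items():
        print(f"{sign}: {found}")
```

Run against the constructed sample, all four signs fire, and the spoofed-link entry shows the displayed `hhs.gov` text beside the unrelated host it actually points to. A message from a sender you can call and confirm, with a link whose text and destination agree, produces no findings; the script supports the judgment in the tips above but does not replace verifying the sender by phone.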