HIPAA Audit Emails: Are They Legitimate?

May 20, 2016

TMLT has received questions about the authenticity of recent emails from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Earlier this year, HHS announced that OCR was launching Phase 2 of the HIPAA Audit Program. The announcement stated:

The 2016 audit process begins with verification of an entity’s address and contact information. An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.

Below are samples of actual OCR HIPAA audit emails (with identifying information removed).

The first email is to verify that the person receiving the email is the correct contact.

<image 1>

The second email explains the audit process and asks the organization to complete a screening questionnaire.

<image 2>

<image 3>

Here are a few tips to help you spot a phishing attempt or spoofed email:

  • Emails with generic greetings (not your name)
  • Emails requesting personal information 
  • Emails requesting an urgent response
  • Emails with spoofed links. To check, move your cursor and hover over the hyperlink to display the link (see below)

<image 4>

  • Verify the email by calling the sender.
  • Contact your security officer, IT staff or consultant if you have questions about the legitimacy of an email.
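The hover check in the tip above can be applied to a whole HTML message at once. The script below is an added example, not part of the TMLT article: it lists every link whose visible text looks like a web address but whose real target points at a different host. The sample message and its domains are constructed placeholders, not actual OCR addresses.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Host name of a URL; bare 'www.example.com/path' display text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def find_spoofed_links(html_body):
    """Return (visible_text, real_target) for every link whose visible text looks like
    a web address but whose href leads to a different host, i.e. what hovering reveals."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    suspicious = []
    for href, text in parser.anchors:
        if "." not in text or " " in text:
            continue  # wording such as "click here" carries no host to compare
        if _host(text) != _host(href):
            suspicious.append((text, href))
    return suspicious

# Constructed sample message; the domains are placeholders, not real OCR addresses.
SAMPLE_EMAIL = """<p>Please confirm your contact details at
<a href="http://verify.example.net/login">https://www.example.com/ocr/audit</a>
or read the notice at <a href="https://www.example.com/ocr/audit">https://www.example.com/ocr/audit</a>.</p>"""

if __name__ == "__main__":
    for text, target in find_spoofed_links(SAMPLE_EMAIL):
        print(f"Displayed {text!r} but actually goes to {target!r}")
```

Links whose visible wording is plain text (such as "click here") are skipped, since there is no displayed host to compare; those still need the manual hover check.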
