First, let's all acknowledge the tragic irony of exposing HIPAA-protected information because of phony HIPAA audit program correspondence. It is, however, a pretty common strategy. Most of these scams attempt to scare users so they will hastily click a malicious link. For example, say you get a message that appears to be from your bank and reads, "We recently closed your account per your request. If this is incorrect, click here."
"WAIT A MINUTE?!" you may think. "I didn't close my account. I should click here and get this straightened out right away. Ok, I see all I need to do to clear up this matter is enter my social security number, my birthday, my mother's maiden name, my favorite pet's name, and the model of my first car...seems reasonable."
This scam is particularly tricky because it mimics legitimate OCR correspondence, which also contains links. To be clear, I would not click on those links, either. Instead, verify the correspondence by going to the OCR website manually and using contact information obtained independently of any links in the questionable email message.
If you retain nothing else from this article, remember this: do not click on any links in any email message. If you must, then only click on verified links in expected messages from trusted sources.
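The manual check described above (does the link actually go where it claims to?) can also be automated for a mail gateway or help desk triage. The following is an added example, not code from this article or from MiraVista: it parses the HTML body of a message, pulls out every anchor, and flags links whose destination is outside an allowlist of expected domains or whose visible URL text does not match the real href. The allowlist entry `hhs.gov`, the `example.net` hosts, and the sample message body are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# ASSUMPTION: legitimate OCR links are expected to land on hhs.gov. Replace with
# your own allowlist of domains you have verified independently of any email.
EXPECTED_DOMAINS = {"hhs.gov"}

# Matches a URL written out in the visible link text (the "what it looks like" part).
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive 'last two labels' reduction (www.hhs.gov -> hhs.gov).
    ASSUMPTION: adequate for .gov/.com style hosts; not a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def audit_links(html, expected_domains=EXPECTED_DOMAINS):
    """Return a list of suspicious links with the reason each one was flagged."""
    findings = []
    for href, text in extract_links(html):
        parsed = urlparse(href)
        scheme = parsed.scheme.lower()
        href_host = parsed.hostname or ""
        href_dom = registrable_domain(href_host)
        reasons = []

        if scheme not in ("http", "https"):
            # mailto:, tel:, javascript: etc. never point at the site you expect.
            reasons.append("non-web link scheme: %s" % (scheme or "none"))
        elif href_dom not in expected_domains:
            reasons.append("href domain %s not in allowlist" % href_dom)

        # A visible URL that differs from the real destination is the classic lure.
        match = URL_IN_TEXT.search(text)
        if match:
            text_host = urlparse(match.group(0)).hostname or ""
            if registrable_domain(text_host) != href_dom:
                reasons.append("visible URL %s does not match href host %s"
                               % (text_host, href_host or "(none)"))

        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message: one genuine-looking link, one lure, one mailto.
SAMPLE_EMAIL_HTML = """
<p>This message is from the Office for Civil Rights regarding the HIPAA audit program.</p>
<p>Review the audit program description at
<a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/">https://www.hhs.gov/hipaa/...</a>.</p>
<p>Confirm your participation here:
<a href="http://hhs-audit-portal.example.net/confirm">https://www.hhs.gov/ocr/confirm</a></p>
<p>Questions? <a href="mailto:ocr@example.net">Contact us</a></p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The first link passes because both its visible text and its destination reduce to the allowlisted domain; the second is flagged twice (off-allowlist destination and a visible URL that does not match it); the mailto link is flagged because it is not a web link at all. In practice this check belongs in a gateway or a triage script, and a clean result still does not replace navigating to the site yourself.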
If you want more information on how to educate your staff and help protect your company from phishing scams and other security threats, consider the MiraVista on-demand training DME Security: Keep Current Without Breaking the Bank.