The phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at www.hhs-gov.us. This is a subtle difference from the official email address for the HIPAA audit program, OSOCRAudit@hhs.gov. Such deviousness is typical in phishing scams.
In no way is the firm associated with HHS or OCR. In the event that you or your organization has a question about the legitimacy of an apparently official communication from the agency regarding a HIPAA audit, please contact OCR via email OSOCRAudit@hhs.gov.