Be Aware: Current Phishing Email is Disguised as Official OCR Audit Communication
As many HIPAA covered entities and their business associates are aware, the Office for Civil Rights (“OCR”) division of the United States Department Health and Human Services (“HHS”) has begun a second-round of audits to examine compliance with the HIPAA Privacy, Security and Breach Notification Rules. Specifically, the audits are intended to review the policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.
In an alert issued today, the HHS announced that it has come to their attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of the OCR’s Director, Jocelyn Samuels. The email appears to be an official government communication and targets employees of HIPAA covered entities and their business associates. The email prompts recipients to click a link regarding possible inclusion in the HIPAA audit program. The link then directs individuals to a website marketing cybersecurity services. The HHS is taking the unauthorized use of its material very seriously and stresses that the site is in no way associated with the HHS or OCR. Anyone wondering if they have, in fact, received an official HHS or OCR communication may send an email to OSOCRAudit@hhs.gov to seek verification.
IRS Deadline for Providing 2016 ACA Statements to Employees Extended to March 2, 2017
Under the Affordable Care Act’s information reporting rules, an “applicable large employer” (meaning an employer with at least 50 full-time, including full-time equivalent employees) must file a Form 1095-C with the IRS for each employee who was a full-time employee for any month of the calendar year. The employer also must provide each full-time employee a completed Form 1095-C (or a satisfactory substitute for such form).
Larger employers must also provide a Form 1095-C (or substitute form) to each of its full-time employees, regardless of whether the employer offered health coverage to all, some, or none of its full-time employees.
In Notice 2016-70, the IRS recently offered a 30-day extension of the (otherwise applicable) January 31, 2017 deadline to furnish the Form 1095-C statements to employees. The new due date for providing the ACA statements to employees is March 2, 2017. This is a hard deadline; no 30-day extension may be obtained.
Note that there is no extension of the deadline to provide the Forms 1095-C to the IRS under cover of transmittal Form 1094-C. The deadline for paper filing is February 28, 2017 and the electronic filing deadline is March 31, 2017. (Electronic filing is required for applicable large employers filing 250 or more employee statements.)