The U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) has made public its long-awaited HIPAA audit protocol, posting it on its website June 26.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended the Health Insurance Portability and Accountability Act in 2009, required OCR to conduct a pilot audit program to assess HIPAA compliance. To conduct those audits, OCR established the audit protocol, which is searchable and organized into modules. The first 20 preliminary audits have been completed; in all, 115 covered entities will be audited in the pilot program, which will end in December 2012.

The audit protocol covers the following requirements:

  • The Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • The Security Rule requirements for administrative, physical, and technical safeguards.
  • The requirements for the Breach Notification Rule.

The goal of the audits is to analyze trends, improve overall compliance and identify best practices, according to Linda Sanches, senior advisor for health information privacy at OCR, reporting on the audits at an OCR/NIST conference in early July. OCR does not plan to penalize auditees found in violation, though it will do so if it uncovers “serious compliance issues,” she said.

Source: Marla Durben Hirsch, June 27, 2012.