The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

The Department of Health and Human Services Office for Civil Rights (OCR) recently released the audit protocol that is used in the Health Insurance Portability and Accountability Act (HIPAA) Audit Program.

The HIPAA audit program protocol is organized into two modules and incorporates elements of the HIPAA privacy, security, and breach notification rules to assess covered entities’ compliance.

The protocol includes audit procedures related to the following:

  • HIPAA Privacy requirements for notices of privacy practices for protected health information (PHI); rights to request privacy protection for PHI; access of individuals to PHI; administrative requirements; uses and disclosures of PHI; amendment of PHI; and accounting of disclosures.
  • HIPAA Security requirements for administrative, physical, and technical safeguards.
  • Breach notification requirements.

According to OCR, the audit protocol may be tailored to better suit the various types of covered entities under review. Organizations may access the HIPAA audit protocol on the OCR website.

The OCR audit protocol is available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html.