On August 10, 2012, the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“DHHS”) published its audit protocol for assessing compliance with the Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). OCR plans to conduct a total of 115 audits of covered entities by the end of 2012, and it is expected that the protocol will be refined and clarified as additional audits are completed.

The protocol covers 165 areas of performance evaluation, including 88 related to the Privacy Rule and Breach Notification Rule and 77 related to the Security Rule. With respect to the Privacy Rule, the audit protocol addresses the following specific areas:

•Notice of privacy practices.

•Rights to request privacy protection.

•Access of individuals to protected health information.

•Administrative requirements.

•Uses and disclosures of protected health information.

•Amendment of protected health information.

•Accounting of disclosures.

The audits are also focused on technical safeguards under the Security Rule, such as the use of encryption technology, and requirements related to the Breach Notification Rule, including risk assessment processes and the content and timeliness of notifications.

To access the audit protocol, click here.