OCR Releases Comprehensive Audit Protocol for HIPAA Audit Pilot Program

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has released a comprehensive audit protocol for the audit pilot program of its health information privacy and security compliance program. Mandated by the Healthcare Information Technology for Economic and Clinical Health (HITECH) Act, the audit program provides for periodic audits to ensure covered entities and business associates are complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules and breach notification standards. The protocol, which contains the requirements to be assessed during OCR’s performance audits, is organized around modules that represent the separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.