Industry News

OCR’s Audit Protocol for the HIPAA Audit Program

The Department of Health and Human Services Office for Civil Rights (OCR) recently released the audit protocol that is used in the Health Insurance Portability and Accountability Act (HIPAA) Audit Program.

The HIPAA audit program protocol is organized into two modules and incorporates elements of the HIPAA privacy, security, and breach notification rules to assess covered entities’ compliance.

The protocol includes audit procedures related to the following:

  • HIPAA Privacy requirements for notices of privacy practices for protected health information (PHI); rights to request privacy protection for PHI; access of individuals to PHI; administrative requirements; uses and disclosures of PHI; amendment of PHI; and accounting of disclosures.
  • HIPAA Security requirements for administrative, physical, and technical safeguards.
  • Breach notification requirements.

According to OCR, the audit protocol may be tailored to better suit the various types of covered entities under review. Organizations may access the HIPAA audit protocol on the OCR website.

The OCR audit protocol is available at:

“Audit Protocol.” Jun. 2012. Department of Health and Human Services Office for Civil Rights. 27 Jun. 2012. <>.