The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) has been conducting HIPAA privacy, security and breach audits since early this year and today released the protocol that it has been using to inform the audit process.

The Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 required HHS to conduct audits to determine how well companies are complying with the privacy, security and breach notification rules stemming from the Health Insurance Portability and Accountability Act (HIPAA). Late last year, HHS and OCR contracted with accounting and consulting firm KPMG to commence the audits.

According to the HHS Web site detailing the protocol for the auditing process:

  • The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
  • The protocol covers requirements for the Breach Notification Rule.