The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has posted the Health Insurance Portability and Accountability Act (HIPAA) audit protocol on its website. The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the audit mandate of the Health Information Technology for Economic and Clinical Health (HITECH) Act, legislation created to stimulate the adoption of electronic health records and supporting technology.
According to the HHS website, OCR established an audit protocol that contains the requirements to be assessed through the performance audits. The audit protocol is organized around modules, which represent separate elements of privacy, security, and breach notification. There are 77 audit procedures for the HIPAA Security Rule and 88 procedures for the combined Privacy and Breach Notification Rules. The combination of these multiple requirements may vary based on the type of covered entity selected for review.