The Department of Health and Human Services Office for Civil Rights (“OCR”) has posted an audit protocol on its website to provide information about the procedures currently being used by OCR as part of its new audit program.

The protocol is presented in a sortable table format listing the applicable sections of the relevant rules and the established performance criteria, key activities and audit procedures associated with each section. The audit protocol for the HIPAA Security Rule also lists whether the implementation specification is required or addressable pursuant to that Rule.

There are a total of 77 audit procedures for the HIPAA Security Rule and 88 procedures for the combined Privacy and Breach Notification Rules.

As we previously reported, OCR Director Leon Rodriguez has indicated that he expects the audit program will become “permanent and robust.” Accordingly, covered entities and business associates should use this new tool provided by OCR to evaluate their compliance posture with respect to the HIPAA Rules.