OCR Releases HIPAA Audit Protocol

July 23, 2012

Protocol provides clues regarding areas of focus for ongoing HIPAA audits assessing compliance with the Privacy, Security, and Breach Notification Rules.

The Office for Civil Rights (OCR) at the Department of Health and Human Services recently published its audit protocol for assessing compliance with the Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH). The audit protocol can be accessed here. As required under HITECH, OCR has increased its HIPAA enforcement efforts by implementing a new audit program. Employer-sponsored group health plans are among the HIPAA-covered entities that may be selected for audit by OCR in the initial stages of its audit program.

Areas Covered by Audit Protocol

The protocol was developed in conjunction with the audit of the first 20 covered entities selected for OCR's audit program, including health plans, doctor groups, and hospitals. OCR plans to conduct a total of 115 audits of covered entities by the end of 2012, and it is expected that the protocol will be refined and clarified as additional audits are completed.

The protocol covers 165 areas of performance evaluation, including 88 related to the Privacy Rule and Breach Notification Rule and 77 related to the Security Rule. With respect to the Privacy Rule, the audit protocol addresses the following specific areas:

  • Notice of privacy practices
  • Rights to request privacy protection
  • Access of individuals to protected health information
  • Administrative requirements
  • Uses and disclosures of protected health information
  • Amendment of protected health information
  • Accounting of disclosures

The protocol also shows that the OCR audits are focused on technical safeguards under the Security Rule, such as the use of encryption technology, and requirements related to the Breach Notification Rule, including risk assessment processes and the content and timeliness of notifications.

OCR Senior Advisor David Mayer stated recently that money has been appropriated for the audit program to continue in 2013 and 2014, and he expects it will be expanded to include business associates some time after the new HIPAA omnibus regulations are released this summer.


While the HIPAA audit protocol does not contain any major surprises, its publication serves as a reminder of the increased enforcement activity in this area. We recommend that group health plan sponsors and their business associates conduct periodic self-audits of their HIPAA privacy policies and procedures to ensure they are best positioned to demonstrate compliance if confronted with an OCR audit. HIPAA training should be provided on a regular basis to all employees with access to protected health information, and sufficient resources should be allocated to designated HIPAA privacy officers so that they may respond to complaints, conduct breach investigations, and take other actions required of them under HIPAA and HITECH.

For more information about the HIPAA services for group health plan sponsors and their business associates offered by Morgan Lewis's Employee Benefits and Executive Compensation Practice, review the HIPAA Privacy Compliance Initiative brochure here.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis attorneys:

Saghi "Sage" Fattahian

New York
Craig A. Bitman

Robert L. Abramowitz
Georgina L. O'Hara
Steven D. Spencer

Lauren B. Licastro

San Francisco
W. Reece Hirsch

Washington, D.C.
Althea R. Day