In late March or early April 2016, the Department of Health and Human Services’ Office for Civil Rights, without much fanfare, posted an updated audit protocol. A PDF version of the document is 212 pages long. The format and content differs significantly from the prior version, and contains additional detail for certain criteria. For example, the old protocol required auditors to “[o]btain and review documentation of how the covered entity has verified the identity of several recent requestors of PHI.”
The new protocol has language that is not limited to covered entities, and it requires auditors to "[o]btain and review sample documentation, consistent with the established performance criterion, of how the covered entity has verified the identity of several recent requestors of PHI." The protocol lists documents that may satisfy the criterion, including "a copy of or notification of the official credentials, a completed verification checklist, a copy of the request on official letterhead, etc." The protocol appears to be a very useful tool that covered entities and business associates could use to assess their level of HIPAA compliance.