The Department of Health & Human Services (HHS) is required under Section 13411 of the HITECH Act to conduct periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, HHS’ Office for Civil Rights (responsible for enforcing the HIPAA Privacy and Security Rules) piloted an audit program of covered entities to assess privacy and security compliance. The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate.

OCR has now published audit protocols for HIPAA Security and HIPAA Privacy and Breach. The protocols may be found at:

The audit protocols cover Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures. The protocols also cover Security Rule requirements for administrative, physical, and technical safeguards. In addition, the protocols cover requirements for the Breach Notification Rule.

Covered entities and business associates should review the OCR protocols and self-assess their data privacy and security program against them to better assess their own HIPAA compliance and implement enhancements or corrective actions that may be necessary to improve their programs.