In our November 30, 2011 and March 7, 2012 posts, we discussed the HHS Office for Civil Rights (OCR) audit pilot program, which began in November 2011 and is expected to conclude in December 2012. The audit program has been developed pursuant to the requirements of the HITECH Act. Under the audit pilot program, OCR conducted an initial 20 audits, with on-site field work completed in March 2012. It will conduct an additional 95 audits as part of the pilot program, for a total of 115 audits through December 2012.

Today, OCR released on its website the comprehensive audit protocol that it developed for the audit program. According to OCR, the audit program is designed to analyze key processes, controls and policies of the audited covered entities. OCR’s audit protocol contains the requirements to be assessed in the audits, and is organized around modules that represent separate elements of the Privacy, Security and Breach Notification Rules. It covers the requirements of the Breach Notification Rule; the Security Rule requirements for administrative, physical and technical safeguards; and the Privacy Rule requirements for (1) a notice of privacy practices, (2) right of an individual to request privacy protection for protected health information (PHI), (3) right of an individual to access his/her PHI, (4) administrative requirements, (5) uses and disclosures of PHI; (6) amendment of PHI and an individual’s right to request amendment of PHI; and (7) accounting of disclosures.