Originally published in Compliance Today on December 1, 2012.

..Covered entities are now subject to privacy and security audits by OCR.

..OCR published audit protocols regarding its standards for such audits.

..The audit protocols cover the HIPAA Privacy Rule, Security Rule, and Breach Notification requirements.

..Policies and procedures and documentation are of utmost importance to auditors.

..The audit protocols should be used as a compliance tool.

In order to ensure that covered entities comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and Breach Notification requirements, and as mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH), the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has begun performing privacy and security audits of covered entities. OCR initiated a pilot audit program to perform 115 audits of covered entities between November 2011 and December 2012, and this pilot program has helped OCR refine the HIPAA requirements that it will assess during its audits. In June 2012, OCR published audit protocols that provide more clarity on auditors’ standards for performing HIPAA compliance audits of covered entities and business associates.