Shhh….OCR Releases New HIPAA Audit Protocol

Akerman LLP - Health Law Rx

Just in time for the Phase 2 audits, the Department of Health and Human Services Office for Civil Rights (OCR) quietly posted the updated HIPAA Audit Protocol on its website. The new audit protocol has been updated to include business associates who became subject to HIPAA following the 2013 HIPAA Omnibus Final Rule. The protocol covers Privacy Rule, Security Rule and Breach Notification Rule requirements and consists of a table that references the relevant rule section, established performance criteria and the audit inquiry. The protocol is available for public view at and is searchable by key words. The revised protocol will be used by OCR in conducting Phase 2 audits and expands the areas of compliance that will be examined to reflect the Omnibus Final Rule. OCR will accept “feedback” on the audit protocol at this email address,, but the agency will not be publishing the protocol in the Federal Register and there is no comment period.

OCR representatives have said that covered entities will receive letters about the audits in May and business associates will receive the letters in June or July. While only 200 entities will be subject to the audits, the audit protocol is a helpful tool to business associates and covered entities that would like to assess their HIPAA compliance or which are the subject of an audit or investigation following a HIPAA breach.

Within the last week, the OCR also posted a copy of the pre-screening questionnaire that is being sent to business associates and covered entities to create the pool of audit subjects (see – prior blog post). The pre-screening questionnaire may be accessed at

Additionally, the OCR posted a sample business associate list template for covered entities and business associates to use in compiling a list of their business associates and subcontractors. The sample template may be accessed at

The HIPAA Audit Protocol is very detailed and complex, covering approximately 180 areas of potential review by OCR. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akerman LLP - Health Law Rx | Attorney Advertising

Written by:

Akerman LLP - Health Law Rx

Akerman LLP - Health Law Rx on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.