HIPAA Updates Audit Protocol

The Phase 2 HIPAA Audit Program reviews the policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These analyses are conducted using a comprehensive audit protocol that has been updated to reflect the Omnibus Final Rule.



The changes to the HIPAA policy are outlined here, and general instructions are available below. 

General Instructions:

  1. Where the document says “entity,” it means both covered entities and business associates unless identified as one or the other;
  2. Management refers to the appropriate privacy, security, and breach notification official(s) or person(s) designated by the covered entity or business associate for the implementation of policies and procedures and other standards;
  3. Entities must provide only the specified documents, not compendiums of all entity policies of procedures. The auditor will not search for relevant documentation that may be contained within such compilations;
  4. Unless otherwise specified, all document requests are for versions in use as of the date of the audit notification and document request;
  5. Unless otherwise specified, selected entities should submit documents via OCR’s secure online web portal in PDF, MS Word or MS Excel formats;
  6. If the requested number of documentations of implementation is not available, the entity must provide instances from equivalent previous time periods to complete the sample. If no documentation is available, the entity must provide a statement to that effect.
  7. Workforce members include entity employees, on-site contractors, students, and volunteers; and,
  8. Information systems include hardware, software, information, data, applications, communications, and people.