START
The Phase 2 HIPAA Audit Program reviews the policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These analyses are conducted using a comprehensive audit protocol that has been updated to reflect the Omnibus Final Rule. The audit protocol is organized by Rule and regulatory provision and addresses separately the elements of privacy, security, and breach notification. The audits performed assess entity compliance with selected requirements and may vary based on the type of covered entity or business associate selected for review. You may submit feedback about the audit protocol to OCR at OSOCRAudit@hhs.gov.
The protocol is available for public review and searchable by keyword(s) in the table below; export options will be made available soon. (in 5 years they still have not done that, so they do mean soon in the context of how fast the government moves.)
General Instructions:
- Where the document says "entity," it means both covered entities and business associates unless identified as one or the other;
- Management refers to the appropriate privacy, security, and breach notification official(s) or person(s) designated by the covered entity or business associate for the implementation of policies and procedures and other standards;
- Entities must provide only the specified documents, not compendiums of all entity policies of procedures. The auditor will not search for relevant documentation that may be contained within such compilations;
- Unless otherwise specified, all document requests are for versions in use as of the date of the audit notification and document request;
- Unless otherwise specified, selected entities should submit documents via OCR's secure online web portal in PDF, MS Word or MS Excel formats;
- If the requested number of documentations of implementation is not available, the entity must provide instances from equivalent previous time periods to complete the sample. If no documentation is available, the entity must provide a statement to that effect.
- Workforce members include entity employees, on-site contractors, students, and volunteers; and,
- Information systems include hardware, software, information, data, applications, communications, and people.
Here is a link to a usable excel file:
DOWNLOAD