Skip to Content

OCR HIPAA Audit Protocol

The HITECH Act mandates that HHS perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. To comply with this mandate, the HHS Office of Civil Rights (OCR) established a pilot audit program in 2011 to assess the controls, processes, and policies that covered entities have implemented to comply with the HIPAA Rules. OCR developed and utilizes a protocol to measure the efforts of covered entities, which contains the requirements to be assessed during performance audits. The protocol covers the following:

  • All requirements for the Breach Notification Rule;
  • All Security Rule requirements for administrative, physical, and technical safeguards; and
  • Privacy Rule requirements for:
    • Notice of Privacy Practices for PHI;
    • Rights to request privacy protections for PHI;
    • Individual access to PHI;
    • Administrative requirements;
    • Uses and disclosures of PHI;
    • Amendment of PHI; and
    • Accounting of disclosures

The protocol can be downloaded in full or by each separate rule as as an Excel file (CSV or XML) and is available online ( Note that the protocol has not yet been updated to reflect the requirements in the 2013 HIPAA Omnibus Final Rule, but will be updated in the future.  

View all resources on HIPAA here.