HHS has released its protocol for conducting HIPAA privacy and security audits. The protocol identifies the specific questions that will be asked and documents that will be requested of audited organizations.
The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
The protocol covers requirements for the Breach Notification Rule.
The protocol is available for public review and searchable by keyword(s) in the table at the URL below.
See on ocrnotifications.hhs.gov