On June 26, 2012, the Department of Health and Human Services' Office of Civil Rights ("OCR") released the audit protocols it is using in auditing covered entities under HIPAA, which is relevant to increased enforcement of the privacy rules. The information, located here, includes audit protocols for both the Security Rule and the Privacy Rule (including the Breach Notification provisions), broken down by Federal Regulation section. For example, when auditing covered entities with respect to their use of de-identified information, auditors are instructed to ask the covered entity’s management team whether a policy or procedure exists to de-identify protected health information, to review such policies and procedures in relation to regulatory criteria, and to verify that they are updated and presented to the covered entity’s workforce. This release provides insight into the OCR’s concerns regarding HIPAA and can assist covered entities in developing their own HIPAA compliance programs. Since even small physician practices have been subjects of enforcement, compliance with the privacy and security rules is yet a new imperative.