§164.306(a): Covered entities and business associates must do the following: (1)Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits. (2)Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3)Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part; and (4) Ensure compliance with this subpart by its workforce. Audit Inquiry General requirements, not a part of an audit inquiry: The Security Rule compliance practices of covered entities and business associates will be audited against the specific requirements described in the following sections. These specific requirements will be assessed based on the overarching principles set forth in the general requirements that pertain to all the security standards. Specifically, does the covered entity or business associate: 1. Ensure confidentiality, integrity and availability of ePHI? 2. Protect against reasonably anticipated threats or hazards to the security or integrity of ePHI? 3. Protect against reasonably anticipated uses or disclosures of ePHI that are not permitted or required by the Privacy Rule? 4. Ensure compliance with Security Rule by its workforce?

§164.530(h) Standard: Waiver of rights. A covered entity may not require individuals to waive their rights under § 160.306 of this subchapter, this subpart, or subpart D of this part, as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits. Audit Inquiry Has the covered entity required individuals to waive their right to complain to the Secretary of HHS about a covered entity or business associate not complying with these Rules, as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits? Obtain and review policies and procedures and patient/health plan member intake information to ensure that waiver is not required.