A HIPAA audit is a formal review conducted by the federal government to check whether healthcare organizations and their partners are properly protecting patient health information. The Office for Civil Rights (OCR), a division of the U.S. Department of Health and Human Services, runs the audit program. These audits evaluate compliance with three core HIPAA rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
Why HIPAA Audits Exist
The HITECH Act of 2009 requires HHS to periodically audit organizations that handle protected health information (PHI). Before the audit program, OCR primarily learned about compliance failures after something went wrong, through patient complaints or data breach reports. Audits flip that approach. They let regulators examine how organizations protect health data before a breach happens, identifying risks and vulnerabilities that complaint investigations would never surface.
OCR also uses audits to identify best practices across the industry. The goal isn’t purely punitive. The program helps regulators understand the real-world compliance landscape, from large hospital systems down to small physician practices and the vendors they work with.
Who Gets Audited
Two categories of organizations fall under the audit program: covered entities and business associates. Covered entities include health plans, healthcare providers who transmit information electronically, and healthcare clearinghouses. Business associates are the companies and contractors that handle protected health information on behalf of covered entities, such as cloud storage providers, billing companies, IT firms, and shredding services.
OCR selects a range of entity types and sizes for audit. The program is designed to assess compliance efforts across the full spectrum of organizations subject to HIPAA, not just the largest or most visible ones. If your organization creates, receives, maintains, or transmits protected health information, it could be selected.
Business associates are held to HIPAA standards through business associate agreements (BAAs) they sign with covered entities. While HIPAA doesn’t require a business associate to let its customers audit its security practices directly, many covered entities negotiate that right into their contracts as part of their own risk management.
What Auditors Evaluate
The audit protocol covers three pillars of HIPAA compliance, and auditors may focus on specific requirements within each one depending on the type of organization being reviewed.
Privacy Rule
This covers how your organization handles patient information in day-to-day operations. Auditors look at whether you have policies governing who can access health records, how you respond to patient requests for their own data, and whether you limit the information you share to the minimum necessary for a given purpose.
Security Rule
The Security Rule applies specifically to electronic protected health information (ePHI) and breaks down into three types of safeguards:
- Administrative safeguards: These are the management-level protections. Auditors check whether you’ve conducted a thorough risk analysis, assigned a specific person to oversee security, trained your workforce on security practices, established incident response procedures, and created contingency plans for emergencies.
- Physical safeguards: These address the physical environment. Auditors look at how you restrict access to facilities and equipment that store ePHI, whether workstations are properly secured, and how you handle the disposal of hardware and electronic media that once contained patient data.
- Technical safeguards: These are the digital protections. Auditors verify that only authorized people can access ePHI, that systems log and track activity, that data integrity controls prevent improper alteration or destruction of records, that identity verification is in place, and that data transmitted over networks is encrypted or otherwise protected.
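To make the technical-safeguard list concrete, here is a small added illustration (not code from the page or from OCR) of what evidence of access control, activity logging, and integrity control can look like in practice: role-based "minimum necessary" field filtering, a hash-chained audit log whose tampering is detectable, and HMAC sealing of ePHI records. The key, roles, and record fields are constructed for the demo; authentication and transmission encryption are assumed to happen before and around this code.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would keep this in a secrets store.
INTEGRITY_KEY = b"demo-key-not-for-production"

# "Minimum necessary": each role sees only the fields its job needs (constructed roles).
ROLE_FIELDS = {
    "physician": {"patient_id", "diagnosis", "medications"},
    "billing": {"patient_id", "insurance_id"},
}

def seal(record):
    """Attach an HMAC so later alteration of the record is detectable."""
    body = json.dumps(record, sort_keys=True).encode()
    return {"data": record, "mac": hmac.new(INTEGRITY_KEY, body, "sha256").hexdigest()}

def verify(sealed):
    """Integrity control: recompute the HMAC and compare in constant time."""
    body = json.dumps(sealed["data"], sort_keys=True).encode()
    expected = hmac.new(INTEGRITY_KEY, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])

class AuditLog:
    """Activity log where each entry commits to the hash of the previous one."""
    def __init__(self):
        self.entries = []
        self.last_hash = "0" * 64
    def append(self, event):
        line = json.dumps({"prev": self.last_hash, **event}, sort_keys=True)
        self.last_hash = hashlib.sha256(line.encode()).hexdigest()
        self.entries.append(line)
    def is_intact(self):
        # Replays the chain; any edited or removed entry breaks a "prev" link.
        prev = "0" * 64
        for line in self.entries:
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line.encode()).hexdigest()
        return True

def access_ephi(user, role, sealed, log):
    """An already-authenticated user requests a record; return only permitted fields."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        log.append({"user": user, "action": "denied", "reason": "no role"})
        return None
    if not verify(sealed):
        log.append({"user": user, "action": "denied", "reason": "integrity"})
        return None
    log.append({"user": user, "action": "read", "patient": sealed["data"]["patient_id"]})
    return {k: v for k, v in sealed["data"].items() if k in allowed}
```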
Breach Notification Rule
This evaluates whether your organization has a process for identifying breaches and notifying affected individuals, HHS, and in some cases the media, within the required timeframes. Auditors want to see that you have written procedures and that your staff knows how to follow them.
How the Audit Process Works
The audit program reviews the policies and procedures an organization has adopted to meet selected HIPAA standards. Not every audit covers every single HIPAA requirement. OCR may focus on a subset of rules, and the scope can vary depending on whether the organization is a covered entity or a business associate.
When selected, you’ll receive notification from OCR and be asked to submit documentation demonstrating your compliance. This typically includes written policies, training records, risk analysis documentation, incident response plans, and evidence that safeguards are actually in place and functioning. The audit protocol has been updated to reflect the Omnibus Final Rule, which expanded HIPAA requirements to business associates and strengthened several privacy and security provisions.
The review itself is either a desk audit or an on-site examination. OCR assessors compare your documentation and practices against the audit protocol, then produce findings. Organizations receive a draft report and have an opportunity to respond before final findings are issued.
How a HIPAA Audit Differs From a Risk Assessment
These two terms get confused frequently, but they serve different purposes. A HIPAA audit is an external review conducted by OCR or a third party to evaluate your overall compliance with HIPAA rules. A security risk assessment (sometimes called a security risk analysis) is something you’re required to do internally as an ongoing part of HIPAA compliance. It’s the process of identifying where your ePHI lives, what threats exist, and how vulnerable your systems are.
Here’s the connection: when OCR auditors show up, one of the first things they look for is evidence that you’ve been conducting regular risk assessments. A missing or outdated risk assessment is one of the most common findings in HIPAA enforcement actions. The risk assessment is something you do yourself to stay compliant. The audit is what happens when regulators check your work.
What Happens if You Fail
HIPAA audits themselves are primarily designed to assess and improve compliance, not to immediately penalize organizations. However, serious issues uncovered during an audit can lead to a formal compliance review, which can result in corrective action plans or financial penalties.
The penalty structure for HIPAA violations has four tiers based on the level of fault:
- Unknowing violations: $100 to $50,000 per violation, with an annual cap of $25,000 for repeat violations of the same type.
- Reasonable cause: $1,000 to $50,000 per violation, capped at $100,000 annually for repeat violations.
- Willful neglect, corrected promptly: $10,000 to $50,000 per violation, up to $250,000 annually.
- Willful neglect, not corrected: A flat $50,000 per violation, with an annual maximum of $1.5 million.
The financial exposure adds up quickly because each affected patient record can count as a separate violation. An organization with a systemic compliance gap affecting thousands of patients faces penalties that multiply accordingly.
How to Prepare
Most organizations that struggle with HIPAA audits share the same basic problem: they lack documentation. Having good security practices in place isn’t enough if you can’t prove it on paper. The audit program specifically reviews the policies and procedures you’ve adopted, which means written evidence is essential.
At a minimum, you should have current, written policies covering each area of the Privacy, Security, and Breach Notification Rules. You need a documented risk analysis that’s been updated within the past year, along with evidence of how you addressed the risks it identified. Training records should show that every member of your workforce has been educated on HIPAA requirements relevant to their role. Incident response logs, access controls documentation, and business associate agreements should all be organized and accessible.
Many organizations conduct internal mock audits or hire third-party consultants to run through the OCR audit protocol before a real audit occurs. OCR publishes its audit protocol publicly, so there’s no mystery about what they’re looking for. The protocol maps directly to specific HIPAA standards and implementation specifications, giving you a clear checklist to measure yourself against.