What Is an Audit in Healthcare? Types and Purpose

A healthcare audit is a structured review of clinical practices, medical records, or organizational processes to determine whether they meet a defined standard of quality, safety, or regulatory compliance. Unlike medical research, which generates new knowledge, an audit measures current performance against an existing benchmark and identifies where gaps exist. Healthcare organizations use audits to reduce errors, maintain accreditation, ensure proper billing, and protect patient data.

The Three Main Types of Healthcare Audits

Healthcare audits fall into three broad categories, each with a different scope and purpose.

Clinical audits are led by healthcare professionals within a hospital or clinic. A physician team might audit how often patients with a specific condition receive a recommended treatment, then compare their rate to the published clinical guideline. These are local initiatives focused on improving the care patients actually receive at the bedside.

Internal audits are conducted by staff from within the organization, often quality officers or professionals from a different department than the one being reviewed. This separation helps ensure independent judgment. Internal audits typically evaluate broader operational systems: how well the hospital’s infection control protocols function, whether documentation practices meet standards, or whether privacy safeguards are in place. They often serve as preparation for an external audit.

External audits are performed by outside bodies to verify that a facility meets minimum quality and regulatory standards. Accreditation surveys, government compliance reviews, and certification inspections all fall into this category.

Despite their different scopes, all three types share the same underlying goal: improving the quality of hospital care.

How the Audit Cycle Works

A clinical audit is not a one-time event. It follows a repeating cycle, most commonly described by four phases: Plan, Do, Study, Act.

  • Plan: Define the topic, choose the standard you’re measuring against, and decide what data to collect. A surgical department might choose to audit compliance with a guideline requiring antibiotic administration within one hour before incision.
  • Do: Collect the data. This could mean pulling electronic health records, reviewing charts, or observing processes in real time.
  • Study: Analyze the results and compare them to the target standard. If the guideline calls for 100% compliance and the department hits 78%, that gap becomes the focus.
  • Act: Implement changes to close the gap, then re-audit after a set period to see if performance improved.

The cycle then repeats. Each loop is meant to push performance closer to the target. An audit that stops after one round, without re-measurement, is considered incomplete because there is no way to confirm that changes actually worked.

Regulatory and Government Audits

Several federal agencies conduct audits of healthcare organizations, each targeting a different area.

The Joint Commission runs accreditation surveys for hospitals and critical access hospitals. Its process evaluates facilities against published standards and federal Conditions of Participation. The Commission also tracks 14 National Performance Goals, which are high-priority, measurable patient safety objectives that go beyond basic regulatory minimums. Hospitals that lose Joint Commission accreditation can lose their eligibility to receive Medicare and Medicaid payments, making these surveys high-stakes events.

The Centers for Medicare and Medicaid Services (CMS) operates the Recovery Audit Program, which uses Recovery Audit Contractors (RACs) to identify improper Medicare payments. RACs review claims after they’ve been paid, looking for both overpayments that need to be returned and underpayments owed to providers. They conduct automated reviews at the system level and complex reviews that require a qualified individual to examine the actual medical record. The program covers all 50 states, divided into five regions with dedicated contractors for areas like durable medical equipment and home health services.

The Office for Civil Rights (OCR) within the Department of Health and Human Services audits compliance with HIPAA privacy and security rules. Its 2024-2025 audit cycle is reviewing 50 covered entities and business associates, with a specific focus on security provisions most relevant to hacking and ransomware attacks.

What Gets Reviewed in a Records Audit

When auditors examine medical records or electronic health records (EHRs), they typically look at several layers of documentation. The scope of the audit, communicated in advance, specifies which records to provide. Auditors then select a sample of records and analyze them for instances of noncompliance with either law or internal policy.

For EHR-specific audits, reviewers examine the data itself along with the system’s audit log, which tracks who accessed or modified records and when. Organizations are expected to have documented policies for EHR use, a monitoring process already in place, and records of any follow-up actions taken when problems were previously identified. If the facility received federal incentive payments for adopting electronic records, auditors may also verify that the system was used in a meaningful way rather than simply installed.

Coding audits are among the most common. The industry benchmark for medical coding accuracy is 95%. In practice, audits have found diagnosis coding accuracy around 92% and procedure coding accuracy around 91% when measured code by code. When accuracy is weighted to give more importance to high-impact codes (like a principal diagnosis that determines the payment category), diagnosis accuracy can drop to roughly 88%. These numbers matter because coding errors directly affect reimbursement and can trigger further scrutiny from federal auditors.

What Audits Actually Change

The evidence on whether audits improve patient outcomes is encouraging but nuanced. A mixed-method evaluation of internal patient safety audits in hospitals found that the rate of patients experiencing at least one adverse event dropped from 36.1% to 31.3% after auditing, and preventable adverse events fell from 5.5% to 3.6%. Those reductions are meaningful in absolute terms, though the study noted they did not reach statistical significance on their own.

Where the results were more clearly positive was in the patient experience. At 9 and 15 months after an internal audit, patients reported significantly higher perceptions of safety during their hospital stay. Overall quality ratings also improved significantly at the 15-month mark. On the operational side, medication safety and information security in clinical wards both showed statistically significant improvement after auditing.

Broader safety culture and team dynamics, however, did not change measurably. This suggests audits are effective at fixing specific, concrete processes (like how medications are handled or how data is secured) but less effective at shifting the overall workplace culture in the short term. Repeated audit cycles over years are generally what drive deeper organizational change.

How Audits Differ From Research

People sometimes confuse clinical audits with clinical research, but the distinction is important. Research is designed to generate new knowledge, asking “What is the best treatment?” An audit asks a different question: “Are we delivering the treatment we already know is best?” A third category, service evaluation, asks “What standard does this service achieve?” without comparing to a predefined benchmark. Audits are the only one of the three that measure current practice against a specific, pre-existing standard and then require action to close any gap.

This distinction has practical consequences. Research typically requires ethics committee approval and informed consent from participants. Clinical audits generally do not, because they are reviewing care that has already been delivered against standards that already exist. This makes audits faster to initiate and easier to repeat, which is part of why they’ve become the backbone of continuous quality improvement in healthcare systems worldwide.