HIPAA Compliance Audit: What to Know and How to Prepare, Step-by-Step

Bringing your company in line with HIPAA requirements can look daunting from the outside. There are many requirements, very little flexibility, and the threat of significant fines. But with a strong understanding of the HIPAA requirements and a compliance platform with built-in frameworks for HIPAA, the compliance process becomes much easier.

Here’s what you need to know if you’re tackling HIPAA compliance and preparing for your first audit. We’ll share what the Department of Health and Human Services (HHS) has to say about HIPAA, break down the audit process into concrete steps, and give you tips on how to make your audit go as smoothly as possible. 

What Is a HIPAA Compliance Audit?

A HIPAA compliance audit is a formal review of your company’s policies and practices around safeguarding protected health information (PHI) and electronic protected health information (ePHI). The process measures how effectively you follow HIPAA regulations, including its Privacy, Security, and Breach Notification Rules. This HIPAA audit protocol from the HHS lays out performance criteria and the type of inquiry auditors make to assess each sector of the HIPAA omnibus. 

HIPAA audits can be performed internally (by your company or a contracted third-party) or by the Office for Civil Rights (OCR) within HHS. 

When and Why You Need to Undergo a HIPAA Compliance Audit

You might undergo a HIPAA compliance audit for a few reasons. First, it’s an important part of the risk management program for any organization that handles PHI. Falling out of compliance with HIPAA can be rather expensive—even organizations that are reasonably diligent and unaware of non-compliance can be charged up to $71,162 per violation—so it’s smart to monitor your HIPAA practices closely. Regular internal audits are a best practice for any company that handles PHI.

Second, companies that work as service providers for healthcare organizations (or other partners that manage PHI) may need a formal HIPAA attestation to win a service agreement. Or, if you have existing healthcare partnerships, you may be required or requested to perform audits after major growth, especially if you expand your tech stack.

Finally, you could be selected by the Office for Civil Rights (OCR) for one of its annual audits or after a reported breach. An OCR audit isn’t necessarily a sign of wrongdoing, nor does it imply suspicion from regulators or partners. Any organization that handles PHI can be chosen as part of OCR’s ongoing enforcement efforts.

Unlike internal or partner-driven audits, OCR audits are mandatory. If selected, your organization must follow the process outlined by OCR and meet its deadlines. That’s why routine internal reviews and proactive compliance practices are so important; they prepare you to respond quickly and confidently if the OCR ever comes knocking.

The HIPAA Compliance Audit Process in 8 Steps

What should you expect during a HIPAA compliance audit, and how should you prepare? We broke the process down into eight steps to help you prepare for a smooth audit. 

Step 1: Assign Roles and Define the Scope

All organizations covered by HIPAA must have a security and privacy officer to oversee compliance with the omnibus. Your HIPAA officer will be responsible for everything from developing policies and procedures to training your workforce on HIPAA to investigating possible cyberattacks, and more. The officer will also head up communications with OCR if you’re selected for an audit.

Next, you’ll need to define your status under HIPAA. Covered entities include most healthcare providers, health plans, and healthcare clearinghouses. Business associates, on the other hand, may have a much wider range of roles; this designation covers any organization that receives PHI from a covered entity. Business associates must all comply with the HIPAA Security Rule and Breach Notification Rule, but most of the provisions set out in the HIPAA Privacy Rule do not directly apply to organizations in this category.

Finally, you’ll need to define the scope of your audit. Include any part of your system or organization that interacts with PHI or ePHI. Don't forget physical aspects like drives ePHI is stored on. You’ll also need to identify any employees who interact with PHI or are responsible for helping uphold HIPAA standards. 

Step 2: Conduct a HIPAA Risk Assessment

Understanding your HIPAA posture is the first step toward ensuring compliance. A HIPAA risk assessment helps you find weak spots in your systems that could result in the unauthorized exposure of PHI and ePHI.

As part of this step, you’ll need to:

• Identify all systems that transmit and store PHI and ePHI
• Map the data flows of PHI and ePHI across your organization
• Identify all nodes of access, both for internal users and vendors
• Evaluate administrative vulnerabilities, like the potential mismatch between your security policies and employee practices, or gaps in your administrative procedures
• Evaluate technical vulnerabilities like unpatched software or a lack of access controls
• Evaluate physical vulnerabilities like unsecured storage devices or displays seen by unauthorized individuals

A risk management solution simplifies your HIPAA risk assessment by pre-mapping risks according to the HIPAA rules, automating gap analysis, and making it easy to build your risk register. Without a compliance tool, a risk assessment will take significant manual labor. 

Step 3: Gather and Review Required Documentation

Because the HIPAA omnibus is so extensive, so is the documentation you’ll need to prove you’re HIPAA compliant. If you’re audited by the OCR or a third-party, they’ll tell you what documents are required. You can expect to need evidence of compliance with each of the HIPAA rules you’re responsible for following.

You should be ready to provide:

• Organization-wide HIPAA policies and procedures
• HIPAA risk assessments
• Workforce HIPAA training records
• HIPAA Business Associate Agreements (BAAs)
• Incident response plans
• Access logs for systems that contain ePHI
• Individual HIPAA authorizations (if relevant)

Creating, gathering, and reviewing documentation can take a long time, so be proactive and start before you’re selected by the OCR for an audit. Compliance solutions with a built-in HIPAA framework and the ability to collate information from multiple systems across your tech stack will save you time and reduce the risk of missing evidence.

Step 4: Validate Safeguards and Controls

The testing phase of your audit should include all your security controls and thus cover every provision in the HIPAA omnibus.

First, review your employee training procedures. Are all workers who may come into contact with PHI or ePHI regularly instructed on how to handle this data legally? Then, test your policies themselves: Do they address the HIPAA rules and issues raised in your risk assessment? Finally, look at your system for enforcing controls, reporting violations, and handling infractions. 

Testing your physical locations will mean checking whether unauthorized individuals can access facilities with PHI or ePHI. You’ll also want to verify the security of any locations that house critical hardware.

Finally, your technical safeguard tests must evaluate your system's security. Access to ePHI must be tightly controlled with features like encryption, multi-factor authentication, and access controls. Your software should record and save logs for activities, including log-ons, application use, and interactions with ePHI. Additionally, your organization must log firewall and anti-malware activity.

Step 5: Review Audit Logs and Audit Trails

Audit logs capture system events like logins, file access, and changes to data. When reviewed together, they form an audit trail—a chronological record of user activity. Audit trails allow you to reconstruct what happened, confirm normal use, and spot anomalies that could indicate unauthorized access.

Reviewing this activity isn’t a one-time thing; HIPAA requires organizations to monitor for unauthorized activity regularly. There’s no set frequency, but your company should pick a schedule that makes sense based on your risk assessment. You’re required to retain at least six years’ worth of audit logs (some states may require a longer retention period).

Step 6: Interview Key Personnel

As part of your audit, you’ll need to observe and interview employees to see how they interpret and follow your organization’s procedures. Shadowing individuals is often the best way to spot gaps between your desired outcomes and employees’ actions.

A mismatch between employees’ desired and actual behavior may be due to a training gap or unmet needs that prevent employees from performing their jobs. Shadow IT usage is often a sign of a tech stack that lacks important time-saving features. Though you hopefully won’t end up in this position, lackadaisical compliance practices may also stem from personnel issues.

Finally, this stage allows you to ensure your team is aware of how to respond in case of a hack, ransomware attack, or other cybersecurity issues. The Breach Notification Rule is a major part of HIPAA, so it’s important to make sure your team knows how to respond even though an attack is unlikely. 

Step 7: Report Findings and Build a Remediation Plan

Once you’ve reviewed your systems and practices, create an audit report that documents your process, findings, and any outstanding risks. Conduct a risk analysis to rank each issue by likelihood and impact, so you can prioritize remediations.

Next, build a remediation plan. Assign an owner to each risk with clear steps to reduce exposure and a way to track progress. They’re responsible for overseeing the remediation process and flagging any remaining issues the company needs to handle. If you’re working in Drata, you can create a risk drawer to track your progress and even create Jira tickets.

Make sure you save your audit reports so they can be reviewed as part of future audits. (Drata will do this automatically for you.)

Step 8: Re-Audit or Implement Continuous Monitoring (Optional)

Proving ongoing compliance will help you during an OCR audit, so make sure you schedule annual HIPAA audits. Organizations that did not pass their first audit should conduct another audit as soon as they have finished the remediation process. Others may choose to wait a year before their next audit. 

A Trust Management tool like Drata can ensure your HIPAA compliance between audits by continuously monitoring your controls and alerting you of failed tests. The more you can automate, the easier it is to stay audit-ready so you’re not caught off guard by an OCR notification.

Streamline HIPAA Compliance With Drata

Trust is the real outcome of compliance. Drata’s Trust Management platform brings security, risk, and compliance into one continuous system so you’re proving resilience to every customer, partner, and regulator who asks.

HIPAA fits naturally into that system. The framework comes pre-mapped with the controls, policies, BAAs, and training you need, backed by continuous monitoring and real-time reporting. And when it’s time to share proof, our Trust Center makes it simple to show your HIPAA posture alongside every other framework you manage.

See how to get started on HIPAA with Drata. Schedule a demo with our team.

HIPAA Audit FAQs

Still have questions about HIPAA compliance and audits? We answer common queries below.

How Often Should You Perform Internal HIPAA Audits?

Covered entities must self-audit for HIPAA compliance annually. Some organizations choose to audit once every six months to ensure confidence in their program; others use a tool like Drata to implement continuous monitoring to catch lapses outside of audit season.

Who Can Perform a HIPAA Audit?

Organizations can perform internal HIPAA audits to check their compliance, or contract a third-party auditor. Those that are selected as part of the Office for Civil Rights (OCR) audit program will be audited by an OCR agent.

What Triggers an OCR HIPAA Audit?

OCR HIPAA audits may be triggered by data breaches that expose PHI or ePHI, but any covered entity may be audited by OCR at any time. Therefore, it’s best to always be prepared for an audit.

What’s Included in an OCR HIPAA Audit?

An OCR HIPAA audit will test your compliance with the Security Rule and Breach Notification Rule of the HIPAA omnibus, as well as the Privacy Rule if it applies to your organization. You can learn more about the OCR audit protocol on the HHS website.

Can Startups or BAAs be Audited?

Yes, startups and BAAs can both be selected by the OCR for a HIPAA audit. Building your compliance program early should be a focus if you will be covered by HIPAA.