HIPAA Compliance Audit: What to Know and How to Prepare, Step-by-Step
A HIPAA compliance audit evaluates whether your organization protects patient data according to federal standards—and the results carry real consequences. OCR penalties for violations can reach up to $50,000 per violation, with annual caps in the low millions per violation category for repeated failures.
This guide walks through the HIPAA audit process, from understanding what auditors evaluate to conducting your own internal assessment and preparing for an OCR examination. It focuses primarily on the HIPAA Security Rule requirements for protecting electronic protected health information (ePHI), while recognizing that OCR audits may also address the Privacy and Breach Notification Rules.
What Is a HIPAA Compliance Audit?
A HIPAA compliance audit is a structured assessment of how well an organization protects protected health information (PHI) according to HIPAA requirements. The audit can be internal (conducted by your own team or internal audit) or external (conducted by an independent assessor or by theOffice for Civil Rights, or OCR).
Auditors typically review:
Administrative, physical, and technical safeguards
Policy and procedure documentation
Risk analysis and risk management activities
Training and workforce management
Access logs, configurations, and relevant incident records
A few key terms help clarify who HIPAA audits apply to:
Covered entities: Healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically
Business associates: Third-party vendors and contractors that create, receive, maintain, or transmit PHI on behalf of covered entities
Electronic protected health information (ePHI): PHI that is stored or transmitted electronically
Why HIPAA Audits Matter
Organizations that fail to maintain HIPAA compliance face regulatory penalties, operational disruption, and reputational damage. Proactive auditing, on the other hand, helps you find issues early and demonstrate diligence to regulators, customers, and partners.
Regulatory Penalties and Enforcement Actions
OCR enforces HIPAA and issues civil monetary penalties for violations, announcing 21 settlements in 2025 alone. Penalties scale based on the level of negligence, ranging from lower amounts for unknowing infractions up to $50,000 or more per violation for willful neglect that is not corrected. Repeated violations in the same calendar year can add up to millions of dollars in fines.
Customer and Business Partner Trust
Healthcare organizations, payers, and large partners increasingly require proof of HIPAA alignment before signing contracts. A completed audit or independent HIPAA attestation provides tangible evidence of your security and privacy program. It supports trust, but it does not replace your legal obligations under HIPAA or OCR’s enforcement authority.
Proactive Risk Identification
Regular audits help organizations identify vulnerabilities before they become breaches. Instead of scrambling after an incident, you can find gaps in controls, training, or vendor oversight and address them on your own timeline.
Types of HIPAA Audits
Organizations can encounter several types of HIPAA audits depending on their role and circumstances.
| Audit Type | Conducted By | Trigger | Typical Frequency |
|---|---|---|---|
| Internal HIPAA audit | Organization’s compliance or security team | Self-initiated | Annually and after major changes |
| Third-party HIPAA audit or attestation | Independent auditor or firm | Customer/vendor requirements, due diligence | As needed for customers or board |
| OCR HIPAA audit | Office for Civil Rights (HHS) | Random selection, complaint, or breach report | At OCR’s discretion |
Internal HIPAA Audits
Internal audits are self-assessments conducted by your own compliance, security, or internal audit team. Many organizations perform an internal HIPAA audit at least annually and whenever significant changes occur, such as:
Implementing new EHR or clinical systems
Migrating to new cloud infrastructure
Mergers and acquisitions
Expanding into new service lines or geographies
Third-Party HIPAA Audits
Independent assessments conducted by external HIPAA auditors are voluntary but increasingly expected in vendor and customer relationships. Many organizations use an AT-C 315 HIPAA attestation or similar report to provide independent, point-in-time assurance that controls were designed and operating in a manner aligned to HIPAA requirements.
OCR HIPAA Audit Program
The OCR audit program is a formal enforcement mechanism. OCR conducts periodic audits using a published audit protocol, and audits can be triggered by random selection, complaints, or following a reported breach affecting 500 or more individuals. OCR may review your implementation of the Privacy, Security, and Breach Notification Rules—not just IT security.
HIPAA Auditing Requirements
HIPAA audits—especially those focused on the Security Rule—evaluate safeguards across four main categories. OCR’s protocol maps specific requirements under each area.
Administrative Safeguards
Administrative safeguards cover policies, procedures, risk management, and workforce oversight. Key expectations include:
Documented risk analysis and ongoing risk management
Workforce security and training for all personnel with access to PHI
Designated security and privacy officials
Contingency planning for data backup, disaster recovery, and emergency operations
Sanction policies and procedures for workforce non-compliance
Physical Safeguards
Physical safeguards protect facilities and equipment that store or process ePHI. Examples include:
Facility access controls for data centers, clinics, and offices
Workstation security rules (for example, location and physical access)
Device and media controls, including secure disposal and reuse of hardware containing ePHI
Technical Safeguards
Technical safeguards are technology-based protections for ePHI, such as:
Access controls: Unique user IDs, authentication, automatic logoff, and (where appropriate) encryption
Audit controls: Systems that record and examine activity in systems containing ePHI
Integrity controls: Measures that protect ePHI from improper alteration or destruction
Transmission security: Protections (often encryption) for ePHI transmitted over networks
Organizational Requirements
Organizational requirements cover Business Associate Agreements (BAAs) and related documentation. Covered entities and business associates must have written agreements with all vendors that create, receive, maintain, or transmit PHI on their behalf. Without appropriate BAAs, you may be exposed even if your internal controls are strong.
How to Conduct a HIPAA Compliance Audit
The following steps apply whether you are conducting an internal audit, preparing for an external attestation, or getting ready for the possibility of an OCR examination.
1. Designate HIPAA Security and Privacy Officials
HIPAA requires covered entities to designate individuals responsible for privacy and security. These officials lead the audit process, coordinate across teams, and serve as points of contact for any external auditors.
2. Define Audit Scope and Objectives
Clarify what systems, processes, and locations the audit will cover. The scope should include all places where ePHI is created, received, maintained, processed, or transmitted, including:
Clinical systems and EHR platforms
Cloud infrastructure and backups
Connected medical devices and telehealth tools
Third-party services that handle PHI as part of your workflows
3. Conduct a HIPAA Risk Assessment
Formal risk analysis is a foundational Security Rule requirement and one of the most common gaps identified in OCR enforcement actions.
Start by:
Inventorying all ePHI assets and data stores
Mapping how ePHI flows between systems, departments, and third parties
Assessing likelihood and impact for each risk
Prioritizing remediation activities
Risk assessments must be updated periodically and after significant changes to your environment or operations. Annual updates are a common industry expectation, even though HIPAA itself speaks in terms of ongoing, periodic review rather than a fixed calendar schedule.
4. Review Policies and Procedures
Evaluate all HIPAA-related policies for completeness, clarity, and alignment with practice, including:
Privacy and data use policies
Security policies (access control, encryption, logging, backup, and recovery)
Breach notification and incident response procedures
Workforce sanction and acceptable use policies
Confirm that day-to-day operations match what your policies describe. Auditors typically test both documentation and actual practice.
5. Collect and Organize Compliance Evidence
Auditors and assessors require documented evidence, not just verbal assurances. Gather items such as:
Risk analyses and risk registers
Security and privacy policies with version history and approvals
Training records and completion evidence
BAAs and key vendor contracts
Access review records and audit logs
Incident reports and corrective action plans
Platforms like Drata help organizations centralize HIPAA-related controls and evidence, link safeguards to risks, and maintain defensible records so you are not scrambling to compile documentation when an audit is announced.
6. Interview Key Personnel
Speak with workforce members—including IT, security, clinical staff, and business leaders—to validate that they:
Understand HIPAA requirements relevant to their role
Follow established procedures for handling PHI and ePHI
Know how to report incidents or suspected breaches
Interviews often reveal gaps between documented procedures and actual behavior.
7. Perform Technical Testing and Control Assessments
Technical testing helps confirm that your security controls are implemented and operating as intended. Typical activities include:
Verifying access controls and role-based access
Reviewing audit logs for anomalous activity
Confirming encryption configurations (at rest and in transit, where appropriate)
Performing vulnerability scanning and, where appropriate, penetration testing
Reviewing backup and recovery configurations and recent restore tests
8. Document Findings and Create a Remediation Plan
Document all findings, including gaps, vulnerabilities, and instances of non-compliance. For each issue, capture:
Description of the finding
Impact and associated risk
Root cause where known
Recommended remediation steps
Assigned owner and target completion date
A prioritized remediation plan and evidence of follow-through demonstrate good-faith compliance efforts, which can be important if OCR ever initiates an investigation or audit.
Common HIPAA Audit Findings and How to Avoid Them
Understanding where organizations commonly fall short helps you prioritize preparation.
Incomplete or Outdated Risk Assessments
Incomplete, narrow, or outdated risk assessments are among the most frequent issues in HIPAA enforcement actions—all 10 OCR resolution agreements in early 2025 cited risk analysis failures. Risk analysis is not a one-time exercise. Review and update it regularly—commonly at least annually—and whenever you introduce major new systems, vendors, or data flows involving PHI.
Missing or Inadequate Policies
Gaps in written policies, or policies that exist on paper but are not followed in practice, create significant exposure. Make sure policies:
Cover relevant HIPAA requirements
Are reviewed and updated on a defined schedule
Are communicated to the workforce with clear expectations
Insufficient Access Controls
Common failures include:
Shared user accounts or generic logins
Lack of unique user IDs and authentication
Excessive privileges that exceed the “minimum necessary” standard
Infrequent access reviews
Implement role-based access, enforce unique credentials, and perform regular access reviews for systems containing ePHI.
Lack of Workforce Training and Documentation
HIPAA requires training and documentation of that training. Track:
Which training content each role receives
How often training is delivered (for example, during onboarding and at least annually)
Completion status for each workforce member who handles PHI
Stored evidence (certificates or system records) is essential when auditors ask how you meet personnel-related requirements.
How to Prepare for an OCR HIPAA Audit
OCR can audit covered entities and business associates at any time. While you cannot fully control timing, you can control your level of readiness.
Understand the OCR Audit Protocol
OCR publishes an audit protocol that outlines how it evaluates compliance with the Privacy, Security, and Breach Notification Rules. Reviewing the protocol helps you:
Understand specific implementation specifications and questions
Map your controls and documentation to each requirement
Identify high-risk gaps in advance
Ensure Documentation Is Audit-Ready
Organize and maintain accessible compliance documentation so you can respond quickly to OCR requests. In practice, this means having:
A clear inventory of policies and procedures
Easy access to risk assessments and risk registers
Training evidence and logs
Vendor inventories and BAAs
Incident logs and breach assessments
OCR typically requires documentation within a defined timeframe, so you cannot wait until you receive an audit notification to start organizing.
Conduct a Mock HIPAA Examination
Internal mock audits or third-party readiness assessments using the OCR protocol can identify and remediate gaps before an official audit. Organizations that use continuous compliance platforms maintain audit-ready documentation year-round, reducing the last-minute rush when customers, partners, or regulators request evidence.
How to Automate HIPAA Compliance Audits
Manual, point-in-time audits make it hard to see issues that arise between assessments. Compliance automation platforms help turn HIPAA auditing into a continuous, predictable process.
Key capabilities include:
Continuous control monitoring: Automatically check that security controls remain in place and functioning as intended
Automated evidence collection: Pull audit evidence from integrated systems (for example, cloud infrastructure, identity providers, endpoint tools) instead of relying on manual screenshots
Real-time risk visibility: Link risk registers, safeguards, and control failures so you can identify and address compliance gaps quickly
Streamlined workforce tracking: Monitor security awareness, HIPAA training, and access reviews, and retain audit-ready records of completion
Vendor oversight: Maintain a centralized vendor inventory, BAAs, and vendor risk assessments tied back to HIPAA requirements
The Drata Agentic Trust Management Platform helps security, compliance, and GRC leaders:
Map HIPAA administrative, technical, and physical safeguards into a centralized control structure
Continuously monitor HIPAA-related controls and automatically surface risks when safeguards fail
Centralize HIPAA audit evidence, testing results, and auditor collaboration to reduce disruption during recurring reviews
Manage HIPAA policies through structured reviews and approvals, track workforce training, and review business associates using scalable vendor risk workflows
Drata does not make your organization HIPAA compliant automatically and does not replace legal advice or your obligations under the Privacy Rule. Instead, it is designed to help you align with the HIPAA Security Rule and Breach Notification expectations from a controls perspective and continuously monitor those controls over time.
Book a demo of Drata to see how automation can reduce manual audit work, improve visibility into PHI-related risks, and keep your HIPAA audit program ready for scrutiny from customers, partners, and regulators.
FAQs About HIPAA Compliance Audits
How often should a HIPAA compliance audit be performed?
Many organizations conduct an internal HIPAA audit at least annually, with additional assessments after significant organizational or system changes that affect how ePHI is handled. Regulators expect ongoing review and risk management rather than one-time or infrequent assessments, and the proposed HIPAA Security Rule update would require audits every 12 months.
What is the difference between a HIPAA audit and a HIPAA risk assessment?
A HIPAA risk assessment (risk analysis) identifies where ePHI resides, what could go wrong, and how likely and impactful those risks are. A HIPAA audit evaluates overall compliance with the Privacy, Security, and Breach Notification Rules, including whether you have performed an appropriate risk analysis and implemented safeguards and policies to address identified risks.
Can a business associate be audited by OCR?
Yes. OCR can audit both covered entities and business associates. Business associates that create, receive, maintain, or transmit PHI on behalf of covered entities can be selected for audits or investigations, particularly after a reported breach or complaint.
What happens if an organization fails a HIPAA audit?
OCR audit or investigation findings typically result in a corrective action plan that specifies remediation steps and timelines. Failure to address violations can lead to civil monetary penalties, mandated compliance monitoring, resolution agreements, and in severe cases, referral to the Department of Justice for potential criminal prosecution.