What is a HIPAA Compliance Audit?

A HIPAA compliance audit is a structured review of a HIPAA Covered Entity's or Business Associate's policies, procedures, safeguards, and records to assess conformity with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Audits may be performed by the Department of Health and Human Services Office for Civil Rights (OCR), or conducted internally or by an external assessor, to evaluate whether required controls exist, operate as designed, and are documented. The distinction matters in practice: a control that exists on paper but cannot be shown operating over the audit period is a gap, not a pass.

A compliance audit typically evaluates administrative requirements such as governance, assigned responsibilities, workforce training, sanction policies, complaint handling, and documentation retention. Privacy elements commonly reviewed include permitted uses and disclosures, authorization management, application of the minimum necessary standard where it applies, Notice of Privacy Practices content and distribution practices, and the processes supporting individual rights: access, amendment, requests for restrictions, confidential communications, and accounting of disclosures.

Security evaluation focuses on electronic protected health information (ePHI) and the safeguards required by the HIPAA Security Rule. These span the Rule's administrative safeguards (risk analysis, risk management, contingency planning), physical safeguards (workstation security, device and media controls), and technical safeguards (access controls, audit controls, integrity controls, transmission security). Evidence reviewed may include risk analysis reports, remediation plans, system configurations, access provisioning records, audit log practices, incident response documentation, and vendor management artifacts, including business associate agreements and oversight practices for subcontractors that handle protected health information. An auditor will usually test evidence against each other rather than in isolation, for example reconciling who actually accessed ePHI according to audit logs with who was authorized to according to provisioning records.
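The following is an added example, not code from the original article or from Calculated HIPAA, illustrating one such evidence test: reconciling ePHI access-log entries against an access-provisioning roster. Both the roster format and the log format are constructed for this example and do not correspond to any particular product; real systems vary and the parsing would be adapted accordingly.

```python
"""Reconcile ePHI access-log entries against provisioning records.

Added example (not from the original article). The roster and log
formats below are constructed for illustration only.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed provisioning roster: who was granted access, in what role,
# and when that access was granted or revoked (empty revoked = still active).
PROVISIONING_CSV = """user,role,granted,revoked
jdoe,nurse,2023-01-10,
asmith,billing,2023-02-01,2023-06-30
bwong,physician,2023-03-15,
"""

# Constructed application audit log: "<ISO timestamp> <user> <action> <patient_id>"
ACCESS_LOG = """2023-07-01T08:02:11 jdoe VIEW 10001
2023-07-01T08:05:40 asmith VIEW 10002
2023-07-01T09:11:03 bwong VIEW 10003
2023-07-01T09:12:30 bwong EXPORT 10003
2023-07-01T10:00:00 tghost VIEW 10004
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    action: str
    patient_id: str
    reason: str


def load_roster(text):
    """Parse the roster into {user: (role, granted_date, revoked_date_or_None)}."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        granted = date.fromisoformat(row["granted"])
        revoked = date.fromisoformat(row["revoked"]) if row["revoked"] else None
        roster[row["user"]] = (row["role"], granted, revoked)
    return roster


def reconcile(log_text, roster):
    """Return one Finding per log entry that has no matching, in-window provisioning.

    The revocation date is treated as inclusive: access on the revocation day
    itself is still covered, access on any later day is not.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient_id = line.split()
        when = datetime.fromisoformat(ts).date()
        entry = roster.get(user)
        if entry is None:
            # Account active in the application but absent from provisioning records.
            findings.append(Finding(ts, user, action, patient_id, "no provisioning record"))
            continue
        _role, granted, revoked = entry
        if when < granted or (revoked is not None and when > revoked):
            # Access occurred before grant or after revocation.
            findings.append(Finding(ts, user, action, patient_id,
                                    "access outside provisioned window"))
    return findings


def summarize(findings):
    """Count findings by reason, the form an audit workpaper typically reports."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(ACCESS_LOG, load_roster(PROVISIONING_CSV)):
        print(f"{f.timestamp} {f.user} {f.action} patient={f.patient_id}: {f.reason}")
```

On the constructed data this flags two entries: asmith's access the day after the roster shows it revoked, and tghost, who has no provisioning record at all. Either result is the kind of discrepancy between "access provisioning records" and "audit log practices" that turns into a corrective action item.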

When an audit identifies gaps, follow-up activity may include corrective action planning, policy revisions, technical remediation, workforce retraining aligned with job roles, and enhanced monitoring. For organizations preparing for an external review, audit readiness commonly involves maintaining current written policies and procedures, keeping evidence of implementation, and demonstrating that privacy and security controls are applied consistently across systems, departments, and third-party relationships.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA