A HIPAA compliance audit can be conducted by the Department of Health and Human Services Office for Civil Rights, by the organization’s own internal audit or compliance function, or by an independent external assessor retained by a HIPAA Covered Entity or HIPAA Business Associate. The specific authority, scope, and consequences depend on whether the audit is an Office for Civil Rights oversight activity, a regulatory enforcement-related review, or a voluntary assurance activity initiated by the regulated organization.
The Department of Health and Human Services Office for Civil Rights conducts audits and investigations to evaluate compliance with the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. The Office for Civil Rights may perform reviews directly or through contractors acting on its behalf, and the work typically involves document requests, interviews, and testing of whether required policies, procedures, safeguards, and documentation are in place and operating as intended.
Organizations also conduct internal audits to evaluate conformity with HIPAA requirements and to support governance oversight. Internal audits may be performed by compliance officers, privacy officers, security officers, internal audit departments, or risk management functions, provided the reviewers have sufficient independence from the operations being assessed and can access relevant systems, records, and staff.
External audits may be conducted by independent consulting firms, law firms providing compliance assessments, accounting firms, or information security assessors engaged to evaluate privacy and security controls for protected health information and electronic protected health information. When an external firm performs the audit on behalf of a Covered Entity or Business Associate and needs access to protected health information, the engagement typically requires a business associate agreement that limits use and disclosure and addresses safeguards and incident response obligations.