HIPAA - Health Insurance Portability and Accountability Act Practice Test

โ–ถ

If you have ever asked how many HIPAA audit programs are there, the short answer is three distinct phases of formal audit activity conducted by the HHS Office for Civil Rights, plus a continuous desk-audit process that runs alongside enforcement investigations. Understanding each program โ€” what triggered it, who it targeted, what auditors examined, and what came next โ€” is essential knowledge for compliance officers, healthcare administrators, and anyone preparing for a HIPAA certification exam. These programs collectively shape the compliance expectations that covered entities and business associates must meet every day.

If you have ever asked how many HIPAA audit programs are there, the short answer is three distinct phases of formal audit activity conducted by the HHS Office for Civil Rights, plus a continuous desk-audit process that runs alongside enforcement investigations. Understanding each program โ€” what triggered it, who it targeted, what auditors examined, and what came next โ€” is essential knowledge for compliance officers, healthcare administrators, and anyone preparing for a HIPAA certification exam. These programs collectively shape the compliance expectations that covered entities and business associates must meet every day.

The first federal HIPAA audit program launched in 2011 and 2012 as a pilot. It was followed by a far more expansive Phase 2 audit initiative that ran from 2016 through 2017. Since then, OCR has maintained the authority and infrastructure to conduct desk audits on a rolling basis, and the agency has signaled repeatedly that additional audit waves are coming. Staying current on hipaa audit programs and their outcomes helps organizations identify the compliance gaps that auditors actually focus on โ€” not just the ones that appear obvious on paper.

Beyond the formal audit phases, the HIPAA compliance landscape includes complaint-driven investigations, breach notification reviews, and Resolution Agreement monitoring โ€” all of which function as de facto audits even if OCR does not label them as such formally. The distinction matters because formal audits are proactive: OCR selects organizations at random or based on data, not because a complaint was filed. This proactive posture is what makes audit programs uniquely powerful as compliance motivators and what makes understanding them so valuable for anyone working in healthcare privacy.

This article breaks down each HIPAA audit program in chronological order, explains what auditors reviewed, identifies the most common findings, and offers concrete guidance on how organizations can prepare today. Whether you are sitting for a HIPAA exam, advising a covered entity, or leading a compliance team at a business associate, the material here provides a structured, accurate foundation for understanding OCR's oversight framework from inception through its current state in 2026.

It is also worth noting that the audit programs do not exist in isolation. They interact with OCR's enforcement priorities, the annual breach reports published by HHS, and Congressional pressure to demonstrate that HIPAA regulations have real teeth. When audit findings reveal widespread non-compliance โ€” as Phase 2 did in areas like risk analysis and Notice of Privacy Practices โ€” OCR uses that data to sharpen enforcement, update guidance documents, and signal to the industry which compliance gaps it will pursue most aggressively in subsequent years.

Finally, many compliance professionals conflate audits with investigations. They are different processes with different legal footing, different timelines, and very different consequences. Audits are generally educational and corrective in nature; investigations can result in civil monetary penalties reaching into the millions. Understanding the audit framework first gives you a solid context for understanding how OCR's enforcement escalates when organizations fail to fix the problems audits reveal โ€” a progression you will see tested repeatedly on HIPAA certification exams.

HIPAA Audit Programs by the Numbers

๐Ÿ“‹
3
Formal Audit Phases
๐Ÿฅ
167
Entities Audited in Phase 1
๐Ÿ”Ž
207
Entities Audited in Phase 2
๐Ÿ’ฐ
$1.9M
Average OCR Settlement (2023)
โš ๏ธ
89%
Phase 2 Entities With Findings
Test Your Knowledge: How Many HIPAA Audit Programs Are There?

The Three HIPAA Audit Programs at a Glance

๐Ÿ“‹ Phase 1 Pilot Audit (2011โ€“2012)

OCR contracted KPMG to audit 167 covered entities. The pilot tested audit protocols, identified compliance gaps, and produced a public report. No business associates were included. Findings were largely corrective, not punitive, since the program was designed to refine the audit methodology.

๐Ÿ”Ž Phase 2 Audit Program (2016โ€“2017)

A major expansion covering 166 covered entities and 41 business associates. OCR used desk audits โ€” document review without on-site visits โ€” to assess Privacy Rule, Security Rule, and Breach Notification Rule compliance. Phase 2 generated detailed public reports revealing widespread deficiencies in risk analysis.

๐Ÿ“Š Ongoing Desk Audits and Investigations

Since Phase 2, OCR has maintained a continuous audit infrastructure. Desk audits can be triggered at any time, and OCR has publicly committed to future audit waves. Complaint investigations and breach reviews also function as targeted audits with enforcement consequences.

๐Ÿ† Permanent Audit Infrastructure

OCR's audit program is now a standing function, not a one-time project. The agency maintains audit protocols, an audited entity database, and reporting templates. This permanent infrastructure means any covered entity or business associate can be selected for review at any time without prior warning.

The Phase 1 pilot audit program, conducted from late 2011 through 2012, represented the first time OCR systematically examined HIPAA compliance across a broad sample of covered entities. OCR contracted with KPMG to develop audit protocols and carry out fieldwork at 167 organizations, including hospitals, physician practices, health plans, and healthcare clearinghouses. The selection was designed to reflect the diversity of the covered entity universe โ€” large academic medical centers appeared alongside small dental offices, and national insurers alongside regional Medicaid managed care plans.

During Phase 1, KPMG auditors arrived on-site at each organization and spent between one and two weeks reviewing policies, procedures, workforce training records, technical safeguard documentation, and physical security controls. The audit protocol covered 169 individual performance criteria drawn from the Privacy Rule, Security Rule, and Breach Notification Rule. Auditors did not simply check whether policies existed โ€” they tested whether those policies were actually implemented, consistently followed, and regularly updated to reflect changes in technology and operations.

The Phase 1 final report, published by OCR in 2012, identified risk analysis as the single most common area of deficiency. A large percentage of audited entities either had no formal risk analysis or had conducted one that was inadequate โ€” failing to cover all electronic protected health information across all systems, or failing to document the risk management actions taken in response to identified vulnerabilities. This finding previewed what would become the dominant theme of HIPAA enforcement throughout the following decade.

Other frequent Phase 1 findings included deficiencies in workforce training documentation, gaps in Business Associate Agreement coverage, incomplete Notice of Privacy Practices content, and inadequate physical safeguards for workstations that accessed ePHI. Smaller covered entities โ€” particularly solo and small-group physician practices โ€” showed higher rates of deficiency across nearly every category, reflecting the reality that these organizations often lack dedicated compliance staff and must rely on practice managers or billing personnel to manage HIPAA requirements alongside other administrative duties.

OCR used the Phase 1 results to refine the audit protocol substantially before launching Phase 2. Several criteria were consolidated, others were added to address emerging concerns around mobile devices and cloud computing, and the overall structure was reorganized to make findings more comparable across different entity types. OCR also published the revised audit protocols publicly, which gave covered entities and business associates an unprecedented opportunity to understand exactly what auditors would look for โ€” an opportunity that compliance professionals should use actively when preparing their organizations for potential review.

The corrective action process following Phase 1 was relatively informal. Where auditors identified deficiencies, they worked with entities to develop corrective action plans, but OCR did not impose civil monetary penalties based on Phase 1 findings alone. The pilot was explicitly framed as a learning exercise for both OCR and the regulated community. That changed with Phase 2, where the findings were more systematically documented and where some entities with particularly serious deficiencies were referred for formal compliance review โ€” a process that could lead to enforcement action.

For compliance professionals, the most important lesson from Phase 1 is that the audit protocol itself is a compliance roadmap. OCR published the 169 performance criteria used in Phase 1, and the updated protocols from Phase 2 are also publicly available.

Working through those criteria systematically โ€” assigning ownership for each, documenting current status, and developing remediation plans for gaps โ€” is one of the most effective ways to reduce audit risk and strengthen HIPAA compliance programs simultaneously. Many organizations that perform well in audits do so precisely because they treat the published protocol as a self-assessment tool and revisit it annually.

Free HIPAA Compliance Questions and Answers
Practice HIPAA compliance concepts including audit programs, Privacy Rule, and Security Rule requirements
Free HIPAA Medical Information Questions and Answers
Test your knowledge of protected health information rules and medical privacy obligations under HIPAA

HIPAA Audit Programs: Privacy, Security, and Breach Notification Reviews

๐Ÿ“‹ Privacy Rule Audits

Privacy Rule audits under both Phase 1 and Phase 2 focused on whether covered entities maintained compliant Notice of Privacy Practices, honored patient rights to access their own records, established appropriate minimum necessary policies, trained their workforce on privacy obligations, and maintained proper authorization processes for uses and disclosures of protected health information that fall outside treatment, payment, and healthcare operations.

Phase 2 desk audits specifically examined whether entities provided patients timely access to records within the 30-day regulatory deadline โ€” a right OCR has since elevated to a top enforcement priority. Auditors reviewed a sample of access requests and the entity's documented response, looking for both timeliness and completeness. Entities that charged unreasonable fees, delayed responses without proper extension notices, or denied access without valid grounds were flagged as deficient even if their written policies appeared compliant on paper.

๐Ÿ“‹ Security Rule Audits

Security Rule audits consistently produced the highest deficiency rates of any rule area, with risk analysis and risk management topping the list in both Phase 1 and Phase 2. Auditors examined whether entities had conducted comprehensive, organization-wide risk analyses that identified all ePHI, assessed the likelihood and impact of threats and vulnerabilities, and documented risk management decisions โ€” including the rationale for accepting residual risks rather than eliminating them entirely through technical controls.

Beyond risk analysis, auditors reviewed audit controls, workforce security training, workstation use policies, device encryption practices, and contingency planning documentation including data backup procedures and disaster recovery plans. Mobile device management policies emerged as a significant gap in Phase 2, reflecting the widespread adoption of smartphones and tablets in clinical settings without corresponding security controls. Many entities had no formal mobile device policy or had policies that applied only to organization-issued devices, leaving personally owned devices entirely outside the security framework.

๐Ÿ“‹ Breach Notification Audits

Breach Notification Rule audits examined whether entities had documented policies for identifying and evaluating potential breaches, conducted required four-factor risk assessments to determine whether discovered incidents constituted reportable breaches, and met the mandatory notification timelines โ€” 60 days from discovery for individual and HHS notification, with media notification required for breaches affecting more than 500 residents of a state or jurisdiction.

Auditors also reviewed the content and delivery method of breach notifications, checking whether notices to affected individuals contained all required elements including a description of what happened, what information was involved, what steps individuals could take to protect themselves, what the entity was doing to investigate and remediate, and how individuals could contact the entity for more information. Deficiencies in notification content and timeliness were common findings, particularly among smaller entities that had not documented their breach response procedures in advance of an actual incident.

Benefits and Challenges of HIPAA Audit Programs for Healthcare Organizations

Pros

  • Audits identify compliance gaps before a breach or complaint triggers a more serious investigation
  • Published audit protocols give organizations a free, detailed self-assessment framework to use proactively
  • Corrective action plans from audits are typically less punitive than enforcement settlements
  • Audit findings generate industry-wide data that helps all organizations benchmark their compliance programs
  • Participating in an audit demonstrates good-faith commitment to HIPAA compliance if issues arise later
  • Audit preparation exercises improve cross-departmental communication between IT, legal, and clinical teams

Cons

  • Audit preparation requires significant staff time and resources that smaller organizations may struggle to allocate
  • Document requests can be broad and time-consuming, diverting attention from patient care operations
  • Audit findings can be referred for enforcement if deficiencies are serious or reflect willful neglect
  • Organizations have limited ability to contest audit selection or narrow the scope of document requests
  • Remote desk audits may not capture contextual information that explains apparent policy gaps
  • Audit timelines can extend for months, creating prolonged uncertainty for compliance teams and leadership
HIPAA De-identification and Data Anonymization
Master HIPAA's two de-identification methods and understand when PHI loses its protected status under the law
HIPAA Electronic Health Records (EHR) Compliance
Test your understanding of EHR security requirements, access controls, and audit log obligations under HIPAA

HIPAA Audit Readiness Checklist

Conduct or update a comprehensive, organization-wide HIPAA risk analysis covering all systems that store, transmit, or process ePHI
Document your risk management plan with specific mitigation actions, timelines, and responsible owners for each identified risk
Review all Business Associate Agreements for completeness and confirm they are in place with every vendor who accesses PHI
Verify your Notice of Privacy Practices is current, posted in all required locations, and distributed to new patients at first service
Audit patient access request logs to confirm responses were provided within 30 days and fees charged were reasonable and documented
Test your workforce training records to confirm all employees completed HIPAA training upon hire and at least annually thereafter
Review mobile device policies to ensure they cover both organization-issued and personally owned devices used to access ePHI
Confirm your breach notification policy includes the four-factor risk assessment, 60-day notification timeline, and required notice content
Conduct a physical security walkthrough to identify workstations with ePHI visible to unauthorized individuals or left unattended and unlocked
Maintain an updated inventory of all systems and media that store ePHI, including cloud services and third-party applications
Inadequate risk analysis is the most cited deficiency across every HIPAA audit phase

OCR Phase 1 and Phase 2 audit reports both identified risk analysis failures as the single most common compliance gap, appearing in a majority of audited entities. A compliant risk analysis must be comprehensive (covering all ePHI across all systems), documented, regularly updated, and followed by a documented risk management plan โ€” not just a checklist completed once and filed away.

The findings that emerged from Phase 2 deserve special attention because they reflect the compliance reality of the industry as a whole, not just the organizations that happened to be selected. Phase 2 covered 166 covered entities and 41 business associates, audited through a desk review process in which OCR sent document requests and analyzed submissions remotely rather than conducting on-site visits. This approach allowed OCR to process more organizations in less time, though it also meant that auditors could not directly observe practices or interview staff.

Risk analysis deficiencies dominated Phase 2 findings just as they had in Phase 1. Among covered entities, a substantial majority either lacked a formal risk analysis entirely or had conducted one that failed to meet the regulatory standard โ€” typically because the analysis was limited to a specific department or system rather than encompassing all ePHI across the enterprise. Business associates showed even higher deficiency rates than covered entities in this area, reflecting the fact that many BAs had not historically been subject to direct HIPAA enforcement and therefore had less mature compliance programs.

The Phase 2 results also highlighted significant problems with patient access to records. OCR had begun prioritizing right-of-access enforcement in the years leading up to Phase 2, and the audit findings confirmed why: many entities had policies that technically required timely responses to access requests, but their actual practices โ€” as documented in logs and records the auditors reviewed โ€” showed delays, excessive fees, and in some cases outright denials without adequate justification. These findings directly fueled OCR's subsequent Right of Access Initiative, which produced dozens of enforcement settlements in 2019 through 2023.

Breach Notification Rule compliance was another area of significant concern. While most entities had some form of breach notification policy, auditors found frequent gaps in the four-factor risk assessment process โ€” the analysis that determines whether an incident involving unsecured PHI constitutes a reportable breach. Many entities were using a single-step, yes-or-no determination rather than the four-factor analysis required by regulation, which examines the nature and extent of the PHI involved, the unauthorized person who received it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated.

Business Associate deficiencies extended beyond risk analysis. Many BAs lacked current, complete Business Associate Agreements with their own subcontractors โ€” a chain-of-privacy obligation that covered entities often overlook when managing their vendor relationships. Auditors found cases where BAs had executed agreements with covered entities but had no corresponding agreements with the cloud providers, data processors, and IT vendors who actually handled PHI on the BA's behalf. This gap creates significant legal and liability exposure that can run upstream to the covered entity as well.

Physical safeguards were frequently cited in Phase 2 as well. Auditors identified workstations in clinical areas where ePHI was displayed on screens visible to patients or visitors, devices left logged in and unattended, and facilities without adequate visitor access controls in server rooms or areas where paper PHI was processed. These physical security gaps are often easier to fix than complex technical vulnerabilities, but they require sustained operational attention rather than a one-time policy update โ€” making them persistent findings across multiple audit cycles.

The most important lesson from Phase 2 findings for compliance professionals is that policy documentation alone does not equal compliance. OCR auditors are specifically trained to look past written policies and examine whether actual practices match what the policies prescribe. An organization that has a beautiful, comprehensive HIPAA policies and procedures manual but whose staff have not been trained, whose risk analysis is outdated, and whose breach response logs do not reflect the documented procedure will perform poorly in an audit regardless of how well its paperwork looks on the surface.

After an audit concludes, the process does not simply end with a report. OCR's audit framework includes a structured corrective action process for entities that received findings, and in some cases โ€” particularly where findings indicate serious, systemic non-compliance โ€” the audit file may be forwarded to OCR's enforcement division for potential investigation and civil monetary penalties. Understanding what happens after an audit is as important as understanding what happens during one, both for managing organizational risk and for answering exam questions accurately.

For entities that received findings in Phase 1 or Phase 2, OCR typically issued a final audit report detailing each deficiency and the evidence supporting it. Entities were then given an opportunity to respond with a corrective action plan โ€” a documented commitment to remediate each finding within a specified timeframe.

OCR reviewed these plans and, in many cases, conducted follow-up reviews to verify that promised corrections had actually been implemented. The corrective action process is not merely administrative paperwork; it creates a documented record of what the organization knew about its compliance gaps and what it committed to do about them.

One of the most significant developments following Phase 2 was OCR's use of audit findings to inform its enforcement priorities. The widespread deficiencies in right-of-access compliance identified during Phase 2 directly contributed to the launch of OCR's Right of Access Initiative in 2019. Similarly, the high rates of inadequate risk analysis found across both audit phases reinforced OCR's practice of citing risk analysis failures as the primary basis for civil monetary penalties in breach-related enforcement actions. In this way, the audit program functions as a feedback loop between compliance monitoring and enforcement strategy.

For organizations that were not audited in Phase 1 or Phase 2, the audit reports still provide enormous value. OCR published detailed technical findings reports for both phases, including anonymized descriptions of common deficiencies and the types of evidence auditors found most useful in evaluating compliance. Compliance officers should read these reports carefully and use them to stress-test their own programs โ€” asking whether their organization would have been cited for the same issues that tripped up the audited entities and, if so, what specific remediation steps are needed.

The interplay between audits and enforcement also affects how organizations should approach voluntary self-disclosure. If an organization discovers a compliance gap during audit preparation โ€” particularly one that might constitute a breach or involve willful neglect of HIPAA requirements โ€” it faces a difficult decision about whether to proactively notify OCR before an audit surfaces the issue. OCR's enforcement policies generally treat voluntary disclosure favorably compared to discovered non-compliance, but the decision involves complex legal considerations that typically require involvement of HIPAA counsel with enforcement experience.

Business associates face particular complexity in the post-audit environment. Phase 2 audit findings for BAs were generally more severe than those for covered entities, and OCR's subsequent enforcement actions against BAs have confirmed that the agency views them as fully accountable for HIPAA compliance โ€” not merely contractual obligations that flow from covered entity requirements. BAs that handle large volumes of PHI, operate cloud infrastructure, or provide services across multiple healthcare clients should treat HIPAA audit readiness as a core business requirement rather than a periodic compliance exercise.

Looking forward to 2026 and beyond, the HIPAA audit landscape will almost certainly expand to address technologies and practices that did not exist or were not widespread during Phase 2. Telehealth platforms, AI-assisted clinical decision support tools, ambient clinical intelligence systems that continuously capture patient conversations, and consumer health applications that access EHR data through interoperability APIs all create new categories of ePHI risk that OCR's existing audit protocols do not fully address.

Organizations investing in these technologies should proactively assess their HIPAA implications and document those assessments โ€” both because it is the right compliance approach and because it will position them well when auditors eventually arrive with questions about how these systems were evaluated and governed.

Practice HIPAA Medical Information and Privacy Rules Now

Practical preparation for a HIPAA audit begins long before an auditor makes contact. The most effective compliance programs treat audit readiness as a continuous operational state rather than a reactive scramble triggered by an audit notice. This means maintaining living documentation โ€” policies, procedures, risk analyses, training records, and BAAs โ€” that is updated on a regular schedule rather than dusted off when auditors ask for it. Organizations that can produce current, well-organized documentation within days of a request demonstrate exactly the kind of operational discipline that auditors look for as a proxy for genuine compliance.

Designating a HIPAA Privacy Officer and a HIPAA Security Officer โ€” as the regulations require โ€” is a foundational step that some smaller organizations still neglect. These individuals need not be full-time dedicated roles at small practices, but they must be identifiable people with defined responsibilities, documented authority, and adequate training to perform their functions. Auditors will ask who holds these roles, what training those individuals have received, and what activities they have undertaken in the past 12 months. Vague answers to these questions are a red flag that typically prompts deeper scrutiny.

Annual workforce training is another area where documentation quality matters as much as the training itself. Auditors want to see that training occurred, who participated, what content was covered, and how completion was tracked. Generic acknowledgment forms that simply state an employee read the HIPAA policy manual are weaker evidence than records showing that specific training modules were completed, quizzes were passed, and any employees who failed were retrained. Learning management system reports, signed attestations with specific course titles, and training completion dashboards all provide the kind of granular documentation that satisfies audit requests.

Vendor management is a frequently underestimated area of audit preparation. Many organizations have BAAs in place with their primary EHR vendor and major health plan but lack agreements with the dozens of smaller vendors โ€” billing services, transcription companies, IT support contractors, cloud backup providers, and specialty software vendors โ€” who access PHI in the course of their work. Conducting a thorough vendor inventory, mapping each vendor's PHI access, and confirming that current, legally adequate BAAs are in place for every applicable relationship is a time-consuming but essential element of audit readiness.

Incident response and breach notification documentation is another area that pays dividends in audits. Organizations that have documented, tested, and regularly updated their incident response procedures โ€” including the four-factor breach risk assessment process and the notification workflow โ€” can demonstrate to auditors not just that they have policies, but that those policies have been applied to actual incidents and that the organization has learned from each response. Tabletop exercises that walk through breach scenarios, documented after-action reviews, and evidence of improvements made based on lessons learned all contribute to a strong showing in this area.

Finally, physical and environmental security deserves attention that it does not always receive in organizations focused primarily on cybersecurity threats. HIPAA requires covered entities to implement physical safeguards for facilities where ePHI is maintained, including access controls, workstation use policies, and device security.

Simple measures โ€” screen privacy filters on workstations in patient-facing areas, automatic session timeouts on computers that access ePHI, locked server rooms with access logs, and policies for secure disposal of printed PHI โ€” can address many of the physical safeguard findings that have appeared consistently across all HIPAA audit phases. Regular physical security walkthroughs, documented and signed by the Security Officer, provide evidence that these controls are actively maintained rather than passively assumed.

For individuals preparing for HIPAA certification exams, the audit program content is reliably tested because it sits at the intersection of regulatory knowledge and practical application. Expect questions about the number of audit phases, the types of entities covered in each phase, the most common audit findings, the difference between desk audits and on-site audits, and the relationship between audit findings and enforcement outcomes.

Understanding the chronology and the specific findings from each phase โ€” not just the general principle that OCR conducts audits โ€” is what distinguishes strong exam performers from those who have only surface-level familiarity with the topic.

HIPAA Healthcare Provider Obligations and Covered Entities
Test your knowledge of covered entity definitions, provider obligations, and HIPAA compliance requirements
HIPAA - Health Insurance Portability and Accountability Act Administrative Safeguards Questions and Answers
Practice questions on HIPAA administrative safeguards including policies, training, and risk management requirements

HIPAA Questions and Answers

How many HIPAA audit programs has OCR conducted?

OCR has conducted three distinct phases of HIPAA audit activity: the Phase 1 pilot program (2011โ€“2012), the Phase 2 audit program (2016โ€“2017), and an ongoing desk audit infrastructure that has been used on a rolling basis since Phase 2. Additionally, OCR's complaint investigations and breach notification reviews function as targeted audits, though they are not labeled as part of the formal audit program.

What is the difference between a HIPAA desk audit and an on-site audit?

A desk audit is conducted remotely: OCR sends a document request, and the audited entity submits its policies, procedures, and records electronically for review. An on-site audit involves OCR auditors visiting the organization's facilities, interviewing staff, and directly observing practices. Phase 1 used on-site audits; Phase 2 used desk audits exclusively. Both approaches can generate findings that lead to corrective action requirements.

Who can be selected for a HIPAA audit?

Any covered entity or business associate can be selected for a HIPAA audit. Covered entities include healthcare providers who transmit PHI electronically, health plans, and healthcare clearinghouses. Business associates are vendors and contractors who create, receive, maintain, or transmit PHI on behalf of covered entities. Phase 2 was the first formal audit phase to include business associates directly, reflecting their expanded liability under the HITECH Act.

What were the most common findings in HIPAA audits?

Across both Phase 1 and Phase 2, inadequate risk analysis was the most common finding. This includes failing to conduct any risk analysis, limiting the analysis to certain systems rather than all ePHI, and failing to document risk management decisions. Other frequent findings included incomplete Notice of Privacy Practices, delays in responding to patient access requests, missing Business Associate Agreements with subcontractors, and inadequate workforce training documentation.

Can a HIPAA audit result in financial penalties?

Yes, though audits are primarily corrective rather than punitive. If auditors identify serious deficiencies โ€” particularly those indicating willful neglect or systemic non-compliance โ€” the audit file can be referred to OCR's enforcement division for investigation. That investigation can result in civil monetary penalties ranging from $100 to $50,000 per violation, with annual caps per violation category. Completing a corrective action plan in good faith during the audit process generally reduces enforcement risk.

How much advance notice does OCR give before a HIPAA audit?

For Phase 2 desk audits, OCR sent email notifications requesting preliminary information, giving entities a short window โ€” sometimes as little as two weeks โ€” to respond to initial data requests before the formal audit document request was issued. There is no regulatory requirement for OCR to provide extended advance notice. Organizations should maintain audit-ready documentation at all times rather than relying on a notice period to prepare.

What is the HIPAA audit protocol, and where can I find it?

The HIPAA audit protocol is the official list of performance criteria that OCR auditors use to evaluate compliance during a formal audit. It covers Privacy Rule, Security Rule, and Breach Notification Rule requirements and is organized into specific audit elements. OCR has published the Phase 2 audit protocol on the HHS website, making it freely available. Compliance officers routinely use the protocol as a self-assessment tool to identify gaps before auditors do.

Are business associates subject to HIPAA audits?

Yes. Before the HITECH Act of 2009, business associates were regulated primarily through their contracts with covered entities. HITECH made BAs directly liable for HIPAA compliance, and OCR's Phase 2 audit program included 41 business associates โ€” the first time BAs were directly audited. Phase 2 BA findings showed even higher deficiency rates than covered entities, particularly for risk analysis and Security Rule compliance.

What should an organization do immediately after receiving a HIPAA audit notice?

Upon receiving an audit notice, an organization should immediately notify its legal counsel and HIPAA Privacy and Security Officers, assemble a response team, and identify the staff responsible for gathering each category of requested documentation. It should also review its existing policies and records to identify any obvious gaps that can be remediated before the document submission deadline, while ensuring that any remediation steps are accurately dated and not backdated to appear older than they are.

How does a HIPAA audit differ from a HIPAA investigation?

A HIPAA audit is proactive: OCR selects organizations based on sampling criteria, not because a complaint was filed or a breach was reported. An investigation is reactive: it is triggered by a complaint, a breach report, or a referral from an audit. Audits are generally corrective and educational in nature; investigations more frequently lead to enforcement actions including Resolution Agreements and civil monetary penalties. Both can result in corrective action requirements, but investigations carry higher enforcement risk.
โ–ถ Start Quiz