There are three ways the federal government, specifically the Office for Civil Rights (OCR), may come to audit your organization’s HIPAA compliance:
- Randomly: The OCR performs a HIPAA compliance audit for a few dozen organizations per year. In a large country like this, you probably don’t need to worry about a random HIPAA security audit.
- After a complaint: Patients are permitted to lodge complaints with HHS about the use of their PHI. In some cases, these complaints have resulted in a HIPAA security audit.
- After a breach: If you have to report a breach of PHI to HHS, there is a very good chance you will be subject to a HIPAA compliance audit.
If your organization is audited, you must follow all HIPAA audit requirements in order to adhere to the HIPAA audit checklist.