HIPAA audits are directed mainly at covered entities of all sizes. The main purpose of a HIPAA audit is to ensure that patients' ePHI is kept safe and that the security of sensitive information is maintained at every level. The HHS Office for Civil Rights (OCR) continually assesses compliance with the HIPAA Privacy, Security and Breach Notification Rules, and to that end conducts audits of covered entities and their business associates.


During a HIPAA audit, the entity's policies, measures and procedures are reviewed to monitor how the Privacy, Security and Breach Notification Rules have been implemented. The audit program is carried out by means of a comprehensive audit protocol that has been updated to reflect the Omnibus Final Rule.

The OCR HIPAA audit program reviews the processes, controls and policies that selected covered entities use to protect the privacy of Protected Health Information (PHI).

HIPAA audits are also designed to cover HIPAA Privacy Rule requirements in seven areas:

  • Notice of privacy practices for PHI
  • Rights to request privacy protection for PHI
  • Access of individuals to PHI
  • Administrative requirements
  • Uses and disclosures of PHI
  • Amendment of PHI
  • Accounting of disclosures

The Importance of HIPAA Audit Programs

HIPAA audits are very beneficial for ensuring that all covered entities are HIPAA compliant. Regular audits also help healthcare organizations screen for unauthorized access to patients' information. Auditing helps organizations detect violations of privacy norms and other threats that could eventually put the information in the wrong hands. Overall, audits measure the effectiveness of the organization and of the measures taken by the personnel who handle PHI.

What Happens In an Audit Program?

If OCR selects an entity for the audit program, the entity is notified by e-mail and is required to provide all the documents and data requested in the document-request letter. OCR then explains the audit team, the overall process, and OCR's expectations and requirements to the covered entity. Audited entities send the requested documents through a secure online portal on OCR's website, and the documents are then reviewed. The final audit reports are produced after the auditees' responses to the draft findings have been incorporated.
