Best Practices

The HIPAA Audit Program, Part 1

As many CIOs or Compliance Officers can attest, it’s impossible to attend a healthcare privacy or security conference these days without running into Leon Rodriguez. Rodriguez, the Director of OCR/HHS, gives the same presentation at these events time and again, and, without fail, draws the highest attendance of any particular event session. While Rodriguez holds himself well at the podium, attendees are not exactly lining up in the standing room only section of the banquet hall to see public speaking virtuosity. No, they are there for the terrifying subject matter: the HIPAA Audit Program.


HITECH enacted HIPAA Audit Program


The HIPAA Audit Program, enacted through the HITECH Act in 2009, was put in place to correct what was widely seen as a lax HIPAA compliance culture in healthcare. Simply put, HIPAA non-compliance was only an issue if you got caught. Perhaps rightfully so, many healthcare CIOs and compliance professionals have long been concerned only with keeping patient PHI safe. As for following all the “other” HIPAA requirements – performing risk assessments, creating data use and access policies, etc. – most healthcare leaders only actually adhered to the rules insofar as they helped the facility keep patient data safe. In the unfortunate event that a healthcare facility suffered a data breach and subjected itself to a rigorous OCR/HHS investigation, items such as missing risk assessments and inadequate security incident management processes would be identified and held against the entity. However, manage your data breach risk effectively, the thinking went, and the odds that the federal regulators identified a series of poor documentation practices were small enough to live with.

More Thorough and Aggressive HIPAA Audit Program

Through an aggressive audit pilot program, OCR/HHS has let it be known that this relaxed practice is no longer acceptable. The process starts with a letter from the federal agency letting the facility know that it has anywhere from seven to ten days to hand over all of its documented policies and procedures. From there, a site visit is scheduled with OCR/HHS’s auditing firm, KPMG, where a team of their auditors investigates all of the facility’s practices relating to patient PHI privacy and security. Afterward, a written report is prepared for the facility and, if warranted, sanctions and fines are handed down.

HIPAA Audit Program Step in the Right Direction

Federal agencies are taking data protection practices seriously, and OCR/HHS is leading the charge with the HIPAA Audit Program. In Part 2 of this series, we will go into the HIPAA Audit Pilot findings and show how these will both affect providers and shape the program in the years to come.

Frequently Asked Questions


Healthcare facilities typically receive seven to ten days to provide all documented policies and procedures once notified of a HIPAA audit by OCR/HHS. This short timeframe emphasizes the importance of having compliance documentation readily available and well-organized.

During a HIPAA audit site visit, KPMG auditors on behalf of OCR/HHS conduct a thorough investigation of all facility practices related to patient PHI privacy and security. The audit team reviews policies, procedures, and actual implementation to assess full HIPAA compliance beyond just data breach prevention.

Following a HIPAA audit, OCR/HHS prepares a written report detailing findings, and if violations are identified, the facility may face sanctions and monetary fines. The severity depends on the nature and extent of compliance gaps discovered during the audit process.

All covered entities under HIPAA, including hospitals, clinics, health plans, and healthcare clearinghouses, are subject to potential HIPAA audits. The audit program was designed to enforce compliance across the entire healthcare industry, not just organizations that have experienced data breaches.

Healthcare facilities should maintain comprehensive documentation including risk assessments, data use and access policies, security incident management processes, and all HIPAA-required policies and procedures. Having these documents current and easily accessible is critical given the short response timeframe for audit requests.

Written by Krishna Kurapati, Founder & CEO of QliqSOFT, with 20+ years of healthcare technology experience.
