A HIPAA compliance audit tests whether a covered entity or business associate actually does what the rules require. The Security Rule builds it in: 45 CFR 164.308(a)(8) requires a periodic technical and nontechnical evaluation that establishes how well the entity's security policies and procedures meet the rule, initially against the standards as implemented and then again after an environmental or operational change. Separately, the HHS Office for Civil Rights publishes an Audit Protocol that sets out the requirements it audits across the Privacy, Security, and Breach Notification Rules, and many organizations use it as the template for an internal audit before OCR ever calls.
The HIPAA risk analysis asks what could go wrong. The compliance audit asks whether the controls you put in place are working. They are different exercises, and HIPAA expects both. This guide covers the Security Rule evaluation, the OCR Audit Protocol, who performs the audit, what it tests, and the failures that turn an audit into a finding.
What the rule requires
The Security Rule names the audit obligation directly. Under 45 CFR 164.308(a)(8), a covered entity or business associate must perform a periodic technical and nontechnical evaluation, based initially on the standards implemented under the rule and subsequently in response to environmental or operational changes affecting the security of electronic protected health information. The evaluation establishes the extent to which the entity's security policies and procedures meet the requirements of the rule. It is the rule's built-in check that the program works, not just that it was designed. The rule does not fix an interval; "periodic" is for the entity to define and justify, and the change trigger applies regardless of the interval chosen.
The OCR Audit Protocol
The HHS Office for Civil Rights, which enforces HIPAA, publishes an Audit Protocol that lists the requirements it audits across the three rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. Each entry pairs a key activity with the established performance criteria and the audit inquiry, that is, the documentation and evidence an auditor asks the entity to produce. Because it is OCR's own list, the protocol is the most direct template for an internal audit: an organization that tests itself against the protocol is testing against the same criteria, and producing the same evidence, OCR would ask for.
Internal evaluation versus external audit
The rule does not say who performs the evaluation; it can be done internally or by an external party. What matters is objectivity and competence: the reviewer should not be grading their own work, and they should know the rules. An internal compliance function can run the evaluation, but the larger or higher-risk the entity, the more an external, independent audit carries weight, with the board or governing body as the audience for the findings.
What the audit tests
| Rule | What the audit checks |
|---|---|
| Security Rule | The administrative, physical, and technical safeguards for ePHI, and whether they are implemented and operating. |
| Privacy Rule | Uses and disclosures, the minimum-necessary standard, notices of privacy practices, and individual rights such as access. |
| Breach Notification Rule | The breach risk-assessment process (the four-factor assessment of whether PHI was compromised) and the notification timelines to individuals, HHS, and where required the media, including the outer limit of 60 calendar days after discovery for individual notice. |
How to conduct one
Step 1: Set the scope against the protocol
Decide which rules and requirements the audit covers, using the OCR Audit Protocol as the requirement list, and record which systems, locations, workforce groups, and business associates hold the ePHI in scope so the evidence requests map to them.
Step 2: Gather and test the evidence
Collect policies, procedures, and records, then test whether the safeguards operate as documented, not just whether the document exists: sample access logs against the access-control policy, training records against the workforce roster, and executed business associate agreements against the vendor list.
Step 3: Rate and document findings
Record each gap with its severity and the requirement it implicates, so the findings are specific and actionable. Document the evaluation itself as well: 45 CFR 164.316(b) requires Security Rule documentation to be retained for six years from its creation or last effective date, whichever is later, and the evaluation is part of that record.
Step 4: Build the corrective action plan
Turn the findings into a remediation plan with owners and dates, the same plan OCR would expect to see.
Step 5: Re-evaluate after change
Repeat the evaluation periodically and whenever an environmental or operational change affects ePHI security, as 164.308(a)(8) requires.
Where it goes wrong
- Confused with the risk analysis. The entity runs a risk analysis and calls it the evaluation, but never tests whether the controls operate.
- Never refreshed. The evaluation predates a major system or vendor change, contrary to the rule's response-to-change requirement.
- Findings without remediation. Gaps are documented but never resolved into a corrective action plan that closes.
A HIPAA compliance audit is how an organization proves its safeguards work before OCR asks. For the wider rules, see the HIPAA compliance guide and the HIPAA glossary; for the input it tests against, see the HIPAA security risk analysis guide.
Primary sources
- 45 CFR 164.308(a)(8): The HIPAA Security Rule evaluation requirement: a periodic technical and nontechnical evaluation of how well safeguards meet the rule.
- HHS Office for Civil Rights HIPAA Audit Protocol: The OCR protocol that sets out the audited requirements across the Privacy, Security, and Breach Notification Rules.
- 45 CFR 164.308(a)(1)(ii)(A): The HIPAA Security Rule risk analysis requirement.