HIPAA Compliance Audit: The Evaluation and the OCR Audit Protocol

The short version

A HIPAA compliance audit tests whether a covered entity or business associate actually does what the rules require. The Security Rule builds it in: 45 CFR 164.308(a)(8) requires a periodic technical and nontechnical evaluation that measures how well the safeguards meet the rule, especially after a change in the environment. Separately, the HHS Office for Civil Rights publishes an Audit Protocol that sets out the requirements it audits across the Privacy, Security, and Breach Notification Rules, and many organizations use it as the template for an internal audit before OCR ever calls.

The HIPAA risk analysis asks what could go wrong. The compliance audit asks whether the controls you put in place are working. They are different exercises, and HIPAA expects both. This guide covers the Security Rule evaluation, the OCR Audit Protocol, who performs the audit, what it tests, and the failures that turn an audit into a finding.

What the rule requires

The Security Rule names the audit obligation directly. Under 45 CFR 164.308(a)(8), a covered entity or business associate must perform a periodic technical and nontechnical evaluation, based initially on the standards implemented under the rule and then in response to environmental or operational changes affecting the security of electronic protected health information. The evaluation establishes the extent to which the safeguards meet the requirements. It is the rule's built-in check that the program works, not just that it was designed.

The OCR Audit Protocol

The HHS Office for Civil Rights, which enforces HIPAA, publishes an Audit Protocol that lists the requirements it audits across the three rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. Each entry names the requirement and the established criteria an auditor checks against. Because it is OCR's own list, the protocol is the most direct template for an internal audit: an organization that tests itself against the protocol is testing against the same criteria OCR would use.

Internal evaluation versus external audit

The evaluation can be performed internally or by an external party. What matters is objectivity and competence: the reviewer should not be grading their own work, and they should know the rules. An internal compliance function can run the evaluation, but the larger or higher-risk the entity, the more an external, independent audit carries weight, with the board or governing body as the audience for the findings.

What the audit tests

Rule | What the audit checks
Security Rule | The administrative, physical, and technical safeguards for ePHI, and whether they are implemented and operating.
Privacy Rule | Uses and disclosures, the minimum-necessary standard, notices of privacy practices, and individual rights such as access.
Breach Notification Rule | The breach risk-assessment process and the notification timelines to individuals, HHS, and where required the media.

How to conduct one

Step 1: Set the scope against the protocol

Decide which rules and requirements the audit covers, using the OCR Audit Protocol as the requirement list.

Step 2: Gather and test the evidence

Collect policies, procedures, and records, and test whether the safeguards operate as documented, not just whether the document exists.

Step 3: Rate and document findings

Record each gap with its severity and the requirement it implicates, so the findings are specific and actionable.

Step 4: Build the corrective action plan

Turn the findings into a remediation plan with owners and dates, the same plan OCR would expect to see.

Step 5: Re-evaluate after change

Repeat the evaluation periodically and whenever an environmental or operational change affects ePHI security, as 164.308(a)(8) requires.

Where it goes wrong

A HIPAA compliance audit is how an organization proves its safeguards work before OCR asks. For the wider rules, see the HIPAA compliance guide and the HIPAA glossary; for the input it tests against, see the HIPAA security risk analysis guide.

Primary sources

Common questions

Does HIPAA require a compliance audit?
The Security Rule requires a periodic technical and nontechnical evaluation under 45 CFR 164.308(a)(8) that measures how well the safeguards meet the rule. That evaluation is the audit obligation. The HHS Office for Civil Rights also publishes an Audit Protocol that organizations commonly use as the template for an internal audit.

What is the difference between a HIPAA risk analysis and a compliance audit?
The risk analysis identifies the threats and vulnerabilities to electronic protected health information; the compliance audit, or evaluation, tests whether the safeguards put in place actually work. HIPAA expects both. Running a risk analysis and calling it the evaluation is a common gap.

What is the OCR Audit Protocol?
It is the list the HHS Office for Civil Rights publishes of the requirements it audits across the Privacy, Security, and Breach Notification Rules, each with the criteria an auditor checks against. Because it is OCR's own list, an organization that audits itself against it is testing against the same criteria OCR would use.

Who can perform a HIPAA compliance audit?
An internal compliance function or an external independent party. The key is objectivity and competence: the reviewer should not be grading their own work, and the larger or higher-risk the entity, the more an independent external audit carries weight with the governing body.

From the team behind this guide

A HIPAA audit that holds up to OCR

Compliance Command Center runs the HIPAA evaluation against the OCR Audit Protocol, tests whether the safeguards operate rather than just exist, and turns findings into a corrective action plan. Practitioners build it, with a human reviewing every deliverable, so it reads as adequate if OCR asks.