
What HIPAA Auditors Actually Look For (And How to Pass)

A practical breakdown of what HIPAA auditors examine, common findings that get practices in trouble, and how to pass your audit without the panic.

Carlos Cabrales
IT Consultant & AI Systems Architect
CC3PO Insights

Most practices don’t fail HIPAA audits because they don’t care about compliance. They fail because they don’t know what auditors actually look for until it’s too late.

I’ve seen practices with expensive compliance software still get dinged. I’ve seen tiny offices sail through audits because they had the basics locked down. The difference? Understanding what matters and what doesn’t.

Here’s what auditors actually examine — and how to make sure you pass.

The Audit Isn’t a Surprise Test

HIPAA audits follow a pattern. The Office for Civil Rights (OCR) uses a protocol that covers specific areas, and they publish it. You can literally read the audit protocol before you get audited. Yet most practices never look at it.

The protocol covers three main rule sets:

  • Privacy Rule — How you handle PHI access, minimum necessary standards, and patient rights
  • Security Rule — Administrative, physical, and technical safeguards for electronic PHI
  • Breach Notification Rule — How you detect, report, and respond to breaches

Each area has specific “key activities” auditors evaluate. That’s your checklist. Use it.

What Auditors Actually Examine

1. Risk Assessments

This is the number one finding in HIPAA audits: not having a current, comprehensive risk assessment.

An auditor wants to see:

  • A written risk analysis covering all systems that touch ePHI
  • Identification of threats and vulnerabilities
  • An assessment of the likelihood and potential impact of each risk
  • A documented plan to address each identified risk
  • Evidence the plan is being executed

Most practices either have no risk assessment, one that’s years old, or one that’s so generic it’s useless. Your risk assessment needs to be specific to your practice, your systems, and your workflows.

2. Policies and Procedures

Auditors don’t just want to see policies exist. They want to see policies that match what you actually do.

Key policies auditors examine:

  • Access management and user authentication
  • Workforce training requirements
  • Incident response procedures
  • Data backup and disaster recovery
  • Mobile device and remote access policies
  • Sanction policies for workforce violations

The gap that kills practices: writing policies nobody follows. If your policy says you rotate passwords every 90 days but nobody actually does it, that’s worse than not having the policy. Auditors interview staff. Inconsistencies surface fast.

3. Business Associate Agreements

Every vendor that touches PHI needs a signed BAA. Not a handshake. Not an email. A proper, current, signed agreement.

Common BAA failures:

  • Missing BAAs entirely for vendors handling PHI
  • Outdated BAAs that don’t reflect current arrangements
  • BAAs that don’t include required provisions
  • Assuming your EHR vendor’s agreement covers all their subcontractors (it doesn’t always)

Audit your vendor list. If a company can access, transmit, or store PHI, you need a BAA. That includes your IT support, cloud backup provider, email hosting, billing service, and anyone else who might touch patient data.

4. Training Documentation

Auditors want proof that every workforce member — including volunteers and temporary staff — has received HIPAA training. Not just once. Ongoing.

What they look for:

  • Initial training for all new workforce members
  • Annual refresher training
  • Training on policy changes and new threats
  • Signed acknowledgments
  • Training on breach notification procedures

“I think we did training last year” doesn’t count. You need dates, attendance records, and content outlines.

5. Physical Safeguards

Don’t overlook the physical environment. Auditors check:

  • Workstation positioning — can patients or visitors see screens displaying PHI?
  • Door locks and access controls for areas where PHI is stored
  • Visitor sign-in logs and escort policies
  • Disposal procedures for paper records and equipment
  • Clean desk policies and enforcement

6. Technical Safeguards

Auditors evaluate:

  • Access controls — unique user IDs, automatic logoff, emergency access procedures
  • Audit controls — logs showing who accessed what and when
  • Integrity controls — how you ensure ePHI isn’t altered improperly
  • Transmission security — encryption for data in transit
  • Encryption at rest for stored ePHI
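
As an added illustration (not code from the original post), the Python below shows the kind of audit-control review an auditor expects: rebuild "who accessed what and when" from an ePHI access log, and flag shared logins that defeat the unique-user-ID requirement and exports outside business hours. The log format, account names, record IDs and business hours are constructed assumptions, not a real EHR's format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample ePHI access log (not a real EHR format):
# timestamp, user id, action, record id.
SAMPLE_LOG = """\
2024-03-04T09:02:11 jsmith VIEW patient/10422
2024-03-04T09:05:40 frontdesk VIEW patient/10431
2024-03-04T09:06:02 jsmith UPDATE patient/10422
2024-03-04T09:40:17 frontdesk VIEW patient/10450
2024-03-04T23:15:55 mlee EXPORT patient/10500
2024-03-04T23:16:30 mlee EXPORT patient/10501
"""

# Generic logins shared by several people defeat the unique-user-ID
# requirement; this list is an assumption made for the example.
SHARED_ACCOUNTS = {"frontdesk", "admin", "nurse", "reception"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(VIEW|UPDATE|EXPORT|DELETE)\s+(\S+)$")


def parse_log(text):
    """Return (timestamp, user, action, record) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, action, record = m.groups()
            events.append((datetime.fromisoformat(ts), user, action, record))
    return events


def access_report(events):
    """Who accessed what and when: user -> sorted list of (time, action, record)."""
    report = defaultdict(list)
    for ts, user, action, record in events:
        report[user].append((ts.isoformat(), action, record))
    return {user: sorted(rows) for user, rows in report.items()}


def audit_findings(events, business_hours=(7, 19)):
    """Flag shared-account use and after-hours exports for reviewer follow-up."""
    findings = []
    for ts, user, action, record in events:
        if user in SHARED_ACCOUNTS:
            findings.append(("shared-account", user, record))
        if action == "EXPORT" and not business_hours[0] <= ts.hour < business_hours[1]:
            findings.append(("after-hours-export", user, record))
    return findings
```

Run `audit_findings(parse_log(SAMPLE_LOG))` to list the flagged events; each finding is a starting point for the reviewer, not proof of a violation on its own.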

Common Findings That Get Practices in Trouble

Based on OCR enforcement data and audit results, these come up repeatedly:

No risk assessment. This is the single most common finding. If you don’t have one, you fail. Period.

Insufficient BAAs. Practices routinely miss vendors that need agreements, especially cloud services and IT providers.

No sanctions policy or unenforced sanctions. Having a policy you never use is a finding.

Inadequate training. One-time training at hire isn’t sufficient. Neither is training with no documentation.

Missing or incomplete incident response plan. When a breach happens, you need a written plan that tells your team exactly what to do. Not a mental note.

Failure to conduct periodic reviews. Policies, risk assessments, and BAAs aren’t set-it-and-forget-it. They need regular review and updates.

The Penalty Reality

HIPAA violations carry civil monetary penalties from $100 to $50,000 per violation, up to $1.5 million per category per year. Willful neglect with no correction? That’s the top tier.

But the real cost isn’t always the fine. It’s the corrective action plan that OCR can impose, requiring you to:

  • Hire a compliance officer
  • Implement specific technical controls
  • Submit regular reports to HHS for years
  • Pay for annual independent audits

A practice I consulted with spent more on remediation than they would have on compliance — by a factor of ten.

Your Pass-the-Audit Checklist

  1. Complete a risk assessment — Use the NIST framework or hire someone who knows what they’re doing. Update it annually.
  2. Write policies that match reality — Don’t document aspirations. Document what you actually do. Then do what you documented.
  3. Get BAAs for every vendor — Audit your full vendor list. If they touch PHI, get the agreement signed.
  4. Train your people — Initial training, annual refreshers, and documentation for every session.
  5. Implement technical safeguards — Encryption, access controls, audit logs. These aren’t optional.
  6. Create an incident response plan — Write it, test it, and update it.
  7. Document everything — If it’s not documented, it didn’t happen. Auditors work on evidence, not intentions.
  8. Review periodically — Set calendar reminders for annual reviews of your risk assessment, policies, and BAAs.

The Bottom Line

HIPAA compliance isn’t about perfection. It’s about reasonable and appropriate efforts. Auditors understand that small practices have different resources than hospital systems. What they don’t excuse is willful neglect.

Start with the risk assessment. Fix the gaps you find. Document what you’re doing. Then maintain it.

That’s how you pass an audit. Not with expensive software or consultant reports, but with consistent execution of the basics.

If you need help getting your compliance house in order, that’s what we do. Reach out and let’s make sure you’d pass tomorrow.
