HIPAA Security Audit: The Complete Guide to Safeguards, Specifications, and Penalties
Alexander Sverdlov
Security Analyst

Two years ago, I walked into a 120-bed specialty clinic in Virginia to help them prepare for their first HIPAA security audit. The CIO — a sharp, experienced operator — was convinced they were in good shape. They had antivirus on every workstation, a firewall at the perimeter, and an annual training slide deck that employees clicked through every January.
Within 48 hours, we discovered that their risk analysis hadn’t been updated since 2019, three former employees still had active VPN credentials, backup tapes were stored in an unlocked supply closet, and their audit logs hadn’t been reviewed in fourteen months. When I showed the CIO the gap list, he stared at it for a long time and said, “We thought we were compliant. We weren’t even close.”
That experience is far more common than most healthcare organizations want to admit. The HIPAA Security Rule is detailed, prescriptive in some areas, and deliberately flexible in others — which makes it easy to convince yourself you’re covered when you’re actually exposed. A proper HIPAA security audit closes that gap between assumption and reality.
This guide covers everything: what a HIPAA security audit evaluates, the three safeguard categories with their 18 standards and the implementation specifications under them, the audit process from start to finish, the penalty structure that can bankrupt a practice, and the practical steps to get audit-ready. Whether you’re a covered entity, a business associate, or a compliance officer preparing for an OCR investigation, this is the reference you need.
Key Takeaways
- A HIPAA security audit examines compliance with the Security Rule’s three safeguard categories: administrative, physical, and technical. Together they contain 18 standards (9 administrative, 4 physical, 5 technical), most with one or more required or addressable implementation specifications
- The most common audit failures are an outdated or missing risk analysis, lack of documented policies, and no evidence of regular audit log reviews
- OCR penalties range from $141 per violation (Tier 1, no knowledge) up to $2,134,831 per violation category annually (Tier 4, willful neglect uncorrected)
- Both covered entities and business associates are directly liable under the Security Rule since the 2013 Omnibus Rule
- A thorough HIPAA security audit typically takes 4–12 weeks depending on organizational size, number of systems processing ePHI, and current maturity
Foundation
What a HIPAA Security Audit Actually Covers
A HIPAA security audit evaluates your organization’s compliance with the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164). Unlike the Privacy Rule, which governs all forms of protected health information, the Security Rule focuses exclusively on electronic protected health information (ePHI) — data created, received, maintained, or transmitted in electronic form.
The Security Rule organizes its requirements into three safeguard categories:
The Three Safeguard Categories
- Administrative Safeguards (§164.308) — Policies, procedures, and organizational actions to manage the selection, development, implementation, and maintenance of security measures. This is the largest category and where most audit failures occur.
- Physical Safeguards (§164.310) — Physical measures, policies, and procedures to protect electronic information systems, buildings, and equipment from natural and environmental hazards and unauthorized intrusion.
- Technical Safeguards (§164.312) — Technology and the policies and procedures for its use that protect ePHI and control access to it.
Each category contains standards (mandatory objectives) and implementation specifications that are either required (must be implemented) or addressable (must be assessed and either implemented, implemented with an alternative measure, or documented as not reasonable and appropriate). A critical misconception: “addressable” does not mean “optional.” You must document your decision and rationale either way.
The audit also examines compliance with the Organizational Requirements (§164.314) — particularly Business Associate Agreements — and Policies, Procedures, and Documentation Requirements (§164.316), which mandate written policies and a six-year document retention period.
Reference
Key HIPAA Security Rule Implementation Specifications
During a HIPAA security audit, auditors evaluate every standard and implementation specification in the Rule. The table below lists the specifications that most often appear in findings; the remaining physical and technical specifications are described under each safeguard category later in this guide. Understanding these in detail is the first step toward closing gaps before an auditor finds them.
| # | Specification | Category | Type | What It Requires |
|---|---|---|---|---|
| 1 | Risk Analysis | Administrative | Required | Conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI |
| 2 | Risk Management | Administrative | Required | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level |
| 3 | Sanction Policy | Administrative | Required | Apply appropriate sanctions against workforce members who fail to comply with security policies and procedures |
| 4 | Information System Activity Review | Administrative | Required | Regularly review records of information system activity such as audit logs, access reports, and security incident tracking reports |
| 5 | Authorization and/or Supervision | Administrative | Addressable | Implement procedures for the authorization and/or supervision of workforce members who work with ePHI |
| 6 | Workforce Clearance Procedure | Administrative | Addressable | Implement procedures to determine that the access of a workforce member to ePHI is appropriate |
| 7 | Termination Procedures | Administrative | Addressable | Implement procedures for terminating access to ePHI when employment ends or access is no longer required |
| 8 | Security Reminders | Administrative | Addressable | Periodic security updates and reminders delivered to all workforce members |
| 9 | Protection from Malicious Software | Administrative | Addressable | Procedures for guarding against, detecting, and reporting malicious software |
| 10 | Log-in Monitoring | Administrative | Addressable | Procedures for monitoring log-in attempts and reporting discrepancies |
| 11 | Password Management | Administrative | Addressable | Procedures for creating, changing, and safeguarding passwords |
| 12 | Data Backup Plan | Administrative | Required | Establish and implement procedures to create and maintain retrievable exact copies of ePHI |
| 13 | Disaster Recovery Plan | Administrative | Required | Establish and implement procedures to restore any loss of data |
| 14 | Emergency Mode Operation Plan | Administrative | Required | Establish and implement procedures to enable continuation of critical business processes during an emergency |
| 15 | Testing and Revision Procedures | Administrative | Addressable | Implement procedures for periodic testing and revision of contingency plans |
| 16 | Applications and Data Criticality Analysis | Administrative | Addressable | Assess the relative criticality of specific applications and data in support of contingency plan components |
| 17 | Unique User Identification | Technical | Required | Assign a unique name and/or number for identifying and tracking user identity |
| 18 | Automatic Logoff | Technical | Addressable | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity |
Important Distinction
Implementation specifications marked “addressable” still require formal documentation. If you determine a specification is not reasonable and appropriate for your environment, you must document why and implement an equivalent alternative measure if reasonable. Leaving an addressable specification blank with no documentation is a compliance violation.
Category 1
Administrative Safeguards: Where Most Audits Fail
Administrative safeguards comprise over half of the Security Rule’s requirements and account for the majority of findings in a HIPAA security audit. These aren’t technology controls — they’re the management processes that make technology controls effective. Here’s what auditors examine in each area.
Risk Analysis and Risk Management (§164.308(a)(1))
This is the foundation of the entire Security Rule and the single most cited deficiency in OCR enforcement actions. A compliant risk analysis must:
- Identify every system that creates, receives, maintains, or transmits ePHI
- Identify and document reasonably anticipated threats and vulnerabilities
- Assess current security measures and their effectiveness
- Determine the likelihood of threat occurrence and potential impact
- Assign risk levels and document decisions for each identified risk
- Be updated whenever the environment changes — not just annually
Common Mistake
Running a vulnerability scan and calling it a “risk analysis” is insufficient. OCR has explicitly stated that a vulnerability scan is not a risk analysis. The analysis must include threat identification, vulnerability identification, risk determination, and a risk management plan — not just a list of technical CVEs. If your risk analysis is a PDF export from a scanning tool, you have a problem.
The risk management plan flows directly from the risk analysis. Each identified risk must have a documented remediation action, responsible owner, target completion date, and status. Auditors will compare your risk analysis findings against your risk management plan to verify that gaps are being actively addressed — not just documented and forgotten.
Workforce Security (§164.308(a)(3))
Workforce security addresses who can access ePHI and how their access is managed throughout the employment lifecycle. The audit evaluates three addressable specifications:
- Authorization and/or Supervision: Documented procedures defining who approves workforce access to ePHI, how access levels are determined, and how supervised access works for trainees and temporary staff
- Workforce Clearance Procedure: Background checks, role-based access determination, and verification that each person’s access level matches their job function
- Termination Procedures: Documented process for revoking all access when an employee leaves — including VPN, email, EHR, cloud applications, physical keys, and badges. Auditors will often cross-reference your HR termination list against active directory and application access logs
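The cross-check in that last bullet is easy to automate, and running it yourself before the auditor does is the point. The following is an added example, not code from the article: it reconciles a constructed HR roster against constructed account exports from Active Directory, the EHR and the VPN, and reports enabled accounts that belong to terminated workers (including any login after the termination date), enabled accounts with no HR record at all, and accounts dormant beyond a threshold. The field names, the 90-day dormancy window and all sample data are assumptions.

```python
"""Termination-list reconciliation for an ePHI access review.

Added example (not from the article). Cross-references an HR roster
against per-system account exports and reports accounts that should
have been disabled. All names, dates and thresholds below are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

DORMANT_DAYS = 90  # assumption: local policy threshold, not a HIPAA number


@dataclass(frozen=True)
class Account:
    system: str          # e.g. "AD", "EHR", "VPN"
    username: str
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    reason: str


# Constructed HR roster: employee id -> (username, termination date or None)
HR_ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "E100": ("jdoe", None),
    "E101": ("msmith", date(2025, 11, 30)),
    "E102": ("rlee", date(2025, 1, 15)),
    "E103": ("akhan", None),
}

# Constructed account exports from three systems
ACCOUNT_EXPORTS: List[Account] = [
    Account("AD", "jdoe", True, date(2026, 3, 1)),
    Account("AD", "msmith", True, date(2025, 11, 28)),        # terminated, still enabled
    Account("AD", "rlee", False, date(2025, 1, 14)),          # terminated and disabled: fine
    Account("VPN", "msmith", True, date(2025, 12, 2)),        # login AFTER termination
    Account("VPN", "rlee", True, None),                       # terminated, never disabled
    Account("EHR", "jdoe", True, date(2026, 2, 27)),
    Account("EHR", "akhan", True, date(2025, 10, 1)),         # current employee, dormant
    Account("EHR", "svc_interface", True, date(2026, 3, 2)),  # no HR record at all
]


def reconcile(roster, accounts, as_of, dormant_days=DORMANT_DAYS):
    """Return findings for enabled accounts that fail the termination/dormancy checks."""
    term_by_user = {user: term for (user, term) in roster.values()}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account is the desired end state
        if acct.username not in term_by_user:
            findings.append(Finding(acct.system, acct.username,
                                    "enabled account with no HR record; needs a documented owner"))
            continue
        term = term_by_user[acct.username]
        if term is not None:
            reason = f"still enabled after termination on {term}"
            if acct.last_login is not None and acct.last_login > term:
                reason += f"; last login {acct.last_login} is AFTER termination"
            findings.append(Finding(acct.system, acct.username, reason))
            continue
        if acct.last_login is None or (as_of - acct.last_login).days > dormant_days:
            findings.append(Finding(acct.system, acct.username,
                                    f"dormant: no login in the last {dormant_days} days"))
    return findings


def run_review(as_of=date(2026, 3, 10)):
    """Run the reconciliation over the constructed data and return the findings."""
    return reconcile(HR_ROSTER, ACCOUNT_EXPORTS, as_of)


if __name__ == "__main__":
    for f in run_review():
        print(f"[{f.system}] {f.username}: {f.reason}")
```

The login-after-termination case is the one to escalate first: it is evidence that the credential was used, not merely left behind, and it belongs in your security incident log as well as the access review record. Keep the script's output with the date and the exports it consumed; that is the review evidence an auditor will ask for.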
Information Access Management (§164.308(a)(4))
This standard requires a formal process for granting access to ePHI. It has three implementation specifications: isolating health care clearinghouse functions (required, and relevant only when a clearinghouse operates inside a larger organization), access authorization (addressable), and access establishment and modification (addressable). Auditors look for documented role-based access policies, access request and approval workflows, and periodic access reviews that verify current access levels remain appropriate. Organizations working with HITRUST frameworks will find significant overlap here.
Security Awareness and Training (§164.308(a)(5))
A HIPAA security audit doesn’t just check whether you have a training program — it evaluates whether the program is effective and ongoing. The four addressable specifications include:
- Security Reminders: Regular communications about security threats, policy updates, and best practices (newsletters, emails, posters, short briefings)
- Protection from Malicious Software: Training staff to recognize phishing, ransomware, and social engineering — not just installing antivirus
- Log-in Monitoring: Procedures for monitoring log-in attempts (failed logins, logins at unusual hours or from unexpected locations) and reporting discrepancies, together with making the workforce aware of what is monitored and how to report suspicious access
- Password Management: Training on creating strong passwords, using password managers, and never sharing credentials
Auditors will request training records, completion rates, and evidence of ongoing security awareness activities. A once-a-year slide deck with no tracking of completion is a red flag.
Contingency Planning (§164.308(a)(7))
Contingency planning ensures that ePHI remains available during and after an emergency. The audit evaluates five specifications:
- Data Backup Plan (Required): Documented procedures for creating retrievable, exact copies of ePHI. Auditors will verify backup frequency, testing schedules, and offsite storage
- Disaster Recovery Plan (Required): Procedures to restore any loss of data, including recovery time objectives and recovery point objectives
- Emergency Mode Operation Plan (Required): How critical business processes continue during emergencies like ransomware attacks, natural disasters, or power failures
- Testing and Revision Procedures (Addressable): Evidence of periodic testing (tabletop exercises, failover tests) and plan updates based on test results
- Applications and Data Criticality Analysis (Addressable): A documented assessment ranking systems and data by criticality to prioritize recovery efforts
In practice, the organizations that perform well in this area conduct at least one tabletop disaster recovery exercise per year and can produce documented results. Performing a comprehensive IT security audit annually helps identify gaps in contingency planning before they become compliance issues.
Category 2
Physical Safeguards: Securing the Environment
Physical safeguards are often underestimated in a HIPAA security audit, especially by organizations that have invested heavily in cybersecurity technology. But a sophisticated firewall means nothing if someone can walk into your server room unchallenged.
Facility Access Controls (§164.310(a))
This standard requires policies and procedures to limit physical access to electronic information systems and the facilities in which they are housed. Auditors evaluate four addressable specifications:
- Contingency Operations: Procedures allowing facility access in support of restoration of lost data during disaster recovery
- Facility Security Plan: Documented safeguards to protect the facility and equipment from unauthorized access, tampering, and theft
- Access Control and Validation Procedures: Procedures to control and validate physical access based on role or function — visitor logs, badge systems, escort policies
- Maintenance Records: Documentation of repairs and modifications to physical security components (locks, walls, doors, cameras)
Workstation Use and Security (§164.310(b)–(c))
Two related standards govern workstations. Workstation Use requires policies specifying the proper functions, physical attributes, and manner of accessing ePHI from workstations. Workstation Security requires physical safeguards restricting access to workstations that access ePHI.
In practice, this means auditors will check whether:
- Workstations in public areas have privacy screens and automatic screen locks
- Laptop encryption is enforced for devices that leave the facility
- Work-from-home policies address physical security of remote workstations
- Shared workstations (nursing stations, reception desks) have individual login requirements
Device and Media Controls (§164.310(d))
This standard addresses the lifecycle of hardware and electronic media containing ePHI. It includes two required and two addressable specifications:
- Disposal (Required): Documented procedures for the final disposition of ePHI and/or hardware or electronic media on which it is stored — including certificates of destruction
- Media Re-use (Required): Procedures for removal of ePHI from electronic media before the media is made available for re-use
- Accountability (Addressable): Maintaining a record of hardware and media movements and the persons responsible
- Data Backup and Storage (Addressable): Creating a retrievable copy of ePHI before moving equipment
Category 3
Technical Safeguards: Technology Controls for ePHI
Technical safeguards are the technology and procedures that protect ePHI and control access. During a HIPAA security audit, this is where auditors get hands-on — requesting system configurations, reviewing access control lists, and examining encryption implementations.
Access Control (§164.312(a))
Access control requires technical policies and procedures allowing only authorized persons and software programs to access ePHI. The four specifications include:
- Unique User Identification (Required): Every user who accesses systems containing ePHI must have a unique identifier. No shared accounts, no generic “admin” credentials used by multiple people
- Emergency Access Procedure (Required): Documented procedures for obtaining necessary ePHI during an emergency — break-glass accounts with audit trails
- Automatic Logoff (Addressable): Session timeout settings that terminate inactive sessions — especially critical for shared clinical workstations
- Encryption and Decryption (Addressable): Mechanisms to encrypt ePHI at rest. While addressable, the practical reality is that encryption at rest is expected by OCR in virtually all environments
Audit Controls (§164.312(b))
This standard requires hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI. A proper audit control implementation includes:
- Centralized log collection from all systems processing ePHI (EHR, email, cloud platforms, network devices)
- Log retention periods set by policy from your risk analysis and any state-law or contractual requirements. The Security Rule’s six-year retention period (§164.316(b)(2)) applies to required documentation, which includes the records of your log reviews; it does not itself set a retention period for the raw logs
- Regular log review procedures with documented findings and follow-up actions
- Tamper-evident or immutable log storage to prevent evidence destruction
Auditors will specifically ask: “How often do you review your audit logs, and can you show me the documentation from the last three reviews?” If you can’t produce that evidence, you have a finding. A virtual CISO can help establish these review processes without the overhead of a full-time security executive.
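What a documented review looks like in practice, as an added example that is not from the article: a script that parses a constructed batch of EHR access-log lines, applies three review rules (record views by roles with no clinical need, bulk exports above a threshold, and bursts of failed logins, which also exercises the log-in monitoring specification from the training standard above) and emits a dated review record naming the reviewer, the period covered and the findings. The log format, the role names and the thresholds are assumptions.

```python
"""Information-system activity review over sample EHR access-log lines.

Added example (not from the article). The log format, role names and
thresholds are assumptions, and the log lines are constructed. The
output is the artifact an auditor asks for: a dated review record that
says what was reviewed, by whom, and what was flagged for follow-up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one event per line, key=value fields after an ISO timestamp
SAMPLE_LOG = """\
2026-03-02T14:03:11 user=nurse.kim role=RN action=VIEW patient=P-2231 result=OK
2026-03-02T14:05:40 user=guard.ortiz role=SECURITY action=VIEW patient=P-1180 result=OK
2026-03-02T14:06:02 user=guard.ortiz role=SECURITY action=VIEW patient=P-1183 result=OK
2026-03-02T09:00:01 user=billing.lu role=BILLING action=EXPORT patient=* result=OK count=4800
2026-03-02T09:12:00 user=it.admin role=IT action=LOGIN result=FAIL
2026-03-02T09:12:07 user=it.admin role=IT action=LOGIN result=FAIL
2026-03-02T09:12:15 user=it.admin role=IT action=LOGIN result=FAIL
2026-03-02T09:12:21 user=it.admin role=IT action=LOGIN result=FAIL
2026-03-02T09:12:30 user=it.admin role=IT action=LOGIN result=FAIL
2026-03-02T09:13:02 user=it.admin role=IT action=LOGIN result=OK
2026-03-02T16:40:10 user=dr.patel role=MD action=VIEW patient=P-0091 result=OK
2026-03-03T11:00:00 user=nurse.kim role=RN action=LOGIN result=FAIL
"""

# Review rules (assumptions; derive yours from role definitions and the risk analysis)
VIEW_PERMITTED_ROLES = {"MD", "RN", "PA", "BILLING"}
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
BULK_EXPORT_THRESHOLD = 1000

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one log line into a dict with a datetime under 'ts'; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        rec = {"ts": datetime.fromisoformat(m.group("ts"))}
    except ValueError:
        return None
    rec.update(KV_RE.findall(m.group("kv")))
    return rec


def review(log_text):
    """Apply the review rules; return (records parsed, findings)."""
    records = [r for r in (parse_line(line) for line in log_text.splitlines()) if r]
    findings = []
    failed_logins = defaultdict(list)
    for r in records:
        action = r.get("action")
        if action == "VIEW" and r.get("role") not in VIEW_PERMITTED_ROLES:
            findings.append(("ROLE_VIOLATION", r["user"], f"{r['role']} viewed {r['patient']}"))
        elif action == "EXPORT" and int(r.get("count", 0)) > BULK_EXPORT_THRESHOLD:
            findings.append(("BULK_EXPORT", r["user"], f"exported {r['count']} records"))
        elif action == "LOGIN" and r.get("result") == "FAIL":
            failed_logins[r["user"]].append(r["ts"])
    # Sliding window: N failures for one user inside the window counts once
    for user, times in failed_logins.items():
        times.sort()
        for i in range(len(times) - FAILED_LOGIN_THRESHOLD + 1):
            if times[i + FAILED_LOGIN_THRESHOLD - 1] - times[i] <= FAILED_LOGIN_WINDOW:
                findings.append(("FAILED_LOGIN_BURST", user,
                                 f"{FAILED_LOGIN_THRESHOLD} failed logins within {FAILED_LOGIN_WINDOW}"))
                break
    return records, findings


def review_record(log_text, reviewer, reviewed_on):
    """Build the evidence record that documents the review itself."""
    records, findings = review(log_text)
    stamps = [r["ts"] for r in records]
    period = (min(stamps).date().isoformat(), max(stamps).date().isoformat()) if stamps else None
    return {
        "reviewed_on": reviewed_on,
        "reviewer": reviewer,
        "lines_reviewed": len(records),
        "period": period,
        "findings": findings,
        "follow_up_required": bool(findings),
    }


if __name__ == "__main__":
    rec = review_record(SAMPLE_LOG, reviewer="security.officer", reviewed_on="2026-03-05")
    print(f"Reviewed {rec['lines_reviewed']} events covering {rec['period']}")
    for kind, user, detail in rec["findings"]:
        print(f"  {kind:<20} {user:<14} {detail}")
```

The role rule is deliberately simple: a security role viewing a patient record has no legitimate explanation in most environments, so it is flagged on sight rather than scored. The review record, not the raw findings, is what you retain; store it with the reviewer's name and date so the "show me the last three reviews" question has a direct answer.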
Integrity Controls (§164.312(c))
Integrity controls ensure that ePHI is not improperly altered or destroyed. The standard has one addressable specification — Mechanism to Authenticate Electronic Protected Health Information — which requires implementing electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. In practice, this means:
- Checksums or hash verification for data at rest
- Database integrity monitoring and change detection
- Version control and audit trails in EHR systems
- File integrity monitoring (FIM) on critical systems
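A minimal version of the checksum and file-integrity mechanism in the list above, written here as an added example rather than taken from the article: it baselines a directory with SHA-256, signs the baseline with an HMAC so an intruder who edits a file cannot also quietly rewrite the baseline, and reports added, removed and modified files. The directory contents and the review key are constructed for the demo; in production the key lives off the monitored host and the manifest on separate or write-once storage.

```python
"""File-integrity baseline with an HMAC-signed manifest.

Added example (not from the article). Baselines a directory with
SHA-256, signs the baseline with an HMAC so that whoever alters a file
cannot also silently rewrite the baseline, and reports added, removed
and modified files. The directory contents and the review key are
constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import tempfile

REVIEW_KEY = b"constructed-review-key-do-not-use"  # assumption: demo key only


def sha256_file(path):
    """Stream a file through SHA-256 so large exports need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def sign_manifest(baseline, key):
    """Attach an HMAC-SHA256 over the canonical JSON form of the baseline."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return {"baseline": baseline, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(manifest, key):
    """True only if the manifest body still matches its HMAC under this key."""
    body = json.dumps(manifest["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def compare(baseline, current):
    """Diff two baselines into added, removed and modified relative paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed walk-through: baseline, tamper, detect. Returns the results."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "ehr.conf")
        job = os.path.join(root, "export_job.py")
        with open(conf, "w") as f:
            f.write("audit_log=on\n")
        with open(job, "w") as f:
            f.write("print('nightly export')\n")
        manifest = sign_manifest(build_baseline(root), REVIEW_KEY)

        # Simulated tampering: audit logging switched off, a cleanup script
        # dropped, the export job deleted.
        with open(conf, "w") as f:
            f.write("audit_log=off\n")
        with open(os.path.join(root, "cleanup.sh"), "w") as f:
            f.write("rm -f /var/log/ehr/*\n")
        os.remove(job)

        diff = compare(manifest["baseline"], build_baseline(root))

        # An intruder who also rewrites the stored baseline to match the
        # tampered tree cannot produce a valid HMAC without the review key.
        forged = {"baseline": build_baseline(root), "hmac": manifest["hmac"]}

        return {
            "manifest_valid": verify_manifest(manifest, REVIEW_KEY),
            "diff": diff,
            "forged_manifest_valid": verify_manifest(forged, REVIEW_KEY),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Scope the baseline to files whose silent change would matter to ePHI handling (interface and export configurations, scheduled jobs, application binaries) rather than to the data files themselves, which change legitimately all day; database-level change tracking covers those. Run the comparison on a schedule and keep the dated diffs, since they double as review evidence under the audit controls standard.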
Transmission Security (§164.312(e))
Transmission security protects ePHI when it is transmitted over electronic networks. The two addressable specifications are:
- Integrity Controls: Security measures to ensure that electronically transmitted ePHI is not improperly modified without detection
- Encryption: Mechanisms to encrypt ePHI in transit. Auditors will check for TLS 1.2+ on all web interfaces, encrypted email (or secure portal alternatives), VPN for remote access, and encrypted connections to cloud services
Pro Tip
While encryption for data at rest and in transit is technically “addressable,” choosing not to encrypt in 2026 requires an extremely compelling documented justification. OCR settlements involving lost or stolen unencrypted devices have repeatedly resulted in significant penalties. There is also a direct incentive: ePHI encrypted in line with HHS guidance does not count as “unsecured PHI,” so losing a properly encrypted laptop is not a reportable breach, while losing an unencrypted one is. Treat encryption as required.
Process
The HIPAA Security Audit Process: Step by Step
Whether you’re preparing for an internal audit, engaging a third-party assessor, or responding to an OCR desk audit, the HIPAA security audit process follows a consistent structure. Here’s what to expect at each stage.
Step 1: Define Scope and Objectives
The audit begins by defining what’s in scope. This includes identifying all locations, systems, applications, and business associates that create, receive, maintain, or transmit ePHI. For organizations operating across multiple sites or using cloud services extensively, scoping alone can take one to two weeks. The output is a documented scope statement and an ePHI inventory.
Step 2: Document Request and Evidence Collection
The auditor issues a document request list covering all Security Rule standards. Typical requests include your current risk analysis, risk management plan, written policies and procedures, workforce training records, Business Associate Agreements, incident response plans, contingency plans, access control configurations, and audit log samples. Organizations that work with a SOC 2 readiness partner often find significant evidence overlap.
Step 3: Policy and Procedure Review
Auditors review all documented policies and procedures against Security Rule requirements. They check that policies are comprehensive, current (the Rule requires periodic review and updating; auditors generally expect evidence of review within the last 12 months), approved by management, and distributed to the workforce. Missing policies or policies that haven’t been updated since initial creation are common findings.
Step 4: Technical Assessment and Control Testing
This is where the audit moves from documentation to verification. Auditors examine system configurations, test access controls, review encryption implementations, verify backup and recovery procedures, and assess network security architecture. They may conduct vulnerability scanning to identify technical weaknesses. The goal is to determine whether your documented controls are actually implemented and operating effectively.
Step 5: Interviews and Walkthroughs
Auditors interview key personnel — the Security Officer, IT administrators, HR, facility managers, and frontline staff — to verify that documented procedures reflect actual practice. Physical walkthroughs of facilities assess physical safeguards: server room access, workstation placement, visitor procedures, and media disposal practices.
Step 6: Gap Analysis and Risk Assessment
The auditor compiles all findings into a gap analysis, mapping each Security Rule requirement to its current compliance status. Gaps are rated by severity and risk level. This analysis forms the foundation of the audit report and drives the remediation plan.
Step 7: Reporting and Remediation Planning
The final audit report details all findings, their risk ratings, and specific recommendations for remediation. A strong audit report prioritizes findings so you can address the highest-risk gaps first. The remediation plan assigns owners, deadlines, and success criteria for each finding. Many organizations then engage in a follow-up assessment 90 to 180 days later to verify remediation.
Typical HIPAA Security Audit Timeline
| Phase | Duration | Key Activities |
|---|---|---|
| Scoping | 1–2 weeks | ePHI inventory, system identification, scope definition |
| Evidence Collection | 2–3 weeks | Document gathering, policy review, configuration exports |
| Assessment | 2–4 weeks | Control testing, interviews, walkthroughs, vulnerability scanning |
| Reporting | 1–2 weeks | Gap analysis, risk ratings, remediation plan, final report |
| Remediation | Ongoing (90–180 days typical) | Implementing fixes, follow-up validation, evidence updates |
Enforcement
HIPAA Penalty Tiers: What Non-Compliance Actually Costs
The HITECH Act established a tiered penalty structure for HIPAA violations, which HHS adjusts annually for inflation and publishes at 45 CFR 102.3. Understanding these tiers is essential context for any HIPAA security audit because they define the financial stakes of non-compliance. The amounts below are the most recent inflation adjustment at the time of writing:
| Tier | Culpability Level | Per Violation | Annual Maximum per Violation Category |
|---|---|---|---|
| Tier 1 | Did not know (and would not have known by exercising reasonable diligence) | $141 – $71,162 | $2,134,831 |
| Tier 2 | Reasonable cause (not willful neglect) | $1,424 – $71,162 | $2,134,831 |
| Tier 3 | Willful neglect, corrected within 30 days | $14,232 – $71,162 | $2,134,831 |
| Tier 4 | Willful neglect, not corrected within 30 days | $71,162 – $2,134,831 | $2,134,831 |
Note that the regulation sets the same inflation-adjusted annual cap for every tier; the $71,162 figure is the per-violation maximum for Tiers 1 to 3, not an annual limit. Separately, under a Notice of Enforcement Discretion issued in April 2019, OCR applies lower annual caps of $25,000, $100,000 and $250,000 (before inflation adjustment) to Tiers 1, 2 and 3 respectively, and the full cap only to Tier 4. Plan around the regulatory figures and treat the discretionary caps as a policy OCR can change.
Beyond Financial Penalties
Financial penalties are only part of the picture. OCR settlements frequently include multi-year Corrective Action Plans (CAPs) requiring ongoing monitoring, independent assessments, and regular reporting to HHS. Criminal violations can result in fines up to $250,000 and imprisonment up to 10 years. State attorneys general can also bring enforcement actions under HITECH, and class-action lawsuits from affected individuals are increasingly common.
Real-World Impact
Recent HIPAA Enforcement Actions Worth Studying
Studying recent OCR enforcement actions reveals exactly what auditors prioritize and where organizations fail most often. These cases illustrate why a thorough HIPAA security audit is not optional.
Banner Health — $1.25 Million (2023)
Banner Health, one of the largest nonprofit health systems in the U.S., agreed to a $1.25 million settlement after a 2016 hacking incident affected nearly 3 million individuals. OCR’s investigation found that Banner Health failed to conduct an enterprise-wide risk analysis, lacked sufficient monitoring of health information systems activity, and did not implement adequate procedures to regularly review records of information system activity. The settlement included a two-year corrective action plan.
LA Care Health Plan — $1.3 Million (2023)
LA Care, the largest publicly operated health plan in the U.S., settled for $1.3 million after two breaches: member ID cards mailed with other members’ information, and exposure of member information through its member portal. OCR found that LA Care failed to conduct a thorough risk analysis, did not implement sufficient access controls, and lacked adequate security incident response and reporting procedures. The corrective action plan required implementation of a comprehensive risk analysis program.
Yakima Valley Memorial Hospital — $240,000 (2023)
This case is particularly instructive because it involved an insider threat. Twenty-three security guards used their login credentials to access patient medical records without a job-related purpose. OCR found the hospital failed to implement procedures to regularly review records of information system activity, failed to implement the correct access controls to limit unnecessary access, and lacked adequate audit controls. This case underscores that a HIPAA security audit must evaluate insider threat controls, not just perimeter security.
MedEvolve — $350,000 (2023)
MedEvolve, a business associate providing practice management and revenue cycle management services, settled for $350,000 after an unsecured server exposed the ePHI of over 230,000 individuals. OCR found MedEvolve failed to conduct a risk analysis, did not have a business associate agreement in place with a subcontractor, and lacked access controls for the exposed server. This case reinforces that business associates face the same enforcement exposure as covered entities.
Pattern to Notice
Across nearly every recent enforcement action, two findings appear consistently: (1) failure to conduct or update a comprehensive risk analysis, and (2) failure to implement sufficient audit controls and activity monitoring. If your organization addresses nothing else before a HIPAA security audit, start with these two areas.
Preparation
How to Prepare for a HIPAA Security Audit
Based on hundreds of assessments, here are the highest-impact preparation steps we recommend to clients before a HIPAA security audit.
1. Update your risk analysis. If it’s more than 12 months old or doesn’t reflect current systems and threats, redo it. Include all systems, all locations, all cloud services, and all business associates that touch ePHI.
2. Verify your policy library. Ensure you have written policies covering every Security Rule standard. Each policy should show a review date within the last year, an approval signature, and a version number.
3. Audit your access controls. Run an access review across all systems containing ePHI. Remove terminated employees, disable dormant accounts, and verify that current access levels follow least privilege principles.
4. Review your BAA inventory. Confirm that every vendor or subcontractor with access to ePHI has a current, signed Business Associate Agreement. Check that BAAs include breach notification requirements and security obligations.
5. Test your contingency plans. Conduct at least a tabletop exercise for your disaster recovery and emergency mode operations plans. Document the results and any improvements made.
6. Pull your audit logs. Verify that logs are being collected from all ePHI systems, that retention matches your documented policy (the six-year requirement covers documentation such as your review records, not the raw logs, whose retention should follow your risk analysis), and that you have documentation of regular log review activities.
7. Refresh your training records. Confirm that all current workforce members have completed security awareness training within the last 12 months and that completion records are centrally stored.
8. Conduct a pre-audit self-assessment. Walk through the Security Rule requirements yourself before the auditor does. Document what you find and begin remediation immediately. A HITRUST preparedness engagement can serve as an excellent foundation for HIPAA readiness if your organization is also pursuing HITRUST certification.
Common Questions
HIPAA Security Audit FAQs
1. How often should a HIPAA security audit be conducted?
HIPAA does not specify a fixed audit frequency, but OCR expects the risk analysis to be updated regularly and whenever significant changes occur. Industry best practice is to conduct a comprehensive HIPAA security audit at least annually, with interim assessments after major system changes, mergers, acquisitions, or security incidents. Many organizations on a virtual CISO engagement receive continuous monitoring that functions as an ongoing audit.
2. What is the difference between a HIPAA security audit and a HIPAA risk analysis?
A HIPAA risk analysis is one specific requirement within the Security Rule — it identifies threats and vulnerabilities to ePHI and assesses risk levels. A HIPAA security audit is broader: it evaluates compliance with the entire Security Rule, including the risk analysis plus all administrative, physical, and technical safeguards, organizational requirements, and documentation requirements. The risk analysis is a component of the audit, not a substitute for it.
3. Are business associates required to undergo HIPAA security audits?
Yes. Since the 2013 HIPAA Omnibus Rule, business associates are directly liable for compliance with the Security Rule. This means they must implement all applicable safeguards and can face OCR enforcement actions and penalties independently of the covered entity. If you are a business associate, conducting regular HIPAA security audits is not optional — it’s a legal requirement.
4. How much does a HIPAA security audit cost?
Costs vary significantly based on organizational size and complexity. For small practices (under 50 employees), a third-party HIPAA security audit typically ranges from $15,000 to $40,000. Mid-sized organizations (50–500 employees) can expect $40,000 to $100,000. Large health systems and complex business associates may spend $100,000 to $300,000 or more. These costs are a fraction of what a single OCR penalty or breach could cost.
5. What happens if OCR selects us for a HIPAA audit?
OCR conducts audits through both its formal audit program and investigations triggered by breach reports or complaints. If selected, you will receive a notification letter with a document request list and a deadline (typically 10 business days for a desk audit). You must provide all requested documentation by the deadline. OCR will review your submissions, may request additional information, and will issue a final audit report with findings. If significant violations are found, OCR may initiate a compliance review that can lead to penalties and corrective action plans.
6. Can we conduct a HIPAA security audit internally, or do we need a third party?
HIPAA does not require the use of an external auditor. However, internal audits often lack objectivity and specialized expertise, and OCR gives more weight to assessments conducted by independent parties. Most compliance experts recommend engaging a qualified third-party assessor at least every two to three years while conducting internal assessments in between. An external perspective also identifies blind spots that internal teams routinely miss — as we saw with the Virginia clinic in this article’s opening example.
7. Does passing a HIPAA security audit guarantee we won’t be penalized by OCR?
No. A HIPAA security audit provides a point-in-time assessment of your compliance posture. Compliance is an ongoing obligation, and new vulnerabilities, system changes, or workforce turnover can introduce gaps after an audit. However, a recent, well-documented audit with a demonstrated remediation effort is a significant mitigating factor if OCR investigates. Organizations that can show good-faith compliance efforts consistently receive lower penalties than those that cannot.
8. How does HIPAA security audit overlap with SOC 2 and HITRUST?
There is significant overlap. SOC 2 Trust Service Criteria map to many HIPAA Security Rule requirements, and HITRUST CSF explicitly incorporates HIPAA controls. Organizations pursuing multiple frameworks can leverage a unified control framework to reduce duplication. For example, access control policies, encryption standards, and incident response procedures are common across all three. A SOC 2 readiness engagement often provides 40–60% of the evidence needed for a HIPAA security audit.
Final Thoughts
A HIPAA Security Audit Is an Investment, Not an Expense
Going back to that Virginia clinic: after three months of focused remediation following their first proper HIPAA security audit, they closed 94% of their identified gaps. Their risk analysis was current, access controls were tightened, audit logs were being reviewed monthly, and backup procedures had been tested and verified. When a phishing attempt successfully compromised one staff member’s credentials six months later, their improved monitoring caught it within four hours. Under the old controls, it would have gone undetected for weeks or months.
The cost of that audit and remediation was roughly $85,000. The average cost of a healthcare data breach, according to IBM’s 2023 Cost of a Data Breach Report, was $10.93 million. The math is not complicated.
A HIPAA security audit is not about checking boxes or satisfying a regulator. It is about building a clear, documented understanding of where your security program stands, where the gaps are, and what it will take to close them. It protects your patients, your organization, and your career.
“The organizations that handle HIPAA well aren’t the ones with the biggest budgets. They’re the ones that take the audit seriously, fix what it finds, and build compliance into their daily operations rather than treating it as an annual event.”
Published: March 2026 · Author: Alexander Sverdlov
This article is for informational purposes only and does not constitute legal or professional advice. Penalty amounts reflect inflation-adjusted figures and may be updated by HHS. Organizations should consult qualified legal counsel and compliance professionals for guidance specific to their circumstances.

Alexander Sverdlov
Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.