What Triggers a HIPAA Audit for a Small Clinic?
People use the word “audit” loosely. In HIPAA enforcement, it can mean three different things that feel similar from the clinic’s perspective because they all involve OCR requesting documents and explanations, but they start for different reasons.
A complaint-driven investigation, where someone files a complaint with OCR.
A compliance review, where OCR initiates a review based on an event or signal other than a complaint, often tied to breach reporting or patterns OCR is seeing.
A formal OCR audit under the HIPAA Audit Program, which is a proactive program required by HITECH and is not necessarily connected to any allegation about your clinic.
Understanding which of these you are dealing with matters, because it affects what triggered OCR’s involvement, what OCR will ask for, and how quickly timelines can become real.
Informational note: This article is for informational purposes only and does not constitute legal advice.
1) Complaint-driven investigations: the most common trigger for small clinics
The most frequent trigger for OCR involvement with a small clinic is a complaint. OCR’s own intake guidance makes clear it reviews every complaint it receives, but it can only take action on complaints that meet certain conditions. Two of the most important are that the alleged action must have occurred within the past six years, and the complaint must be against an entity required to comply with the HIPAA Rules, meaning a covered entity or business associate. OCR also lists “clinics” as examples of covered entities when the provider electronically transmits health information in connection with certain standard transactions such as electronic billing.
Once OCR accepts a complaint for investigation, OCR notifies the complainant and the covered entity and then requests information from both sides to understand the facts. Covered entities are required by law to cooperate with OCR complaint investigations. If OCR finds noncompliance, OCR typically tries to resolve it through voluntary compliance, corrective action, and/or a resolution agreement, with civil money penalties as a potential path when the entity does not resolve the matter satisfactorily.
What actually triggers complaints in the real world is usually not sophisticated legal disputes. It is operational friction: a patient denied timely access to records, a dispute about fees, a staff member disclosing information to the wrong person, or a pattern of communication and privacy practices that frustrates patients.
2) Compliance reviews: OCR can initiate scrutiny without a complaint
OCR does not only react to complaints. OCR also initiates compliance reviews due to “a variety of instigating events other than a complaint,” including media reports, referrals from other state and federal agencies, trends in complaints and/or breach reports received, and other ongoing indications of noncompliance identified by OCR staff.
That sentence is worth taking literally. It means OCR can open a review because of what it is seeing across the ecosystem, not only because a specific person complained about your clinic. For a small clinic, the most consequential of these “non-complaint” triggers tends to be breach reporting, because breach reporting creates a formal, time-stamped signal to OCR that something happened.
3) Breach reporting is a major practical trigger for compliance reviews
If a breach of unsecured protected health information affects 500 or more individuals, HHS states the covered entity must notify the Secretary without unreasonable delay and no later than 60 calendar days from discovery, using the breach reporting form.
If a breach affects fewer than 500 individuals, HHS states the covered entity may notify the Secretary on an annual basis and that reports for those smaller breaches are due no later than 60 days after the end of the calendar year in which the breaches were discovered.
Those reporting requirements do not automatically mean OCR will “audit” you in the casual sense, but they do explain why breach reports are a high-signal input into OCR’s compliance review pipeline. OCR’s own enforcement data page explicitly lists “trends in complaints and/or breach reports received” as one of the instigating events that can lead OCR to initiate compliance reviews.
A practical point that small clinics often miss is that “breach reporting” is not only about large hospital events. Smaller incidents can still create compliance exposure if they reveal that the clinic has no risk analysis, no incident procedures, weak access controls, or recurring process failures. OCR’s enforcement approach, as described on HHS pages, focuses heavily on whether the entity’s program and evidence support compliance, not on whether the entity intended harm.
4) The OCR HIPAA Audit Program: proactive audits that are not tied to your incident
The third meaning of “audit” is the formal OCR HIPAA Audit Program. HHS states that HITECH requires HHS to periodically audit covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules.
HHS also states OCR initiated its 2024–2025 HIPAA Audits and that these audits will review 50 covered entities’ and business associates’ compliance with selected provisions of the HIPAA Security Rule most relevant to hacking and ransomware attacks. OCR describes these audits as a way to examine mechanisms for compliance and identify risks and vulnerabilities that may not have been revealed by OCR’s enforcement activities, and it indicates OCR will publish an industry report after the audits are completed.
The reason this matters for a small clinic is that the audit program is not inherently “you did something wrong.” It is proactive. If you are selected, the trigger may simply be that OCR is running an audit cycle and your organization falls into the sampling frame. That is different from an investigation that begins with a patient complaint or a breach report.
5) What OCR typically asks for when scrutiny happens
OCR’s enforcement description makes clear that when a complaint is accepted for investigation, OCR asks both sides to present information and may request specific information to understand the facts.
OCR’s enforcement data page also describes a common resolution pattern: investigations often end with technical assistance or corrective action focused on privacy and security policies, procedures, training, or safeguards.
Translated into what clinics actually experience, OCR commonly asks for evidence that the clinic has a functioning compliance program, not just “we try.” In small clinics, the documents and artifacts that tend to matter most are:
Written policies and procedures that reflect real workflows (privacy, security, access requests, incident response).
Evidence of workforce training and that training is updated when policies change.
Evidence of risk analysis and risk management for ePHI.
Business associate governance where vendors touch PHI.
Evidence that incidents are handled through a consistent internal process, including documentation of outcomes.
OCR’s public materials do not claim every case involves all of these, but they repeatedly point to these categories as the areas where corrective action is obtained when noncompliance is found.
Practical takeaway for small clinics
A “HIPAA audit” of a small clinic is most often triggered by a complaint or by signals that cause OCR to initiate a compliance review, with breach reporting being one of the clearest signals. Separately, OCR runs a formal HIPAA audit program that can select entities for review as part of a proactive cycle.
The difference between a clinic that gets stuck in a long, painful process and a clinic that moves through it efficiently is usually not whether the clinic is perfect. It is whether the clinic has basic program artifacts and can produce them quickly and consistently. That is also where tools can help, not by changing the legal standard, but by making the evidence and workflow management less fragile.
Sources
OCR’s HIPAA Audit Program (HITECH audit requirement; 2024–2025 audits; focus areas and scope).
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
What OCR Considers During Intake and Review of a Complaint (6-year window; covered entity and business associate jurisdiction; clinics as examples).
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/what-ocr-considers-during-intake-and-review/index.html
How OCR Enforces the HIPAA Privacy and Security Rules (investigation steps; required cooperation; typical resolutions).
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html
Enforcement Data (compliance review triggers, including media reports, agency referrals, trends in complaints and breach reports).
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/index.html
Filing a HIPAA Complaint (complaint process entry point).
https://www.hhs.gov/hipaa/filing-a-complaint/index.html
Breach Reporting (500+ individuals, notify within 60 days; reporting mechanics).
https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html
Breach Notification Rule overview (under 500, annual reporting deadline within 60 days after year-end).
https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
45 CFR Part 164 Subpart D (breach notification regulatory framework).
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D