HIPAA audits can be conducted at random, but random audits have fallen mostly on large organisations. As of March 2019, HHS had randomly selected 9 health plans and clearinghouses for Compliance Reviews. In the past HHS has also sent questionnaires to health care organisations at random and used the answers to decide which organisations to audit.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) began conducting HIPAA audits with a pilot programme in 2011-2012 and has run them periodically since. OCR audits covered entities and business associates to check that they follow the HIPAA Privacy, Security, and Breach Notification Rules. The goal of an audit is to confirm that paper and electronic PHI remain secure, private and protected. During the audit, OCR assesses your organisation's security policies, controls, and processes.
From 2016 to 2017, OCR audited 166 covered entities and 41 business associates. An audit typically starts with a request for documents and data: OCR may ask for data records, policies, procedures, training records, or other details. Once OCR has this information it needs time to review it and reach a conclusion. The audit can be resolved quickly if everything submitted supports the conclusion that your organisation is HIPAA compliant. After the audit, OCR issues a report of its findings, and the healthcare organisation has the opportunity to respond to those findings.
HIPAA also requires covered entities and business associates to evaluate their own compliance periodically, and an annual internal audit is the baseline most organisations adopt. Many large organisations audit themselves twice a year or even quarterly, depending on whether there have been changes in technology, policies, procedures, or similar.