The United States Department of Health and Human Services (HHS) has announced that, in 2026, there will be significant changes to how the Office for Civil Rights (OCR) conducts HIPAA compliance audits. These changes include increased use of technology to perform audits of covered entities and business associates.

These changes apply to every covered entity and business associate, including hospitals, physician groups, billing vendors, software providers, and managed service providers.

Prior to 2026, some believed that audits were only conducted on large systems. That is no longer true. Smaller organizations are just as likely to be targeted by OCR and may even be at greater risk due to their smaller size and possibly less developed compliance programs.

The purpose of this article is to inform organizations about the upcoming changes to audits, what auditors will focus on during these audits, and to provide guidance so organizations can take proactive steps to prepare for OCR enforcement actions.

Why Enforcement Is Increasing

Enforcement of the Health Insurance Portability and Accountability Act (HIPAA) has been steadily increasing since 2019. While most of the enforcement has received national attention through large breach settlement notices, enforcement through Corrective Action Plans (CAPs) has become much more prevalent. Enforcement is no longer limited to organizations that experience large-scale data breaches. HHS is proactively auditing organizations to ensure they can demonstrate compliance.

There are several reasons why enforcement is increasing.

Healthcare data is more valuable to cyber attackers than ever. Healthcare data continues to be a prime target for ransomware attacks, which compromise patient care. With the expansion of remote workers and cloud-based applications, the threat surface has grown exponentially. At the same time, many organizations continue to rely on outdated policies and procedures to protect patient data, policies that no longer accurately represent how data flows today.

HHS has also greatly enhanced its ability to conduct audits. With the advent of Phase 2 audits, HHS can audit organizations’ documentation remotely and at scale. This gives HHS the opportunity to audit multiple organizations simultaneously rather than conducting a traditional sample-based audit.

Simply stated, enforcement is increasing because the risks are increasing and the tools available to HHS are increasing.

What Phase 2 Audits Really Look For

Phase 2 audits are not about finding fault. Phase 2 audits are about finding evidence that compliance is not only present but also current and operational.

Auditors are not satisfied by written policies and procedures alone. Rather, auditors seek evidence that compliance is practiced daily. Evidence such as employee training records, risk assessments, incident response procedures, and other compliance elements must be shown to align with daily operations.

Two major focus areas of Phase 2 audits are risk analysis and access controls.

Risk analysis is one of the primary areas of focus. Many organizations complete a risk assessment once and never update it. Auditors expect risk assessments to be an ongoing process that takes into account the systems, vendors, and workflows currently used by the organization.

Access control is another primary area of focus. Access controls refer to how employees are provided access to electronic protected health information (ePHI), how access is revoked when it is no longer needed, and how access to ePHI is monitored. One of the most common issues identified in audits is the use of shared logins and outdated user lists.

Vendor management is another key area of focus. Business associate agreements between covered entities and business associates must be current and accurate. Covered entities must be able to document that they evaluate the potential risks associated with the business associates they hire to handle ePHI.

Finally, breach response procedures are another area of focus. Auditors want to know how breaches are identified, who is responsible for responding to breaches, and how notifications are made. Any delays or uncertainty in responding to breaches will result in enforcement action by OCR.

Frequent Gaps Identified in Audits

While each organization’s situation is unique, certain issues frequently arise during audits.

Written policies and procedures exist but are not updated. Employee training is conducted but not documented. Risk assessments are completed but are either incomplete or generic. Technical safeguards are implemented but are not assessed or updated.

Another very common issue identified in audits is a lack of ownership. Compliance responsibilities are typically distributed across various departments of the organization without a designated point of accountability. When auditors ask who is responsible for HIPAA compliance in an organization, vague responses create significant concerns.

Another area of weakness is documentation. Many organizations do the right thing with regard to compliance but cannot prove it. During an audit, compliance activities that are not documented are considered to be non-compliant.

How to Prepare for Audits in 2026

Preparing for audits in 2026 does not have to be overwhelming. Preparation is simply a matter of creating structure.

Begin by completing a current risk assessment that reflects the organization’s real systems, vendors, and workflows. A risk assessment should identify vulnerabilities and assign responsibility for addressing them.

Review and update your policies and procedures. Ensure that policies and procedures are consistent with the organization’s operating practices. If employees cannot identify the policies and procedures that govern how patient data is protected in their workplace, those policies and procedures need to be revised.

Employee training should be role-based and documented. While general awareness training is beneficial, auditors want to see that individuals with access to ePHI have been trained specifically regarding their responsibilities.

Business Associate Agreements should be formalized. Create a list of your business associates, review agreements regularly, and document the results of any security evaluations you have completed.

Finally, test your incident response plan. Engage in tabletop exercises to test your leadership and response teams. Clearly define roles and responsibilities to minimize risk and regulatory exposure.

Cost of Waiting

Unfortunately, many organizations wait until they receive an audit notice from OCR. Once an audit notice is received, timelines are extremely tight, and correcting documentation gaps becomes extremely challenging.

By preparing early, organizations can address issues on their own terms. Additionally, if an audit notice is ultimately received, demonstrating a history of good faith efforts to comply with HIPAA regulations will likely be viewed favorably by OCR.

HIPAA Enforcement in 2026

In 2026, HIPAA enforcement will reward organizations that make compliance an ongoing process and penalize those that view it as an annual event.

Organizations that establish effective governance structures, maintain accurate documentation, and continuously assess risk will not only reduce the likelihood of receiving an enforcement notice from OCR, but will also develop stronger and safer systems for their patients and employees.

Conclusion

HIPAA compliance audits are no longer rare; they are a normal part of operating in the modern healthcare environment. Phase 2 audits depart from the theoretical approach of past audits. Instead, audits will focus on reality versus theory and evidence of compliance versus the intent of compliance.

Organizations that establish a culture of compliance that is active, demonstrable, and ongoing will not only minimize the risk of receiving an enforcement notice from OCR, but will also create environments where patients and employees are safe and supported.

Do you want to learn more from Steven Okoye? Follow him on Facebook and visit his website!