A HIPAA audit is based off a set of regulations, standards and implementation specifications. The audit is an analysis that helps to pinpoint the organization’s current state and what steps need to be taken to get the organization compliant.

An evaluation is part of the audit – a company must perform an evaluation and undergo periodic evaluations once a year at minimum. As technology changes, different components are added to an organization’s infrastructure and they should be re-evaluated.

While covered entities need to undergo HIPAA audits, third-party business associates also need to comply. This includes any company that might provide services for a covered entity, for example, an application hosted in a cloud and provided to a covered entity.