Any breach, regardless of size, will automatically trigger an investigation by the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS), which may result in an audit.
In addition, the OCR launched Phase 2 of the HIPAA Audit Program. Covered Entities (CE) are selected through a randomized process. Responses must contain the specified documentation: adopted HIPAA policies, procedures, and evidence of implementation, including risk analysis and risk management. The CE must respond within 10 business days after the initial contact by OCR.
If a CE does not have the requested documentation, an explanation for the deficiency must be included in the response. A CE may be selected for a comprehensive onsite audit.