>The dept of HHS requires any organization with HIPAA business associate status to regularly undergo audits.
Can you provide a link to this requirement? The HIPAA/HITECH laws provide no requirements for an external audit (and self-audits aren't actually audits) and the HHS, as far as I know, only does small sample random audits unless a complaint was made.
