The dept of HHS requires any organization with HIPAA business associate status to regularly undergo audits.
Can you fly under the radar and potentially get away with not doing it? Of course, anything is possible. Could a multibillion-dollar internet organization beholden to shareholders and under public scrutiny get away with it? Not likely.
> The dept of HHS requires any organization with HIPAA business associate status to regularly undergo audits.
Can you provide a link to this requirement? The HIPAA/HITECH laws provide no requirements for an external audit (and self-audits aren't actually audits) and the HHS, as far as I know, only does small sample random audits unless a complaint was made.