How to Conduct a Compliance Audit in 2026: A Step-by-Step Tutorial

Author: Nicole Statley at Healthcare Compliance Pros

What is a compliance audit and why it matters in healthcare

A compliance audit is a structured review of how well your organization's day-to-day operations match the laws, regulations, and internal policies that apply to you. It is essentially a "checkup" of your HIPAA compliance, billing, and daily operations that catches issues before regulators or patients do.

In U.S. healthcare, this typically includes HIPAA Privacy, Security, and Breach Notification Rules, federal fraud and abuse laws, Medicare and Medicaid billing rules, and your state's licensing and practice standards. The HHS Office of Inspector General (OIG) emphasizes that regular internal monitoring and auditing are core elements of an effective compliance program for healthcare organizations of all sizes.

Drivers for audits include recent billing denials or overpayments, EHR or system changes, onboarding new providers, a privacy or security incident, moving to telehealth or remote work, or wanting to show your board or owners that the business is "audit-ready." A good audit leads to clearer processes, fewer surprises, and better documentation if a health plan, OCR, or a state agency ever knocks on your door.

Thinking about your setting (solo practice, clinic, medical billing office), what's the main reason you are interested in doing a compliance audit now: HIPAA, billing, or general "peace of mind"?

Preparation: setting audit objectives and scope

Before pulling charts or logs, decide exactly what you want this audit to accomplish. Objectives might be:

  • Confirm that HIPAA Privacy and Security requirements are implemented in daily workflows.
  • Validate documentation, coding, and billing for key visit types or procedures.
  • Confirm that policies match how staff actually work at the front desk, in the exam room, and in telehealth.

Next, define the scope in practical terms:

  • Regulatory scope: HIPAA (Privacy, Security, Breach Notification), applicable Medicare/Medicaid rules if you participate, and your state's practice and privacy rules.
  • Operational scope: front-desk registration, clinical documentation, telehealth workflows, remote work, prescription processes, and handling of test results and portals.
  • Time frame: for example, the last 3-6 months of encounters for selected services or providers.

For smaller organizations, the "audit team" might be the compliance lead, office manager, and one clinical champion (e.g., a physician or nurse). You can still bring in outside help for specific pieces (e.g., coding reviews or HIPAA security risk analysis) if needed, but you don't need a large formal team to start.

If you had to pick only one area for this year's audit such as HIPAA workflows, billing accuracy, or vendor/BA oversight, which one would you choose and why?

Step 1: planning the compliance audit

Create a simple audit plan and timeline

Your audit plan doesn't have to be complicated, but it should be written. Include:

  • What you're auditing (e.g., HIPAA Privacy workflows and documentation for new patient visits).
  • Who is involved (e.g., compliance lead, office manager, one provider).
  • What methods you'll use (chart reviews, policy review, staff interviews, spot checks of front-desk processes).
  • When you'll start and when you want to be done (e.g., 4-6 weeks).

Set realistic dates. You may need to plan around clinic days and limited admin time. It is better to commit to a focused, achievable audit than an ambitious project that never finishes.

Risk assessment: prioritizing high-risk areas for providers

A risk assessment can be as straightforward as asking:

  • Where could we most easily get into trouble with HIPAA (e.g., unencrypted laptops, shared logins, unlocked screens, conversations at the front desk)?
  • Where do we see billing denials, payer questions, or frequent coding changes (e.g., E/M visits, telehealth, high-dollar procedures)?
  • Where have staff raised concerns or where workflows feel "messy" or inconsistent?

High-risk areas for organizations often include:

  • HIPAA Security (access controls, passwords, device security, remote access, texting PHI).
  • HIPAA Privacy (minimum necessary at front desk, use of portals, release of records, family access).
  • Documentation and coding for common visits (E/M, chronic care, procedures).
  • Third parties that handle PHI (billing companies, IT vendors, cloud tools, telehealth platforms).

Building a practical audit checklist

Turn your risk areas into a checklist your team can actually use.

For each line item, capture:

  • Requirement (e.g., HIPAA Security: unique user IDs; HIPAA Privacy: minimum necessary at front desk; internal policy reference).
  • What you will look at (e.g., screenshots of user accounts, chart notes, sign-in sheets, BA agreements, training logs).
  • How you will test it (e.g., interview, observation at the front desk, chart review, system review).

For example, a HIPAA front-desk checklist item could look like:

  • "Check if staff confirm caller identity before disclosing PHI by phone and avoid calling out full names and conditions in the waiting room."

Which three front-line workflows in your practice (e.g., check-in, rooming, telehealth setup, refills) would you most want on your first audit checklist?

Step 2: conducting fieldwork and collecting evidence

Sampling and data collection

You don't need a statistician. Choose a reasonable number of charts per provider or visit type (for example, 10-20 records per provider for a focused review), select them objectively (e.g., a random draw from the list of all encounters in your date range, not charts a provider picks), and record how the sample was drawn so the review can be repeated or defended later.
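The following is an added example, not code from the original article or from Healthcare Compliance Pros, of one way to draw that objective sample. It takes a list of encounters (the encounter list, provider names and dates below are constructed for illustration), keeps only those inside the audit window and optionally a chosen visit type, and picks up to a fixed number per provider using a random generator seeded from the audit identifier. Because the seed is derived from the audit ID, re-running the selection on the same encounter list reproduces the same sample, which is what lets you document "how the sample was drawn" in the work papers. The audit ID, window, and per-provider count are assumptions you would replace with your own.

```python
import hashlib
import random
from datetime import date

# Constructed encounter list (not real patient data): (encounter_id, provider, visit_date, visit_type)
ENCOUNTERS = [
    ("E1001", "Dr. Adams", date(2025, 10, 3), "E/M"),
    ("E1002", "Dr. Adams", date(2025, 10, 17), "E/M"),
    ("E1003", "Dr. Adams", date(2025, 11, 4), "Telehealth"),
    ("E1004", "Dr. Adams", date(2025, 11, 20), "E/M"),
    ("E1005", "Dr. Adams", date(2025, 12, 9), "Procedure"),
    ("E1006", "Dr. Adams", date(2025, 6, 2), "E/M"),        # outside the audit window
    ("E1007", "Dr. Baker", date(2025, 10, 8), "E/M"),
    ("E1008", "Dr. Baker", date(2025, 12, 15), "Telehealth"),
    ("E1009", "Dr. Baker", date(2025, 5, 1), "E/M"),        # outside the audit window
    ("E1010", "NP Cruz", date(2025, 3, 12), "E/M"),         # outside the audit window
]

# Assumed audit parameters: a fictitious audit ID and a Q4 2025 review window.
AUDIT_ID = "AUDIT-2026-Q1"
WINDOW_START = date(2025, 10, 1)
WINDOW_END = date(2025, 12, 31)
PER_PROVIDER = 3


def select_audit_sample(encounters, start, end, per_provider, audit_id, visit_types=None):
    """Return {provider: [encounter_id, ...]} drawn objectively and reproducibly.

    Only encounters with start <= visit_date <= end (and, if visit_types is given,
    a matching visit type) are eligible. Up to per_provider encounters are drawn per
    provider. The random generator is seeded from a SHA-256 hash of audit_id, so the
    same audit_id over the same encounter list always yields the same sample.
    """
    eligible = {}
    for enc_id, provider, visit_date, visit_type in encounters:
        if not (start <= visit_date <= end):
            continue
        if visit_types is not None and visit_type not in visit_types:
            continue
        eligible.setdefault(provider, []).append(enc_id)

    # Deterministic seed: first 8 bytes of SHA-256(audit_id) as an integer.
    seed = int.from_bytes(hashlib.sha256(audit_id.encode("utf-8")).digest()[:8], "big")
    rng = random.Random(seed)

    sample = {}
    for provider in sorted(eligible):           # sorted so iteration order is stable
        ids = sorted(eligible[provider])
        k = min(per_provider, len(ids))
        sample[provider] = sorted(rng.sample(ids, k))
    return sample


def example_sample(visit_types=None):
    """Convenience wrapper using the assumed audit parameters above."""
    return select_audit_sample(ENCOUNTERS, WINDOW_START, WINDOW_END, PER_PROVIDER, AUDIT_ID, visit_types)


if __name__ == "__main__":
    for provider, ids in example_sample().items():
        print(f"{provider}: {', '.join(ids)}")
```

Record the audit ID, the window, the per-provider count, and the encounter export you ran this against alongside the sample; together they are the evidence that charts were not hand-picked. Providers with no eligible encounters simply do not appear in the result.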

Evidence you might collect includes:

  • Policies and procedures (HIPAA, billing, telehealth, remote work).
  • Training records for staff and providers.
  • Sampled charts, encounter notes, coding/billing records, and remittance advice.
  • Screenshots or reports showing user access, failed logins, or audit logs.
  • Business associate agreements and contracts with your billing and IT vendors.

Interviewing staff and observing workflows

In a small setting, interviews can be informal but structured. Ask staff to walk you through how they:

  • Verify identity at check-in and over the phone.
  • Handle requests for records or information from family members or other providers.
  • Use the EHR (templates, copy-paste, problem lists, telehealth documentation).
  • Work remotely (if applicable): what devices they use, where they take calls, how they access the EHR.

Then observe a few real workflows (with appropriate privacy) and compare what you see to what's written in policies and what staff said. This often reveals the most meaningful gaps.

Protecting patient confidentiality during the audit

Even in an audit, your team must follow HIPAA. Use PHI only as needed for the review, limit who can see raw data, and avoid exporting more PHI than necessary; keep any work papers that contain PHI on encrypted, access-controlled storage and dispose of working copies once the audit is closed. When you involve outside help (e.g., consultants or billing vendors), make sure you have a current business associate agreement and clear instructions about how they must handle PHI.

Do you already have a standard way to select charts for review (e.g., by date, provider, or visit type), or is that something you would need to build from scratch?

Step 3: analyzing findings and identifying non-compliance

Rating your findings in a practice-friendly way

After reviewing your samples and interviews, sort issues into a few simple categories providers can understand:

  • Critical: high risk of patient harm, regulatory penalties, or overpayments (e.g., unencrypted laptops with PHI, repeated upcoding, regular disclosures without proper authorization).
  • Moderate: real issues that could turn into bigger problems if not fixed (e.g., inconsistent identity checks, missing elements in templates, incomplete BA documentation).
  • Low: opportunities to clean up documentation, improve training materials, or standardize workflows.

For each finding, capture:

  • What rule or policy it relates to.
  • What you saw.
  • Why it matters (e.g., risk of complaint, breach, overpayment, or patient confusion).
  • What you recommend changing.

Common gaps

Recurring gaps often include:

  • HIPAA Security: shared logins, weak passwords, no regular review of who has EHR access or of audit logs, missing or outdated security risk analysis.
  • HIPAA Privacy: staff not fully understanding minimum necessary; casual conversations at the front desk; unclear processes for authorizations and record requests.
  • Documentation and coding: templates that don't quite match how providers document; over-reliance on copy-paste; inconsistent support for billed codes.
  • Vendor oversight: old or missing BA agreements with billing, IT, or telehealth vendors; no documentation of how PHI is protected by those partners.
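As an added example (not the article's or Healthcare Compliance Pros' code), here is how a user-access export from the EHR can be turned into the HIPAA Security findings listed above, rated in the Critical/Moderate categories from this section. The user list, HR roster, and review date are constructed for illustration, and the generic-account name list, the 90-day dormancy threshold, and the severity ratings are assumptions a practice would adjust. It flags shared or generic logins (unique user identification, 45 CFR 164.312(a)(2)(i)), accounts still enabled after the person's termination date (termination procedures, 164.308(a)(3)(ii)(C)), enabled accounts with no HR record, and dormant accounts that have not logged in recently (information system activity review, 164.308(a)(1)(ii)(D)).

```python
from datetime import date, timedelta

# Assumed review parameters.
REVIEW_DATE = date(2026, 1, 15)
DORMANT_DAYS = 90
# Account names that indicate a shared/generic login rather than one named person (assumption).
GENERIC_NAMES = {"frontdesk", "nurse", "admin", "shared", "scribe", "temp"}

# Constructed EHR user export (not from a real system).
EHR_USERS = [
    {"username": "jsmith",    "name": "Jane Smith", "enabled": True,  "last_login": date(2026, 1, 14)},
    {"username": "frontdesk", "name": "Front Desk", "enabled": True,  "last_login": date(2026, 1, 15)},
    {"username": "rlopez",    "name": "Ray Lopez",  "enabled": True,  "last_login": date(2025, 12, 30)},
    {"username": "kchen",     "name": "Kim Chen",   "enabled": True,  "last_login": date(2025, 8, 2)},
    {"username": "itvendor1", "name": "IT Vendor",  "enabled": True,  "last_login": None},
    {"username": "mdavis",    "name": "Mia Davis",  "enabled": False, "last_login": date(2025, 9, 1)},
]
# Constructed HR roster: username -> termination date (None = still employed).
HR_ROSTER = {
    "jsmith": None,
    "rlopez": date(2025, 11, 30),
    "kchen": None,
    "mdavis": date(2025, 9, 5),
}


def review_access(users, roster, review_date=REVIEW_DATE, dormant_days=DORMANT_DAYS):
    """Return a list of findings, each with username, issue code, rating, and the requirement it maps to."""
    findings = []
    cutoff = review_date - timedelta(days=dormant_days)

    def add(username, issue, rating, requirement, detail):
        findings.append({"username": username, "issue": issue, "rating": rating,
                         "requirement": requirement, "detail": detail})

    for u in users:
        if not u["enabled"]:
            continue  # disabled accounts cannot be used; out of scope for this review
        uname = u["username"]
        base = uname.lower().rstrip("0123456789")  # "nurse2" -> "nurse"

        if base in GENERIC_NAMES:
            # A generic login cannot be attributed to one person, so activity cannot be audited.
            add(uname, "shared_login", "Critical", "Unique user identification 164.312(a)(2)(i)",
                "generic account name; replace with individual user IDs")
        elif uname not in roster:
            add(uname, "not_on_roster", "Moderate", "Information access management 164.308(a)(4)",
                "enabled account with no HR record; confirm owner, purpose, and BA agreement if a vendor")
        elif roster[uname] is not None:
            term = roster[uname]
            detail = f"still enabled after termination on {term}"
            if u["last_login"] and u["last_login"] > term:
                detail += f"; last login {u['last_login']} is after termination"
            add(uname, "terminated_enabled", "Critical", "Termination procedures 164.308(a)(3)(ii)(C)", detail)

        # Dormancy applies to every enabled account; never-logged-in counts as dormant.
        if u["last_login"] is None or u["last_login"] < cutoff:
            add(uname, "dormant", "Moderate", "Information system activity review 164.308(a)(1)(ii)(D)",
                f"no login since {u['last_login']} (cutoff {cutoff}); disable or justify")
    return findings


def summarize(findings):
    """Count findings by rating, e.g. {'Critical': 2, 'Moderate': 3}."""
    counts = {}
    for f in findings:
        counts[f["rating"]] = counts.get(f["rating"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(EHR_USERS, HR_ROSTER)
    for f in results:
        print(f"[{f['rating']}] {f['username']}: {f['issue']} ({f['requirement']}) - {f['detail']}")
    print(summarize(results))
```

Each finding already carries the three things the report table needs (risk level, description, and the rule it relates to); keep the export, the roster snapshot, and the review date with the output as evidence that the review was performed.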

Using Healthcare Compliance Pros tools for gap analysis

Software and templates can save significant time. A platform like Healthcare Compliance Pros can help you:

  • Map findings to specific HIPAA and billing requirements, so you can show providers exactly which rule is affected.
  • Use pre-built checklists tailored to your organization, rather than starting from scratch.
  • Track risk ratings and corrective actions in one place instead of scattered spreadsheets and email threads.

Thinking about your last "informal" review of charts or workflows, which category above (security, privacy, documentation, vendors) do you suspect would generate the most findings if you audited it formally?

Step 4: reporting and communicating results

Writing a clear, provider-focused audit report

Your primary audience is often your board, physicians, advanced practice providers, and the office manager. Keep your report direct and action-oriented. Include:

  • A 1-2 page overview of what you looked at (e.g., 40 charts, front-desk workflows, user access), why, and your overall risk assessment.
  • A list of key strengths (so the report doesn't feel purely negative).
  • A table of findings with risk level, brief description, and recommended fix.
  • A simple action plan with owners and timelines.

Use plain language and focus on impact: how the issue could affect patients, revenue, or regulatory exposure. Avoid legal jargon or complex citation formats; you can keep detailed references in an appendix.

Tailoring the message for different people in the organization

For providers, emphasize how findings affect clinical workflow, patient trust, and documentation that supports their billing. For staff, focus on what needs to change in their daily tasks (check-in, phone calls, scanning documents, portal use). For owners or a small board, highlight overall risk and what you are doing to fix it.

A short slide deck or one-page summary can help you walk through findings at a staff or provider meeting. This makes the audit feel collaborative instead of punitive.

If you had to explain one high-risk finding to your lead provider in 2-3 sentences, what would you want them to hear first: the rule you violated, the risk to patients, or the risk to revenue and regulators?

Step 5: follow-up and continuous improvement

Turning findings into a realistic action plan

Once the report is done, turn it into a living action list. For each item, define:

  • The specific fix (e.g., "encrypt all laptops," "update HIPAA notices," "revise E/M documentation templates," "execute BA agreement with billing vendor").
  • Who owns it (by role, not just name, e.g., "office manager," "IT vendor," "medical director").
  • When it should be done (prioritizing critical items).

In small settings, it helps to review this list at monthly staff or leadership meetings until major items are closed.

Feeding audit results into training and monitoring

Use your findings to refine training:

  • If front-desk privacy is an issue, run a short, targeted session on phone calls and conversations in shared spaces.
  • If documentation is weak, provide quick examples of what a "complete" visit note looks like for your most common visit types.
  • If security practices are inconsistent, refresh staff and providers on passwords, screensavers, and device handling.

For monitoring, pick a few simple metrics to track, such as a small monthly sample of charts per provider or periodic spot checks of user access. This helps you move from "once-a-year audit" to ongoing oversight without overwhelming your team.

Planning your next cycle

A practical model is to rotate focus areas throughout the year:

  • Quarter 1: HIPAA Privacy and front-desk workflows.
  • Quarter 2: Documentation and coding for top services.
  • Quarter 3: HIPAA Security and remote/telehealth workflows.
  • Quarter 4: Vendor/BA oversight and policy updates.

You can then do a lighter "check" in the same areas the following year and deepen the review where you saw more issues.

Given your current bandwidth, do you think a quarterly focus like this feels doable, or would an annual focused audit plus lighter spot checks fit better with your organization's reality?

Healthcare Compliance Pros advantage: support for specific business needs

Most practices and organizations do not have the time or staff to design and run a full audit program from scratch. A partner like Healthcare Compliance Pros can help you implement an audit process that fits the size and complexity of your organization without "big system" overhead.

For provider offices and clinics, key advantages can include:

  • Pre-built checklists tailored to ambulatory settings, primary care, specialty clinics, and behavioral health, mapped to HIPAA and common billing rules.
  • Simple tools for tracking findings and corrective actions so nothing gets lost in email or paper notes.
  • Training modules and communication tools that let you quickly close the loop with staff after an audit.
  • Access to compliance experts who understand the realities of every size of business, not just large systems and plans.

From your perspective as a provider, clinic lead, or office manager, where would outside support make the biggest difference? Creating checklists, reviewing charts, managing HIPAA security, or coaching staff on new workflows?

FAQs

1. How often should small practices and clinics perform compliance audits?

Most small practices benefit from at least one focused internal audit per year, plus smaller spot checks in high-risk areas. You may choose to audit more often when you add new providers, change EHRs, expand telehealth, or experience a breach, complaint, or payer investigation. The exact schedule should reflect your risk profile and state requirements.

2. Are compliance audits only for large health systems?

No. The HIPAA Security Rule requires covered entities and business associates of every size to perform a risk analysis and regularly review system activity such as audit logs and access reports, and OIG's compliance program guidance expects any provider that bills federal health care programs to monitor and audit its own compliance. Small practices can scale the depth and formality of their audits, but "we're too small to audit" is not a defensible position if something goes wrong.

3. Do we need a lawyer to conduct our audit?

You do not need a lawyer to run basic compliance audits focused on operations, documentation, and training. However, involving legal counsel can be helpful when you suspect significant overpayments, potential self-disclosures, or complex state law issues. Many practices use a mix: internal or consultant-led audits for routine checks, with legal engaged when higher risks are identified.

4. How does a compliance audit differ from our regular coding review?

Coding reviews are often part of a broader compliance audit but focus mainly on whether documentation supports the codes billed. A full compliance audit may also look at HIPAA privacy and security, front-desk workflows, telehealth, vendor contracts, and training, not just billing. Both are important; the audit simply takes a wider view of risk.

5. What's the easiest way for an organization to start?

Start small and focused. Pick one high-risk area: HIPAA front-desk workflows, telehealth documentation, or documentation and coding for your most common visit type. Then create a simple checklist, review a modest sample, and document what you find and fix. Once you've done one cycle, you can expand your scope and formalize your process over time.

For your own setting, if you had to choose one specific workflow (e.g., front-desk check-in, telehealth visits, or release of records) to use as your "pilot audit," which would you choose and what makes that area feel most urgent right now?