HIPAA audits can be conducted at random, but random audits are conducted mostly on large organizations. As of March 2019, HHS has randomly selected 9 health plans and clearinghouses for Compliance Reviews. In the past, HHS has randomly sent out questionnaires to health care organizations and, based on the answers, decided which organizations to audit.
The U.S. Health and Human Services (HHS) Office for Civil Rights (OCR) first began conducting HIPAA audits in 2014. OCR conducts these periodic audits of covered entities and business associates to ensure that they follow HIPAA privacy, security, and breach notification rules. The audit goal is to ensure that paper and electronic PHI remain secure, private and protected. During the audit the OCR assesses the security policies, controls, and processes of your organization.
From 2016 to 2017, the OCR conducted audits of 166 covered entities and 41 business associates. Audits typically start with a request for documents and data. They may ask for data records, policies, procedures, training records, or other details. Once all of this information is in the hands of the OCR, they will need time to process it and reach a conclusion. The audit could be resolved very quickly if all the information supports the fact that your organization is HIPAA compliant. After the OCR performs an audit, they will provide a report, and the healthcare organization has the opportunity to respond to the OCR's findings.
HIPAA also requires that covered entities and business associates perform their own internal audits at least annually. Many large organizations will perform internal audits twice a year or even quarterly, depending on whether there have been changes in technology, policies, procedures, etc.