by marcinzm 2410 days ago
No, you don’t. There are fines if you are found in violation, but no one is checking on an ongoing basis. Specific entities may privately pay for audits or do so as part of certifications (HITRUST, etc.), but that’s not required.

The dept of HHS requires any organization with HIPAA business associate status to regularly undergo audits.

Can you fly under the radar and potentially get away with not doing it? Of course, anything is possible. Could a multibillion dollar internet organization beholden to shareholders and under public scrutiny get away with it? Not likely.

>The dept of HHS requires any organization with HIPAA business associate status to regularly undergo audits.

Can you provide a link to this requirement? The HIPAA/HITECH laws provide no requirements for an external audit (and self-audits aren't actually audits) and the HHS, as far as I know, only does small sample random audits unless a complaint was made.