Audit Selection Process

Once entity contact information is obtained, a questionnaire designed to gather data about the size, type, and operations of potential auditees will be sent to covered entities and business associates. This data will be used with other information to develop pools of potential auditees for the purpose of making audit subject selections.

OCR will be asking covered entity auditees to identify their business associates. We encourage covered entities to prepare a list of each business associate with contact information so that they are able to respond to this request.

OCR will choose auditees through random sampling of the audit pool. Selected auditees will then be notified of their participation.

If a covered entity or business associate fails to respond to information requests, OCR will use publicly available information about the entity to create its audit pool. An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

Source:
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html?language=en#selection