# Regulator Audit Priorities for FHIR
### HHS Office for Civil Rights (HIPAA)
OCR audits FHIR implementations first by checking for executed BAAs; a missing or deficient agreement is an immediate red flag. They then examine encryption protocols (TLS 1.2+ in transit, AES-256 at rest) and access logging and monitoring. Recent OCR settlements (e.g., 2023 cases involving cloud-based EHR systems) show that regulators prioritize whether audit logs capture who accessed which FHIR resources and when. They also verify minimum necessary controls: whether your system limits data access to the staff and systems that genuinely need it.
### EU Data Protection Authorities (EDPB, National DPAs)
EU regulators focus on lawful basis documentation (explicit consent records, Art. 9 compliance) and Data Processing Agreement completeness under Articles 28–30. They increasingly examine FHIR API consent mechanisms: whether patients can withdraw consent and have the withdrawal reflected in real-time data flows. Recent EDPB guidelines on health data processing highlight enforcement of the right to erasure (GDPR Article 17), which complicates FHIR integrations that rely on immutable audit trails.
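Two of the checks above are mechanical enough to automate before an auditor asks: whether each audit record names who accessed which resource and when (the OCR point), and whether a withdrawn consent is actually refused by the access path (the EDPB point). The following is an added example, not code from the original page or from any FHIR server; it assumes FHIR R4 JSON shapes for `AuditEvent` (`recorded`, `agent[].who`, `entity[].what`, `outcome`) and `Consent` (`status`, `provision.type`), and the sample resources are constructed for illustration.

```python
"""Pre-audit checks over FHIR R4 AuditEvent and Consent resources (added example)."""
from datetime import datetime

# Constructed sample resources; identifiers are placeholders, not real patients.
COMPLETE_EVENT = {
    "resourceType": "AuditEvent",
    "type": {"system": "http://terminology.hl7.org/CodeSystem/audit-event-type", "code": "rest"},
    "action": "R",
    "recorded": "2024-05-01T12:00:00Z",
    "outcome": "0",
    "agent": [{"who": {"reference": "Practitioner/nurse-17"}, "requestor": True}],
    "entity": [{"what": {"reference": "Patient/123"}}],
}

# Schema-valid (agent.who and entity.what are optional in R4) but useless to an auditor:
# it says something was read, but not by whom or which record.
INCOMPLETE_EVENT = {
    "resourceType": "AuditEvent",
    "type": {"system": "http://terminology.hl7.org/CodeSystem/audit-event-type", "code": "rest"},
    "action": "R",
    "recorded": "2024-05-01T12:00:00Z",
    "agent": [{"requestor": True}],
}

ACTIVE_CONSENT = {
    "resourceType": "Consent",
    "status": "active",
    "patient": {"reference": "Patient/123"},
    "provision": {"type": "permit"},
}

# A withdrawal is represented here by flipping status to inactive; the old provision stays.
WITHDRAWN_CONSENT = {**ACTIVE_CONSENT, "status": "inactive"}


def audit_event_gaps(event: dict) -> list[str]:
    """Return the who/what/when/outcome gaps in one AuditEvent (empty list = complete)."""
    if event.get("resourceType") != "AuditEvent":
        return ["not an AuditEvent"]
    gaps: list[str] = []

    # WHEN: recorded must be present and parse as an instant.
    recorded = event.get("recorded")
    if not recorded:
        gaps.append("recorded (when) missing")
    else:
        try:
            datetime.fromisoformat(recorded.replace("Z", "+00:00"))
        except ValueError:
            gaps.append("recorded (when) is not a valid instant")

    # WHO: at least one agent must carry a resolvable reference.
    agents = event.get("agent") or []
    if not any((a.get("who") or {}).get("reference") for a in agents):
        gaps.append("agent.who (who) missing")

    # WHICH RESOURCE: at least one entity must point at the data touched.
    entities = event.get("entity") or []
    if not any((e.get("what") or {}).get("reference") for e in entities):
        gaps.append("entity.what (which resource) missing")

    # OUTCOME: auditors want to distinguish successful reads from denied attempts.
    if event.get("outcome") is None:
        gaps.append("outcome missing")
    return gaps


def review_audit_log(events: list[dict]) -> dict[int, list[str]]:
    """Map the index of every incomplete event to its gaps; complete events are omitted."""
    return {i: g for i, e in enumerate(events) if (g := audit_event_gaps(e))}


def consent_permits(consent: dict) -> bool:
    """True only if the Consent is active and its root provision permits access.

    Anything else (inactive after withdrawal, draft, rejected, deny provision) must
    block the data flow so the withdrawal is reflected immediately, not at the next
    batch sync.
    """
    if consent.get("resourceType") != "Consent":
        return False
    if consent.get("status") != "active":
        return False
    return (consent.get("provision") or {}).get("type") == "permit"


if __name__ == "__main__":
    print(review_audit_log([COMPLETE_EVENT, INCOMPLETE_EVENT]))
    print(consent_permits(ACTIVE_CONSENT), consent_permits(WITHDRAWN_CONSENT))
```

Run `review_audit_log` over an export of your server's AuditEvents and treat any non-empty result as a finding to fix before an OCR review; wire `consent_permits` (or your server's equivalent) into the read path so that a status change to `inactive` takes effect on the next request.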
### State Attorneys General (CCPA, State Health Privacy Laws)
State enforcers examine opt-in consent logs for sensitive health data and whether deletion requests are honored in FHIR systems. They also review breach notification timelines under state health privacy statutes (typically 60 days). A FHIR data breach that is not disclosed within the state-mandated window counts as a separate violation on top of the breach itself.
Priority sequence: regulators audit BAAs and legal basis first, then technical controls (encryption, logging), then consent and deletion workflows. Missing documentation is the easiest violation to prove and often triggers a deeper investigation.