Compliance with HIPAA for small firms is generally straightforward and there isn't a standard audit. It's not the same animal as SOC2, which is a CPA standard and is administered by certified auditors.