There are a number of ways to become the subject of an OCR HIPAA audit. The most unlikely way is to be selected for a random audit and if that happens, go buy a lottery ticket!
Complaints filed by dissatisfied customers and/or disgruntled employees resulted in about 15,000 investigations last year. Suffer a breach and OCR will be knocking on your door. As the number and severity of breaches continue to increase, third-party companies are becoming much more efficient at identifying companies that have suffered a cyber-breach. An estimated 70% of breaches are identified by such Internet sleuths. It’s got to be pretty humbling when someone announces to the world, “You’ve been breached!”
Well, now a company is giving businesses a “security rating” similar to a credit rating. BitSight tracks the flow of data across the Internet and assesses companies via their “externally observable data”. By tracking externally observable security characteristics of companies, where cyber attacks are targeted, and evidence of successful attacks (You’ve been breached!), BitSight uses its proprietary algorithms to assign a company a Security Score.
There are huge ramifications to such data being available. Companies can be made or broken on the score. How do you keep a low security score off social media? Ethical questions abound. But that is a blog topic for another day.
We all need to pay attention to this type of service, as it is a double-edged sword. With one company able to generate “security scores,” more will follow, offering similar services with little or no oversight or regulation.
The best action you can take in the short term is to rigorously manage and continually improve your company’s cybersecurity.