How to Prepare for a HIPAA Audit: 2026 Step-by-Step Guide
Last updated: 2026-04-05 — ComplianceStack Editorial Team
Most HIPAA audits are triggered by complaints or breaches, not random selection. But OCR's audit program has expanded, and even organizations that have never had a breach can receive a desk audit request with a 10-day response window. Preparation starts before the audit notice arrives.
Types of HIPAA Audits
OCR Desk Audits: OCR's audit program sends documentation requests to selected covered entities and business associates. Organizations must respond with specified documents within 10 business days. Desk audits focus on documentation — risk analysis, policies, training records, BAA inventories.
Complaint Investigations: When a patient or employee files a complaint with OCR, it triggers an investigation of the specific covered entity. OCR has 180 days to investigate. Investigations can result in technical assistance, corrective action plans, or civil monetary penalties.
Breach Investigation: When a breach affecting 500+ individuals is reported, OCR typically opens an investigation. This is the most common trigger for enforcement actions and resolution agreements.
State Attorney General Investigations: State AGs can investigate HIPAA violations affecting state residents and bring civil actions.
Documents You Must Have Ready
OCR's desk audit program requests these documents as a baseline. Have them ready before any audit notice:
Privacy Rule:
- Notice of Privacy Practices (current version, with distribution evidence)
- Privacy policies and procedures
- Patient rights request handling procedures and logs
- Minimum necessary policies
- Workforce sanctions policy
Security Rule:
- Security Risk Analysis (most recent, with date)
- Risk management plan addressing identified risks
- Access management policies
- Audit control policies
- Workforce training records (dates, topics, attendees)
- Business Associate Agreement inventory and sample agreements
Breach Notification Rule:
- Breach notification policies and procedures
- Breach log (even if empty)
- Breach notifications sent (if applicable)
How to Conduct a Pre-Audit Self-Assessment
30–60 days before any anticipated audit (or annually as a matter of practice):
1. Pull your Risk Analysis. Is it current? OCR expects a new risk analysis whenever significant operational, environmental, or technical changes occur — or at least annually. A risk analysis from 2019 will not satisfy an auditor in 2026.
2. Review your BAA inventory. List every vendor or contractor that handles PHI. Do you have a signed BAA with each one? Are the BAAs updated to reflect the 2013 Omnibus Rule requirements?
3. Audit your training records. Can you show completion dates and content for every workforce member? HIPAA requires training when new employees are hired and when policies materially change.
4. Test your access controls. Run an access review: who has access to which ePHI systems and data? Have former employees' accounts been disabled in every system? Are access rights reviewed and certified periodically?
5. Review your Notice of Privacy Practices. Is it current? Is it displayed at service sites? Is it distributed to new patients?
6. Check your breach log. Even minor incidents (unauthorized access, misdelivered mail) should be documented with your assessment of whether they met the breach standard.
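For step 4, as an added example that is not part of the original guide: a small Python reconciliation of a constructed HR roster against a constructed account export from an ePHI system. It flags enabled accounts belonging to terminated workforce members, accounts with no workforce record, and enabled access that has not been certified within a one-year window (the window, the review date and every record are assumed sample values).

```python
"""Access-review reconciliation: HR roster vs. ePHI system account export."""
from datetime import date, timedelta

# Constructed HR roster: workforce member id -> termination date (None = still employed).
HR_ROSTER = {
    "u1001": None,
    "u1002": date(2025, 11, 30),  # left the organization
    "u1003": None,
    "u1004": date(2026, 1, 15),   # left the organization
}

# Constructed account export from an ePHI system (sample values only).
ACCOUNTS = [
    {"user": "u1001", "enabled": True, "last_certified": date(2026, 2, 1), "role": "clinician"},
    {"user": "u1002", "enabled": True, "last_certified": date(2025, 6, 1), "role": "billing"},  # terminated, still enabled
    {"user": "u1003", "enabled": True, "last_certified": date(2025, 3, 1), "role": "admin"},    # certification is stale
    {"user": "u1004", "enabled": False, "last_certified": date(2025, 12, 1), "role": "clinician"},  # correctly disabled
    {"user": "svc-report", "enabled": True, "last_certified": None, "role": "service"},  # no HR record, never certified
]

# Assumed review date and certification window for the sample run.
REVIEW_DATE = date(2026, 4, 1)
CERT_WINDOW_DAYS = 365


def review_access(roster, accounts, as_of, cert_window_days=CERT_WINDOW_DAYS):
    """Return (user, finding) pairs suitable for the access-review record.

    A disabled account produces no findings; an enabled account can produce
    a termination finding and/or a stale-certification finding.
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user not in roster:
            findings.append((user, "no matching workforce record"))
        else:
            term = roster[user]
            if term is not None and term <= as_of and acct["enabled"]:
                findings.append((user, f"terminated {term.isoformat()} but account still enabled"))
        cert = acct["last_certified"]
        if acct["enabled"] and (cert is None or as_of - cert > timedelta(days=cert_window_days)):
            findings.append((user, "enabled access not certified within window"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(HR_ROSTER, ACCOUNTS, REVIEW_DATE):
        print(f"{user}: {finding}")
```

Each finding should be closed with a dated remediation note (account disabled, access recertified, or orphan account assigned an owner) so the review itself becomes audit evidence.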
What Happens If You Fail an OCR Audit
OCR audit findings fall into a few categories:
Technical assistance: Minor gaps may result in guidance from OCR with no formal action. Most first-time, non-egregious findings result in technical assistance.
Corrective Action Plan (CAP): More significant findings result in a formal CAP requiring the organization to fix identified issues by a deadline, with documentation submitted to OCR.
Resolution Agreement: Used for more serious cases, often involving breaches. Requires significant remediation efforts, potentially a compliance monitor, and monetary settlement.
Civil Monetary Penalties (CMPs): Reserved for cases where OCR finds the organization unwilling to cooperate or violations are willful.
Practice tip: Cooperation and rapid, documented remediation efforts consistently result in better outcomes. OCR is more likely to issue technical assistance when an organization demonstrates it takes compliance seriously and moves quickly to fix problems.
Get Audit-Ready Today
Use our free HIPAA Risk Calculator to identify your highest-risk gaps before an OCR auditor does.