How to Prepare for a HIPAA Audit: 2026 Step-by-Step Guide
Last updated: 2026-05-21 — ComplianceStack Editorial Team
Most HIPAA audits are triggered by complaints or breaches, not random selection. But OCR's audit program has expanded, and even organizations that have never had a breach can receive a desk audit request with a 10-day response window. Preparation starts before the audit notice arrives.
Types of HIPAA Audits
OCR Desk Audits: OCR's audit program sends documentation requests to selected covered entities and business associates. Organizations must respond with specified documents within 10 business days. Desk audits focus on documentation — risk analysis, policies, training records, BAA inventories.
Complaint Investigations: When a patient or employee files a complaint with OCR, it triggers an investigation of the specific covered entity or business associate. Complaints must be filed within 180 days of when the complainant knew (or should have known) of the act; OCR itself has no fixed deadline to complete the investigation. Investigations can result in technical assistance, corrective action plans, or civil monetary penalties.
Breach Investigation: When a breach affecting 500+ individuals is reported, OCR typically opens an investigation. This is the most common trigger for enforcement actions and resolution agreements.
State Attorney General Investigations: State AGs can investigate HIPAA violations affecting state residents and bring civil actions.
Documents You Must Have Ready
OCR's desk audit program requests these documents as a baseline. Have them ready before any audit notice:
Privacy Rule:
- Notice of Privacy Practices (current version, with distribution evidence)
- Privacy policies and procedures
- Patient rights request handling procedures and logs
- Minimum necessary policies
- Workforce sanctions policy
Security Rule:
- Security Risk Analysis (most recent, with date)
- Risk management plan addressing identified risks
- Access management policies
- Audit control policies
- Workforce training records (dates, topics, attendees)
- Business Associate Agreement inventory and sample agreements
Breach Notification Rule:
- Breach notification policies and procedures
- Breach log (even if empty)
- Breach notifications sent (if applicable)
How to Conduct a Pre-Audit Self-Assessment
30–60 days before any anticipated audit (or annually as a matter of practice):
1. Pull your Risk Analysis. Is it current? OCR expects the risk analysis to be updated whenever significant operational, environmental, or technical changes occur, and its guidance recommends periodic review; annual review is the common practice. A risk analysis from 2019 will not satisfy an auditor in 2026.
2. Review your BAA inventory. List every vendor or contractor that handles PHI. Do you have a signed BAA with each one? Are the BAAs updated to reflect the 2013 Omnibus Rule requirements?
3. Audit your training records. Can you show completion dates and content for every workforce member? HIPAA requires training when new employees are hired and when policies materially change.
4. Test your access controls. Run an access review: who has access to what ePHI? Have the accounts of former employees and contractors actually been disabled, and how soon after termination? Are access rights reviewed and certified periodically, with the review itself documented?
5. Review your Notice of Privacy Practices. Is it current? Is it displayed at service sites? Is it distributed to new patients?
6. Check your breach log. Even minor incidents (unauthorized access, misdelivered mail) should be documented with your assessment of whether they met the breach standard.
What Happens If You Fail an OCR Audit
OCR audit findings fall into a few categories:
Technical assistance: Minor gaps may result in guidance from OCR with no formal action. Most first-time, non-egregious findings result in technical assistance.
Corrective Action Plan (CAP): More significant findings result in a formal CAP requiring the organization to fix identified issues by a deadline, with documentation submitted to OCR.
Resolution Agreement: Used for more serious cases, often involving breaches. Requires significant remediation efforts, potentially a compliance monitor, and monetary settlement.
Civil Monetary Penalties (CMPs): Imposed when OCR cannot reach a resolution agreement, most often where violations reflect willful neglect or the organization refuses to cooperate. Penalty amounts are tiered by culpability and adjusted annually for inflation.
Practice tip: Cooperation and rapid, documented remediation efforts consistently result in better outcomes. OCR is more likely to issue technical assistance when an organization demonstrates it takes compliance seriously and moves quickly to fix problems.
What OCR Looks for in a HIPAA Audit
The HHS Office for Civil Rights (OCR) conducts HIPAA audits under the Audit Program established by Section 13411 of the HITECH Act. OCR's audit protocol covers three domains: the Privacy Rule (45 CFR §§164.500–534), the Security Rule (45 CFR §§164.302–318), and the Breach Notification Rule (45 CFR §§164.400–414). Understanding what auditors examine in each domain shapes your preparation strategy.
Privacy Rule focus: OCR auditors first verify you have a current Notice of Privacy Practices (NPP) — the document patients receive at first service. They look for distribution records proving the NPP was actually handed out. They then examine your authorization forms, your minimum necessary policies, and your patient access request logs. If you're not logging access requests or can't show the 30-day response window was met, that becomes a finding.
Security Rule focus: OCR's security audit checks five categories: (1) administrative safeguards (risk analysis, security management process, workforce security); (2) physical safeguards (facility access, workstation security, device and media controls); (3) technical safeguards (access control, audit controls, integrity, person or entity authentication, transmission security); (4) organizational requirements (business associate contracts, group health plan provisions); and (5) policies, procedures, and documentation. The most common finding: a risk analysis that is outdated or doesn't cover all systems that store ePHI. A 2019 risk analysis does not meet the current standard when you migrated to cloud systems in 2024.
Breach notification focus: OCR examines whether you have a breach notification policy, whether you conducted the required four-factor risk assessment for every incident, and whether notification was timely. The deadlines differ by audience: individuals must be notified without unreasonable delay and no later than 60 days after discovery; for breaches affecting 500 or more individuals, HHS is notified within that same 60-day window and prominent media outlets are notified if more than 500 residents of a state or jurisdiction are affected; breaches affecting fewer than 500 individuals are reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered. Auditors also look for whether you documented your assessment decisions — a breach log showing "not a breach" without documented reasoning is a citation risk.
OCR publishes its audit protocol and selection criteria. Review the most recent audit findings at hhs.gov/hipaa/for-professionals/compliance-enforcement/audit for what OCR has cited most frequently.
HIPAA Audit Documentation Checklist
OCR desk audits request documentation within 10 business days. Being ready means having these seven document packages assembled before any audit notice arrives. Store them in a single location accessible to your compliance officer and legal counsel.
1. Current risk analysis (most critical): The Security Rule at 45 CFR §164.308(a)(1) requires an accurate, thorough risk analysis covering all ePHI systems. For a desk audit, OCR asks for the date, scope, methodology, and identified risks with remediation actions. If your risk analysis predates your last major technical or operational change, it will be flagged. A thorough risk analysis is your single highest-value compliance investment — it drives every other control.
2. Risk management plan: Your risk analysis identifies threats; your risk management plan describes how you address them. OCR wants to see that you identified risks and took concrete steps, not just documented the analysis.
3. Notice of Privacy Practices (NPP) and distribution records: The NPP must be current (reflecting the 2013 Omnibus Rule changes, such as breach notification rights and restrictions on marketing and sale of PHI), posted visibly at service delivery sites and on your website if you have one, and provided to new patients at first contact with a good-faith effort to obtain written acknowledgment of receipt. Distribution records can be electronic — email confirmations, practice management system attestations.
4. Business Associate Agreement inventory and signed BAAs: List every vendor that handles PHI and attach the current signed BAA for each. OCR specifically checks for missing BAAs with high-risk vendors (cloud storage, EHR vendors, billing services).
5. Workforce training records: Must show date, content, trainee names, and trainer. Annual refresh or material change training events documented.
6. Security policies and procedures: Access control policy, audit logging policy, contingency plan, incident response plan — the core Security Rule documentation.
7. Breach notification log: Even if you have never had a breach, maintain a log documenting your breach risk assessments for every incident. OCR wants to see a process, not just a result.
Common Audit Failures and How to Avoid Them
OCR's audit findings cluster around a small number of failure patterns. Understanding what breaks audits is the fastest path to passing one.
Failure 1: Stale or absent risk analysis. This is the single most-cited finding in OCR audit reports and resolution agreements. 45 CFR §164.308(a)(1) requires a current risk analysis — and OCR interprets "current" to mean updated whenever there is a significant change to your ePHI environment (new system, new vendor, new data type). Organizations that completed a risk analysis in 2019 and never updated it when they migrated to a cloud EHR in 2021 are operating without a compliant risk analysis. The solution: schedule annual risk analysis review and trigger updates on any material system change.
Failure 2: Incomplete BAA inventory. OCR asks for a list of every business associate and signed agreements for each. Organizations routinely discover they have 15–40 vendors in their ePHI ecosystem — many onboarded informally — and missing BAAs for half of them. The fix: conduct a vendor inventory audit now, execute BAAs for any vendor touching PHI, and implement a vendor onboarding process that includes BAA execution before data flows.
Failure 3: Missing or incomplete training records. Training records that show "HIPAA training completed" with no date, no content detail, and no employee signature do not satisfy OCR's documentation standard. Each record needs date, content, and employee confirmation. For organizations that use LMS auto-completion (click-through with timer), supplement with periodic knowledge assessments to demonstrate actual comprehension.
Failure 4: NPP not actually distributed. Having a compliant NPP is not enough — you must demonstrate you gave it to patients. Practice management systems that flag NPP delivery in the patient record satisfy this requirement. If you cannot show evidence that new patients received the NPP, OCR cites it as a Privacy Rule violation.
Failure 5: Breach log without documented risk assessments. Organizations with zero reportable breaches often have no breach log at all — which creates a documentation gap even without a breach event. Maintain a breach log that records every incident and your four-factor assessment for each, even if the conclusion is "not a breach."