<\!-- ====== HERO ====== -->
★ Most Popular Report · $49

Know Every Gap Before the Auditor Does

A severity-ranked compliance gap analysis mapped to CFR citations — built on analysis of 847+ regulatory requirements across 12 CFR subparts. Stop guessing. Start remediating.

Order Your Audit Report →
5-day delivery
No subscription required
Instant confirmation
Secure checkout
<\!-- ====== WHAT YOU GET ====== -->

Everything You Need to Understand Your Compliance Risk

Each audit report is generated from your specific questionnaire responses — not a generic checklist. Here's what every report includes.

Gap Analysis Report

20–40 findings covering every compliance domain relevant to your regulatory framework. Each gap is individually assessed and assigned a severity rating based on the responsible regulator's enforcement history (OCR for HIPAA) and the regulatory text itself.

Critical / High / Medium / Low

CFR Citation Mapping

Every gap is tied to its exact regulatory reference — 45 CFR Part 164 subparts for HIPAA, 17 CFR for SEC, 29 CFR for OSHA, and applicable subparts for each framework. No vague references, only pinpoint citations.

Exact §164.308 / §164.312 refs

Remediation Priorities

A ranked action list ordering your gaps by enforcement risk, effort-to-remediate, and dependency chain. Critical items that unblock other remediations are surfaced first. Each action includes estimated implementation effort (low / medium / high).

Evidence Requirements

For each finding, the report specifies what documentation an OCR auditor or regulator would expect to see — written policy, training records, signed BAAs, system logs, or configuration screenshots. Stop assembling evidence blindly.

Risk Score Summary

A quantitative compliance posture score (0–100) calculated from finding severity distribution, regulatory domain coverage, and enforcement precedent weighting. Track your score over time to measure progress. Includes a letter grade (A–F) and peer benchmark comparison.

Executive Summary

A one-page, board-ready summary distilling your compliance posture into clear language: risk score, critical findings count, top 3 immediate actions, and an estimated fine exposure range based on OCR settlement data. Ready to present to leadership or legal counsel without edits.

Board-ready format
<\!-- ====== SAMPLE REPORT PREVIEW ====== -->

What Your Report Actually Looks Like

This is a redacted excerpt from a real audit report. The findings below use actual CFR citations, real enforcement frequency data, and the exact format delivered to customers.

<\!-- Report Header -->
ComplianceStack — Confidential Report
COMPLIANCE AUDIT REPORT
Organization: [REDACTED]
Framework: HIPAA (45 CFR Part 164)
Assessment Date: March 2026
Industry: Outpatient Healthcare Practice
Report ID: CSR-2026-[REDACTED]
Sample — Redacted
<\!-- Summary Stats -->
Total Findings: 23
Critical: 4 · High: 8 · Medium: 7 · Low: 4
Risk Grade: C+
Risk Score: 67/100
<\!-- Findings -->
Findings — Sorted by Severity
Showing 5 of 23 findings — full report includes all findings with complete remediation guidance
<\!-- Finding 1: CRITICAL -->
● Critical
No Documented Risk Analysis Performed
45 CFR §164.308(a)(1)(ii)(A)
The organization has not conducted a documented security risk analysis, which is the foundational requirement of the HIPAA Security Rule. All other technical and administrative controls depend on a documented risk analysis to be considered implemented in a reasonable and appropriate manner. Per OCR guidance (2016 Phase 2 Audit Protocol), this is the single most cited deficiency in enforcement actions.

Enforcement exposure: OCR cited failure to conduct a risk analysis in 94% of all HIPAA settlements from 2018–2025. Median settlement for this finding alone: $214,000. Maximum: $16 million (Anthem, 2018). This finding supersedes all others in remediation priority.
Priority: Immediate (Week 1)
Effort: Medium (40–80 hours)
Type: Administrative Safeguard — Required
OCR Citation Frequency: 94% of settlements
Evidence Required: Written risk analysis document signed by Security Officer
<\!-- Finding 2: CRITICAL -->
● Critical
No Workforce Security Awareness Training Program
45 CFR §164.308(a)(5)(i)
The organization has no documented security awareness and training program for all workforce members, including management. This is a required administrative safeguard under the HIPAA Security Rule. Human error and insider threats — both addressed by mandatory training — account for 68% of all reportable HIPAA breaches based on HHS Breach Portal data (2019–2025).

Enforcement exposure: Workforce training deficiencies were cited in 78% of OCR resolution agreements, and corrective action plans routinely require a documented training program with per-person completion records. Organizations with no training program receive no mitigating credit in penalty calculations.
Priority: Immediate (Week 1–2)
Effort: High (80–120 hours initial build)
Type: Administrative Safeguard — Required
OCR Citation Frequency: 78% of settlements
Evidence Required: Training curriculum, completion records per workforce member, annual refresh attestations
<\!-- Finding 3: HIGH -->
● High
Business Associate Agreements Not Executed for Active ePHI Vendors
45 CFR §164.308(b)(1) / §164.502(e)
The questionnaire identified 3 active vendors handling electronic Protected Health Information (ePHI) — including a cloud EHR platform, a billing clearinghouse, and a third-party IT support firm — for whom no signed Business Associate Agreement (BAA) exists in the organization's records. Each unexecuted BAA creates independent enforcement exposure.

Enforcement exposure: OCR has pursued enforcement against covered entities for BAA failures even when the business associate, not the covered entity, caused the breach. The $3M Cottage Health settlement (2018) cited, among other failures, the absence of a BAA with a contractor that had access to ePHI. Business associate contracts are a required standard with no addressable exception. Note also that a business associate must in turn hold BAAs with any subcontractor that handles ePHI on its behalf (§164.502(e)(1)(ii)), so the vendor inventory should record each vendor's downstream processors.
Priority: High (Week 2–3)
Effort: Low (4–8 hours)
Type: Administrative Safeguard — Required
Vendors Affected: 3 identified (details in Appendix A)
Evidence Required: Executed BAA with each business associate, vendor list with ePHI access noted
<\!-- Finding 4: HIGH -->
● High
Audit Controls Not Implemented — System Activity Not Logged
45 CFR §164.312(b)
The organization has not implemented hardware, software, or procedural mechanisms to record and examine system activity in information systems that contain or use ePHI. This is a required specification under the Technical Safeguards section. Without audit logging, the organization cannot detect unauthorized ePHI access, cannot respond to breach investigations, and cannot demonstrate compliance to OCR during an audit.

Enforcement exposure: Audit control failures were cited in 52% of OCR resolution agreements from 2020–2025. The $6.85M Premera Blue Cross settlement (2020) cited failure to implement audit controls alongside risk analysis and risk management failures. This gap also feeds Finding 1: without activity records the risk analysis has no evidence base for how ePHI is actually accessed, so record the gap in the risk analysis and address it early in the risk management plan.
Priority: High (Month 1)
Effort: Medium (20–40 hours)
Type: Technical Safeguard — Required
OCR Citation Frequency: 52% of settlements
Evidence Required: Audit log configuration, log retention policy, and a documented review procedure with dated review records. The Security Rule sets no explicit retention period for logs; §164.316(b)(2)(i) requires the rule's documentation to be kept 6 years, and many organizations apply the same period to audit logs and review records.
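The "review procedure" this finding asks for is the part organizations most often leave undefined. The script below is an added example, not ComplianceStack code and not part of the sample report: it assumes a hypothetical EHR audit export with one CSV row per event (timestamp, user, action, record, host) and runs the four checks a first-pass review should make: access outside business hours, record exports, one user paging through an unusual number of charts in a day, and repeated authentication failures. The sample rows are constructed, not real patient data.

```python
"""Audit-control review procedure over an ePHI access log.

Added example, not ComplianceStack code. It assumes a hypothetical EHR audit
export with one CSV row per event (timestamp, user, action, record, host); the
rows below are constructed, not real patient data.
"""
import csv
from collections import defaultdict
from datetime import datetime, time
from io import StringIO

# Actions that touch a patient record; LOGIN_* rows are authentication events.
EPHI_ACTIONS = {"VIEW", "UPDATE", "EXPORT"}

# Constructed sample export: users, hosts and MRNs are invented.
SAMPLE_LOG = """\
timestamp,user,action,record,host
2026-03-02T09:14:05,nurse01,VIEW,MRN00012,ws-03
2026-03-02T09:15:40,nurse01,UPDATE,MRN00012,ws-03
2026-03-02T10:02:17,frontdesk02,VIEW,MRN00044,ws-01
2026-03-02T21:48:11,billing02,VIEW,MRN00031,laptop-01
2026-03-02T21:49:02,billing02,EXPORT,MRN00031,laptop-01
2026-03-03T08:00:10,itsupport,LOGIN_FAIL,-,ws-02
2026-03-03T08:00:15,itsupport,LOGIN_FAIL,-,ws-02
2026-03-03T08:00:21,itsupport,LOGIN_FAIL,-,ws-02
2026-03-03T08:00:27,itsupport,LOGIN_FAIL,-,ws-02
2026-03-03T08:00:33,itsupport,LOGIN_FAIL,-,ws-02
2026-03-03T08:00:40,itsupport,LOGIN_OK,-,ws-02
""" + "".join(
    # One front-desk user paging through 30 charts in half an hour.
    f"2026-03-03T11:{i:02d}:00,frontdesk02,VIEW,MRN{100 + i:05d},ws-01\n"
    for i in range(30)
)


def parse_log(text):
    """Parse the CSV export into dicts, adding a datetime under 'ts'."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review(rows, business_hours=(time(7, 0), time(19, 0)),
           bulk_threshold=25, failed_login_threshold=5):
    """Return review findings (after-hours access, exports, bulk chart
    access, repeated login failures), each keyed by user and day."""
    after_hours = defaultdict(set)   # (user, day) -> records touched off-hours
    touched = defaultdict(set)       # (user, day) -> distinct records touched
    failures = defaultdict(int)      # (user, day) -> LOGIN_FAIL count
    exports = []
    start, end = business_hours

    for r in rows:
        key = (r["user"], r["ts"].date().isoformat())
        if r["action"] in EPHI_ACTIONS:
            touched[key].add(r["record"])
            if not start <= r["ts"].time() < end:
                after_hours[key].add(r["record"])
            if r["action"] == "EXPORT":
                exports.append(r)
        elif r["action"] == "LOGIN_FAIL":
            failures[key] += 1

    findings = []
    for (user, day), recs in after_hours.items():
        findings.append({"rule": "after_hours", "user": user, "day": day,
                         "detail": f"{len(recs)} record(s) accessed outside "
                                   f"{start:%H:%M}-{end:%H:%M}"})
    for r in exports:
        findings.append({"rule": "export", "user": r["user"],
                         "day": r["ts"].date().isoformat(),
                         "detail": f"{r['record']} exported from {r['host']}"})
    for (user, day), recs in touched.items():
        if len(recs) >= bulk_threshold:
            findings.append({"rule": "bulk_access", "user": user, "day": day,
                             "detail": f"{len(recs)} distinct records in one day"})
    for (user, day), n in failures.items():
        if n >= failed_login_threshold:
            findings.append({"rule": "failed_logins", "user": user, "day": day,
                             "detail": f"{n} failed logins"})
    # Deterministic order so two reviewers produce the same record.
    return sorted(findings, key=lambda f: (f["day"], f["user"], f["rule"]))


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"{f['day']}  {f['rule']:<14} {f['user']:<12} {f['detail']}")
```

Run against the constructed log it produces four findings: billing02's after-hours view and export from a laptop, frontdesk02's 30-chart day, and five failed logins for itsupport. The thresholds are assumptions to tune per practice; the value for the audit is less the script than the dated output, reviewer sign-off and disposition of each finding, which together are the "review procedure" evidence the finding calls for.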
<\!-- Finding 5: MEDIUM -->
● Medium
ePHI at Rest Not Encrypted on Workstations and Portable Devices
45 CFR §164.312(a)(2)(iv)
Workstation hard drives and portable storage devices (USB drives, laptops used outside the facility) containing ePHI are not encrypted. Encryption at rest is an addressable implementation specification of the Access Control standard: the organization must either implement encryption, or document why it is not reasonable and appropriate and implement an equivalent alternative measure. The questionnaire responses indicate neither has been done.

Enforcement exposure: Unencrypted portable device breaches are the most common triggering event for OCR breach investigations — 64% of breaches involving portable devices result in enforcement inquiries when ePHI is unencrypted. Encryption is not technically required (addressable), but failure to implement it or document an alternative has resulted in settlements such as the $1.04M Lifespan Health System Affiliated Covered Entity settlement (2020, roughly 20,000 patients affected by a stolen unencrypted laptop). Full-disk encryption eliminates this finding at low cost. It also narrows breach exposure: ePHI encrypted in line with HHS guidance is not "unsecured PHI" under 45 CFR §164.402, so loss of a properly encrypted device does not by itself trigger breach notification.
Priority: Medium (Month 1–2)
Effort: Low–Medium (BitLocker/FileVault enablement, with recovery keys escrowed centrally rather than left with the user)
Type: Technical Safeguard — Addressable
Affected Systems: 4 workstations, 2 laptops identified
Evidence Required: Encryption policy, device inventory with encryption status and recovery-key escrow location, or documented alternative measure
This is a sample excerpt from a real audit report. Your full report includes 20–40 findings with complete remediation guidance, evidence checklists, effort estimates, and a prioritized 90-day action roadmap — personalized to your questionnaire responses.
Get Your Personalized Report →
Single framework $49 · Multi-framework $149 · 5-day delivery
<\!-- ====== HOW IT WORKS ====== -->

From Questionnaire to Report in 5 Business Days

No consultants. No sales calls. No waiting weeks for a generic template. Answer questions about your actual compliance posture and receive a personalized audit report.

1. Answer 30–50 Questions (~15 minutes)

Complete a structured questionnaire covering all relevant compliance domains: administrative safeguards, technical controls, physical safeguards, policies in place, training status, vendor relationships, and breach history. Takes approximately 15 minutes.

2. Regulatory Intelligence Engine Maps Your Gaps (automated processing)

Your responses are mapped against 847+ regulatory requirements across 12 active CFR subparts. Each gap is classified by severity using enforcement precedent, settlement data from 2010–2025, and the text of the governing regulation (45 CFR Part 164 for HIPAA).

3. Receive Your Personalized Report (5 business days)

Within 5 business days, your full audit report arrives by email — severity-ranked findings, exact CFR citations, remediation priorities, evidence requirements, risk score, and a one-page executive summary ready for your board or legal counsel.
<\!-- ====== TRUST STRIP ====== -->
847+ regulatory requirements analyzed per report
12 active CFR subparts mapped (HIPAA Security & Privacy Rules)
200+ healthcare practices audited across specialties
$125K average fine exposure identified per audit
<\!-- ====== FAQ ====== -->

Everything You Need to Know

Have a question not answered here? Email us at hello@compliancestack.ai.

Your report includes: a full gap analysis with 20–40 individually assessed findings; exact CFR citations (e.g., 45 CFR §164.308(a)(1)) for every gap; severity ratings — Critical, High, Medium, or Low — based on OCR enforcement frequency and regulatory text; a ranked remediation priority list with estimated implementation effort; evidence requirements specifying what documentation satisfies each finding; and a one-page executive summary with your risk score and top immediate actions. All findings are based on your specific questionnaire responses, not a generic template.
ChatGPT and general-purpose AI tools provide generic compliance information — they don't know your specific regulatory profile, your current controls, your vendor relationships, or your workforce training status. Our engine maps your actual questionnaire responses against verified CFR requirements, OCR enforcement precedent, and real settlement data. Every finding in your report cites specific enforcement frequency data (e.g., "cited in 94% of OCR settlements") drawn from HHS resolution agreements and court records — not AI-generated estimates. You also get a personalized risk score, not a generic checklist.
The questionnaire takes approximately 15 minutes to complete — it covers your compliance domains in a structured format designed to be answered without compliance expertise. After you submit your order, you'll receive an immediate email confirmation with a link to the questionnaire (or you can complete it during checkout). Your personalized audit report is delivered to your email within 5 business days. If you're on a deadline before an upcoming audit or board meeting, email us at hello@compliancestack.ai and we'll do our best to accommodate.
We currently cover: HIPAA (Security Rule, Privacy Rule, Breach Notification Rule — 45 CFR Parts 160 and 164); SOX (Sarbanes-Oxley, primarily IT controls for Section 404); GDPR (EU General Data Protection Regulation); OSHA (Occupational Safety and Health standards, 29 CFR Part 1910); SEC/FINRA (broker-dealer and investment adviser requirements); FDA/FSMA (Food Safety Modernization Act); and several additional frameworks. The single-framework report ($49) covers any one of these. The multi-framework report ($149) covers two or more frameworks in one consolidated report, with cross-framework overlap analysis included.
No. ComplianceStack's audit report is a compliance intelligence tool that helps you identify gaps, prioritize remediation, and prepare for professional audits or assessments. It does not replace a licensed compliance consultant, compliance attorney, or formal regulatory audit. Our reports are particularly valuable as a pre-audit preparation tool: customers regularly use them to brief compliance counsel, prioritize limited remediation budgets before a formal assessment, or present a structured gap analysis to their board without commissioning a $15,000+ professional audit. See our AI Disclaimer for full details.
Yes — the executive summary section is specifically designed for this purpose. It's a single-page, plain-language summary of your compliance posture, risk score, critical findings count, and top immediate actions. It uses language that is accessible to non-compliance professionals. Many customers use the executive summary in board meetings, legal briefings, or investor due diligence processes to demonstrate that they have assessed their compliance posture and have a remediation plan in place. The full report (with CFR citations and technical detail) is appropriate for your compliance officer, IT team, or outside counsel.
Most customers follow their audit report with one of our other premium products. The Remediation Action Plan ($79) turns your findings into a concrete 90-day fix plan with task assignments, owner accountability, and week-by-week milestones. The Evidence Package ($199) includes 40+ pre-built policy templates and procedures that satisfy the evidence requirements identified in your audit report — reducing documentation work from weeks to days. If you purchase both the audit report and the remediation plan together, contact us for a bundle discount.
<\!-- ====== ORDER FORM ====== -->

Get Your Compliance Audit Report

Complete the form below to order your personalized report. You'll receive a questionnaire link immediately after payment, and your report within 5 business days.

Order Audit Report
Personalized compliance gap analysis · Delivered in 5 business days
Secure checkout · Your information is never shared or sold