
Audit readiness

How to Prepare for an OCR HIPAA Audit

OCR audits are complaint-driven, breach-triggered, or random — and you will not know which until the notification arrives. This guide covers exactly what OCR will request, how practices are selected, and how to generate audit-ready evidence before you need it.

Based on OCR HIPAA Audit Protocol · 45 CFR Parts 160 & 164

Selection process

How OCR selects practices for investigation.

Most independent practices believe audits only happen to hospitals. In reality, OCR investigates covered entities of all sizes — and independent practices are often less prepared when the request arrives.

Complaint-driven

The most common trigger. A patient, employee, or business associate files a complaint with HHS OCR. Complaints about denied access to records, unauthorized disclosures, or missing safeguards can all initiate an investigation. OCR receives thousands of complaints annually and investigates based on severity and pattern.

Breach-triggered

When you report a breach to HHS — especially one affecting 500 or more individuals — OCR reviews the circumstances. Large breaches automatically appear on the public Breach Portal and trigger a compliance review. Even smaller breaches can lead to investigation if the circumstances suggest systemic failures.

Random / compliance review

OCR conducts periodic compliance reviews — sometimes random, sometimes targeting specific sectors or geographic areas. The 2016–2017 HIPAA audit program evaluated both covered entities and business associates. While random audits are less common than complaint-driven investigations, they do occur, and practices selected have no advance notice of the criteria used.

The 7 documents

What OCR will request — and why each matters.

Every OCR investigation begins with a data request. These seven categories cover the documentation your practice must produce. If you cannot produce them within the requested timeframe, OCR draws its own conclusions.

1. Current Security Risk Assessment

The SRA is the single most requested document in any OCR audit. It must be current — not last year's version with a new date. Your SRA should identify every system that stores, processes, or transmits ePHI; assess threats and vulnerabilities for each; document the likelihood and impact of each risk; and show the controls you've implemented to mitigate them.

Why it matters: A missing or outdated SRA is the most common finding in OCR enforcement actions and the most frequent basis for civil money penalties.

2. Policies and Procedures

OCR will request your complete set of HIPAA policies covering the Security Rule, Privacy Rule, and Breach Notification Rule. Policies must be written, reviewed regularly, and reflect your practice's actual operations — not generic templates. They must cover access controls, workforce training, incident response, device management, BAA requirements, and patient rights.

Why it matters: Policies that don't match your actual operations are worse than no policies — they demonstrate awareness of the requirement without compliance.

3. Training Records

Documentation showing that every workforce member — employees, volunteers, trainees, and contractors — has received HIPAA training. Records must show who was trained, when, what material was covered, and acknowledgment of receipt. Training must occur at onboarding and periodically thereafter. Role-specific training is expected for staff in different functions.

Why it matters: Verbal training with no documentation is the same as no training in an OCR audit.

4. Business Associate Agreement Inventory

A complete list of every business associate your practice works with, along with the signed BAA for each. This includes EHR vendors, billing services, IT support, cloud storage, shredding companies, and any other entity that creates, receives, maintains, or transmits PHI on your behalf. Each agreement must be current and cover required provisions.

Why it matters: A single missing BAA can result in a finding of willful neglect if the vendor relationship involves routine ePHI handling.

5. Incident Response Plan

Your documented procedures for identifying, responding to, and recovering from security incidents and breaches. The plan must include roles and responsibilities, escalation procedures, notification timelines (60 days for individuals, 72 hours under the proposed 2026 rule), evidence preservation steps, and post-incident analysis procedures.

Why it matters: An untested plan is almost as risky as no plan. OCR may ask when the plan was last exercised and what the outcomes were.

6. Access Logs and Audit Trails

Records showing who accessed ePHI, when, from what device, and what actions were taken. HIPAA requires the capability to record and examine activity in information systems that contain or use ePHI. Access logs must be reviewed regularly — not just collected. Your practice should be able to demonstrate a review process with documented findings.

Why it matters: Collecting logs without reviewing them demonstrates capability without compliance — OCR evaluates both.
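The passage above asks for two things that are easy to conflate: logs that record who touched ePHI, when, from which device and what they did, and a review process that turns those records into documented findings. The following Python example is added here to illustrate both; it is not Patient Protect code and does not model any real EHR's log format. The event fields, the business-hours window and the per-user patient-count threshold are constructed for the example. Entries are hash-chained so that any after-the-fact edit to an earlier record breaks verification, and review_log() returns the findings a reviewer would record.

```python
"""Tamper-evident ePHI access log with a scripted review pass.

Added illustration for the access-log requirement; not vendor code.
Event fields follow the "who, when, device, action" description;
thresholds in review_log() are constructed values for the example.
"""
import copy
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # hash used as the predecessor of the first entry


def _event_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON so the same event always hashes the same way.
    payload = json.dumps(event, sort_keys=True).encode() + prev_hash.encode()
    return hashlib.sha256(payload).hexdigest()


def append_event(log: list, event: dict) -> dict:
    """Append an event, chaining it to the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"event": event, "prev_hash": prev_hash,
             "hash": _event_hash(prev_hash, event)}
    log.append(entry)
    return entry


def verify_chain(log: list) -> bool:
    """True only if every entry still hashes to the value stored with it."""
    prev = GENESIS
    for entry in log:
        if entry["prev_hash"] != prev:
            return False
        if _event_hash(prev, entry["event"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def review_log(log: list, business_hours=(7, 19), max_patients_per_user=3) -> list:
    """Return documented findings from one review pass.

    Constructed review rules: access outside business hours, and a user
    touching more distinct patient records than the threshold.
    """
    findings = []
    patients_by_user = {}
    for entry in log:
        ev = entry["event"]
        ts = datetime.fromisoformat(ev["timestamp"])
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            findings.append(
                f"after-hours {ev['action']} by {ev['user']} on {ev['patient']} "
                f"from {ev['device']} at {ev['timestamp']}")
        patients_by_user.setdefault(ev["user"], set()).add(ev["patient"])
    for user, patients in patients_by_user.items():
        if len(patients) > max_patients_per_user:
            findings.append(f"{user} accessed {len(patients)} distinct patient records")
    return findings


# Constructed sample events; identifiers are placeholders, not real data.
SAMPLE_EVENTS = [
    {"user": "dr.lee", "patient": "P-1001", "device": "WS-03", "action": "view", "timestamp": "2025-03-04T09:15:00"},
    {"user": "dr.lee", "patient": "P-1002", "device": "WS-03", "action": "view", "timestamp": "2025-03-04T09:40:00"},
    {"user": "billing1", "patient": "P-1001", "device": "WS-07", "action": "export", "timestamp": "2025-03-04T23:10:00"},
    {"user": "billing1", "patient": "P-1003", "device": "WS-07", "action": "view", "timestamp": "2025-03-04T10:00:00"},
    {"user": "billing1", "patient": "P-1004", "device": "WS-07", "action": "view", "timestamp": "2025-03-04T10:05:00"},
    {"user": "billing1", "patient": "P-1005", "device": "WS-07", "action": "view", "timestamp": "2025-03-04T10:09:00"},
]


def build_sample_log() -> list:
    log = []
    for ev in SAMPLE_EVENTS:
        append_event(log, ev)
    return log


def tampered_copy(log: list) -> list:
    """Copy the log and quietly rewrite one past event, as an edit-in-place would."""
    bad = copy.deepcopy(log)
    bad[2]["event"]["action"] = "view"  # the 23:10 'export' becomes a 'view'
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log))
    print("tampered copy intact:", verify_chain(tampered_copy(log)))
    for finding in review_log(log):
        print("finding:", finding)
```

The chain only makes edits detectable; it does not by itself stop someone who can rewrite every entry from the tampered point onward. Periodically copying the latest entry's hash to storage the logging host cannot modify is what turns detectability into the "tamper-proof by architecture" property, and the review output should be retained alongside the log as the documented findings OCR asks about.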

7. Device and Media Controls

Documentation covering how your practice manages devices that store ePHI — workstations, laptops, mobile devices, USB drives, backup media, and paper records. This includes hardware inventory, disposal and reuse procedures, encryption status, and policies for devices leaving the facility. Every device that touches ePHI must be tracked through its lifecycle.

Why it matters: A single unencrypted laptop lost from a practice has triggered six-figure penalties. Device controls are non-negotiable.

Patient Protect

How Patient Protect generates audit-ready evidence.

Every document OCR requests is generated, tracked, and maintained automatically. Whether you use Patient Protect alongside your existing compliance partner or as a standalone platform, the evidence is ready when you need it.

OCR document: Security Risk Assessment

Guided SRA wizard

Walk through every required assessment step in plain language. The wizard maps your systems, identifies threats, scores risks, and generates a complete, timestamped SRA document — audit-ready on day one.

OCR document: Policies and Procedures

Auto-generated policy library

Over 40 HIPAA policies generated from your practice profile — Security Rule, Privacy Rule, and Breach Notification Rule. Policies reflect your actual operations, not generic templates. Version-controlled and review-tracked.

OCR document: Training Records

80+ training modules with tracking

Role-specific HIPAA training for every workforce member. Completion tracked per employee with timestamps, acknowledgment records, and audit-ready reports. New hire onboarding and annual refresher workflows included.

OCR document: BAA Inventory

BAA lifecycle management

Track every business associate relationship — agreement status, expiration dates, vendor contact information, and compliance verification. E-sign new agreements and get alerts before any BAA lapses.

OCR document: Incident Response Plan

Breach response workflows

Pre-built incident response procedures with step-by-step guides, notification templates, timeline tracking, and OCR reporting assistance. Your plan is documented, tested, and ready before day zero.

OCR document: Access Logs

Immutable audit logging

Per-session ePHI access logs retained 6+ years. Tamper-proof by architecture. Regular review workflows with documented findings — satisfying both the logging requirement and the review requirement.

OCR document: Device Controls

Technology asset tracking

Hardware and software inventory with ePHI classification, encryption status tracking, and disposal documentation. Know the compliance status of every device in your practice — from workstations to USB drives.

FAQ

Questions about OCR audits.

How do I know if my practice will be audited by OCR?

You generally won't know in advance. OCR investigations are most commonly triggered by patient complaints or breach reports. Random compliance reviews also occur but are less frequent. The best preparation strategy is maintaining continuous compliance — not scrambling when notification arrives. Practices that treat every day as audit day are the ones that pass.

How long does an OCR audit take?

Desk audits — where OCR requests documentation remotely — typically last 30 to 90 days. On-site audits can take one to three days for the site visit, but the overall investigation period can extend to months or years depending on findings. Having audit-ready documentation reduces the timeline significantly because you can respond to data requests immediately.

What happens if we fail an OCR audit?

OCR outcomes range from technical assistance (guidance on how to comply) to resolution agreements with corrective action plans and civil money penalties. Penalties range from $100 to $50,000 per violation, with annual maximums up to $1.5 million per category. The severity depends on the nature of the violation, whether it constitutes willful neglect, and how quickly you remediate.

Can Patient Protect help us prepare for an audit we've already been notified about?

Yes. While the ideal approach is continuous compliance, Patient Protect can rapidly generate the core documentation OCR requests — SRA, policies, training records, BAA inventory, and incident response plans. The platform creates audit-ready evidence from day one, which significantly reduces the preparation burden even on an accelerated timeline.

Don’t wait for the notification

Be audit-ready today — not next quarter.

Start with a free risk assessment that shows exactly where your practice stands. Then decide whether Patient Protect closes the gaps — or whether you address them another way.

14-day free trial · No charge until trial ends