
Top 10 Signs Your Practice Will Fail a HIPAA Audit

The ten warning signs auditors look for first when evaluating an independent practice. Each one is operational, observable, and fixable before the investigation begins.

Angie Perrin, RDH·April 11, 2026·4 min read

OCR's audit and investigation process is more predictable than most practices assume. Investigators arrive with a checklist drawn directly from the HIPAA Security Rule and Privacy Rule, and they ask for documentation. The practice that produces dated, scoped, recently reviewed documentation passes. The practice that scrambles to assemble it fails.

These are the ten signs that the practice is on the second path — visible long before the investigation notice arrives.

1. The risk analysis is missing, older than 12 months, or scoped too narrowly

The single most-cited finding in OCR enforcement. HIPAA requires an "accurate and thorough" risk analysis under 45 CFR §164.308(a)(1)(ii)(A). The rule sets no calendar interval, but it does require the analysis to be kept current as systems, vendors, and workflows change, so a risk analysis from 2022 that predates the current EHR, the cloud backup, or last year's lab integration is not current. A risk analysis covering only the EHR is not thorough: it has to cover every place ePHI is created, stored, or transmitted, including workstations, mobile devices, email, imaging systems, and backups. Both fail an audit.

2. Workforce training records can't be produced on request

The training happened. Maybe. Nobody can find the documentation. Or training was clinical-only, and administrative staff handling PHI weren't included. Both are findings under 45 CFR §164.530(b) (Privacy Rule training) and §164.308(a)(5) (Security Rule awareness training); the auditor wants dated rosters, not a recollection.

3. The BAA list isn't current

A new lab integration went live six months ago. The BAA was never returned. Or the BAA was signed in 2019 and the vendor has since updated its template. The practice can't produce a current, complete BAA inventory. The Raleigh Orthopaedic Clinic case settled at $750,000 with no breach alleged; the missing BAA was itself the violation.

4. Audit logs exist but are never reviewed

The EHR generates logs. The cloud platform generates logs. Nobody opens them. There's no documented review schedule, no record of investigations triggered by log anomalies, no retention policy. 45 CFR §164.312(b) requires audit controls, and §164.308(a)(1)(ii)(D) requires regular review of the activity they record; OCR expects to see evidence that the review happened, not just that the logs exist.

5. Staff share logins

The most operationally common failure. The front desk uses one shared account. The hygienist uses the doctor's login when the system locks them out. 45 CFR §164.312(a)(2)(i) requires a unique identifier for each user, and audit logs that can't attribute actions to individuals don't meet that standard. They also make every breach investigation an exercise in presumption: when a record was viewed from a shared account, nobody can say who viewed it.
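Signs 4 and 5 are the same failure seen from two sides: logs nobody reads, and logs that can't say who did what. The review pass below is an added example, not Patient Protect's code and not any EHR vendor's export format. It runs two of the checks a practice would schedule against a constructed, comma-separated access log (timestamp, user id, workstation, patient id, action): a user id active on two different workstations within a few minutes, which is the signature of a shared credential, and access outside business hours. The log lines, the five-minute window, and the 07:00 to 19:00 business-hours assumption are all constructed for the example; a real review would tune both and add a review record with the reviewer's name and date, which is the documentation the auditor asks for.

```python
"""Scheduled audit-log review over a constructed EHR access log.

Added example: the log format, user ids, workstation names, and the
thresholds below are assumptions for illustration, not a real vendor's schema.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed sample log: timestamp, user id, workstation, patient id, action.
# The "frontdesk" id is the shared account described in the article; the two
# late-evening lines are the after-hours accesses.
SAMPLE_LOG = """\
2026-04-06T08:02:11,frontdesk,WS-RECEPTION,P1001,view
2026-04-06T08:03:40,frontdesk,WS-OP2,P1002,view
2026-04-06T08:20:05,frontdesk,WS-RECEPTION,P1003,view
2026-04-06T09:15:00,drlee,WS-OP1,P2001,view
2026-04-06T09:16:30,drlee,WS-OP1,P2001,update
2026-04-06T22:41:17,drlee,WS-OP1,P3005,view
2026-04-06T23:10:02,hyg_maria,WS-OP3,P3006,view
2026-04-06T10:00:00,hyg_maria,WS-OP3,P1004,view
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    workstation: str
    patient: str
    action: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the constructed CSV format into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ws, patient, action = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, ws, patient, action))
    return sorted(events, key=lambda e: e.ts)


def shared_login_findings(events: list[AccessEvent], window: timedelta = timedelta(minutes=5)):
    """Flag a user id that appears on two different workstations within `window`.

    This is a heuristic, not proof: a clinician walking between operatories can
    trip it once. A user id that trips it routinely is a shared credential and
    breaks the unique-user-identification requirement.
    """
    by_user: dict[str, list[AccessEvent]] = {}
    for e in events:  # events are already time-ordered
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev.workstation != cur.workstation and cur.ts - prev.ts <= window:
                findings.append((user, prev.workstation, cur.workstation, cur.ts))
    return findings


def after_hours_findings(events: list[AccessEvent], start: time = time(7, 0), end: time = time(19, 0)):
    """Return events outside the assumed business-hours window [start, end)."""
    return [e for e in events if not (start <= e.ts.time() < end)]


def review(text: str, reviewer: str = "privacy-officer") -> dict:
    """Run the scheduled checks and produce a dated review record.

    The record (who reviewed, when, how many events, what was flagged) is the
    artifact an auditor asks for under the audit-controls standard.
    """
    events = parse_log(text)
    shared = shared_login_findings(events)
    late = after_hours_findings(events)
    return {
        "reviewed_at": datetime.now().isoformat(timespec="seconds"),
        "reviewer": reviewer,
        "events": len(events),
        "shared_login": shared,
        "after_hours": late,
        "needs_investigation": bool(shared or late),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for key in ("reviewed_at", "reviewer", "events", "needs_investigation"):
        print(f"{key}: {result[key]}")
    for user, ws_a, ws_b, at in result["shared_login"]:
        print(f"shared login? {user} on {ws_a} then {ws_b} at {at.time()}")
    for e in result["after_hours"]:
        print(f"after hours: {e.user} viewed {e.patient} from {e.workstation} at {e.ts.time()}")
```

Each finding should become a line in an investigation log (who looked, what they concluded, what changed), because the point of the review is not the alert but the dated record that someone acted on it.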

6. Laptops and mobile devices aren't documented as encrypted

Multiple million-dollar settlements (Children's Medical Center at $3.2M, Lifespan at $1.04M, Concentra at $1.7M) trace back to lost or stolen unencrypted laptops. Encryption is an addressable specification under 45 CFR §164.312(a)(2)(iv): a practice may choose not to encrypt, but only if it documents why and what equivalent protection it implemented instead. In these cases the practice's own risk analysis said encryption was needed, the implementation never happened, and when the audit asked for encryption documentation there was none.

7. There is no written breach response plan

When something happens, the 60-day individual notification clock under the Breach Notification Rule starts at discovery, and discovery means the day the practice knew or reasonably should have known of the breach, not the day it finished investigating. Practices without a written plan often spend 30 days investigating before notifying counsel, then miss the deadline and end up out of compliance with the notification rule itself, compounding the underlying incident.

8. There's no record of workforce sanctions

Policy violations require documented enforcement under 45 CFR §164.530(e). If the practice has never sanctioned a workforce member for any HIPAA violation, either (a) the workforce is unprecedented in compliance history, or (b) the sanctions program is on paper only. Auditors assume (b).

9. Patient access requests don't follow a documented workflow

OCR's Right of Access Initiative has settled 45+ cases since 2019, with penalties typically $20,000 to $200,000. The pattern under 45 CFR §164.524: the patient requests records, the practice misses the 30-day window (one 30-day extension is allowed, with written notice to the patient) or charges fees beyond cost-based recovery, and the patient complains. The defense: a timestamped workflow, a defined fee structure, and named accountability.

10. Policies and procedures haven't been reviewed in years

HIPAA's administrative safeguards require ongoing review of policies and procedures, and 45 CFR §164.316(b)(2)(iii) requires documentation to be reviewed periodically and updated as the environment changes. A binder from 2019 fails. A document library with version control, dated reviews, and evidence of revision in response to operational changes passes.

What this list has in common

Every one of these is documentation work that should already exist in the practice. The audit doesn't create the gap. It finds it.

The practical implication: the worst time to start gathering documentation is the day the OCR notice arrives. The best time is now — when there's no pressure, no narrow window, and the program can be built deliberately rather than reactively.

Where Patient Protect fits

Patient Protect is built around closing these gaps continuously rather than annually. Where documentation-focused compliance platforms produce the policy library and training tracking, Patient Protect adds the active layer — real-time audit-log monitoring, vendor BAA tracking, workforce training enforcement, encryption verification, incident-response orchestration. The two complement each other. Most practices need both.


Patient Protect tracks the operational program continuously — risk analyses, BAAs, audit logs, training, encryption, incident response — and surfaces gaps before they become enforcement findings. Plans start at $39/month with a 14-day free trial.
