Top 10 Signs Your Practice Will Fail a HIPAA Audit
The ten warning signs auditors look for first when evaluating an independent practice. Each one is operational, observable, and fixable before the investigation begins.

Every front desk I have ever worked at had the same drawer, top right of the reception desk, behind the box of pens. The drawer holds sticky notes with passwords because there is no way one human can remember nine vendor passwords that rotate on different schedules. It holds a printed schedule for the day because the printer is faster than the EHR. It holds the patient I needed to call back about a billing question — name, number, sometimes a clinical note jotted in pencil — because the EHR doesn't let me write a "remember to call this person" note that isn't part of the chart. None of that is anyone failing at their job. All of it is what "just trying to get patients seen on a Tuesday" looks like when the tools don't keep up. The drawer is what the front desk had to invent to make the morning work, and the same is true of the binder nobody has time to open and the audit log nobody has been calendared to review. Those are the kinds of things OCR notices on a Tuesday afternoon when they walk through the office unannounced — not because the staff are failing, but because the workflow built itself around tools that never quite caught up with the workday.
1. The risk analysis is missing, older than 12 months, or scoped too narrowly
This is the single most-cited finding in OCR enforcement, and it is almost always less about the practice refusing to do the work than about nobody on staff having a recurring slot on the calendar to refresh it. HIPAA requires an "accurate and thorough" risk analysis under 45 CFR §164.308(a)(1)(ii)(A), and a document from 2022 that covers only the EHR isn't going to satisfy either the "current" half or the "thorough" half. The work that closes this gap is the office manager scheduling an annual half-day with whoever runs IT — and writing the next year's date on the calendar as soon as this year's is finished.
2. Workforce training records can't be produced on request
The training did happen most of the time, but the records are spread across an old LMS, a manila folder on a former office manager's desk, and an email account that got deactivated when somebody moved on — or the training was scheduled during a lunch hour when the biller couldn't step away from her insurance follow-ups, so the people who handle the most PHI in the building weren't in the room. Both situations are findings under 45 CFR §164.530(b), and both get fixed the same way — by putting training on the same system the practice uses for everything else, with completion timestamps and acknowledgments retained for the six-year documentation window.
3. The BAA list isn't current
A new lab integration went live six months ago and the BAA never made it back from the vendor's legal team, or the BAA was signed in 2019 and the vendor has since updated their template without re-circulating the new version, and now the office manager can't produce a current, complete BAA inventory when somebody finally asks. The Raleigh Orthopaedic Clinic case settled at $750,000 with no breach required, because the missing BAA was itself the violation. The way the inventory stays current in a busy practice is by giving the office manager a single folder, a single checklist, and a calendared reminder when something is coming up for renewal.
4. Audit logs exist but are never reviewed
The EHR is generating audit logs and the cloud platform is too, but nobody on staff has been calendared to open them, so they sit there accumulating unread. There's no documented review schedule, no record of investigations triggered by log anomalies, and no retention policy that anyone on staff could pull up. 45 CFR §164.312(b) requires audit controls, and OCR expects to see them used, which in practice means somebody — usually the office manager or whoever owns IT — has a fifteen-minute slot on a Friday afternoon to scan the log and flag anything that looks unusual (after-hours chart access, one login active on two workstations at once, a generic account doing work that should be attributable to a person).
5. Staff share logins
In one practice I worked in, the front desk shared a single login because the original IT vendor had set up the workstation that way in 2017 and nobody on staff knew how to undo it without paying him for an afternoon they hadn't budgeted. Three people checked patients in under "frontdesk1," took payments under "frontdesk1," and messaged the back operatories under "frontdesk1" — and when a patient called six months later to dispute a charge and ask who had processed it, the office manager genuinely could not say which of the three people had been on the workstation that afternoon because the log showed the shared account and nothing else. Audit logs that can't attribute actions to individuals don't meet the technical safeguard standard under 45 CFR §164.312(b), and the front desk team isn't doing anything wrong — they're working with the workstation that was set up for them five years before any of them got hired, which is a problem that gets fixed in an afternoon with the IT contractor once somebody owns the calendar.
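The Friday-afternoon log scan described in sign 4, and the attribution gap that a shared "frontdesk1" login creates in sign 5, can both be made concrete with a small review script. What follows is an added example, not code from Patient Protect or any EHR vendor. It assumes a pipe-delimited export in a made-up `timestamp|user|workstation|action|patient_id` format, a known list of generic accounts (`SHARED_ACCOUNTS`), and business hours of 07:00 to 19:00; all of the log lines are constructed. It flags three things a reviewer would want to see: after-hours chart access, any action performed under a shared account (which the log can never attribute to a person), and one login active on two different workstations within a five-minute window.

```python
"""Minimal EHR audit-log review (added example, not vendor code).

Assumed log format (constructed for this example):
    timestamp|user|workstation|action|patient_id
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Note the generic "frontdesk1" login checking in
# one patient on FD-03 and taking a payment on FD-02 within the same minute.
SAMPLE_LOG = """\
2024-03-05T08:02:11|jgarcia|FD-01|VIEW_CHART|P1001
2024-03-05T08:05:40|frontdesk1|FD-02|TAKE_PAYMENT|P1002
2024-03-05T08:06:02|frontdesk1|FD-03|CHECK_IN|P1003
2024-03-05T12:14:09|dr.lee|OP-02|EDIT_NOTE|P1004
2024-03-05T12:15:30|dr.lee|OP-04|VIEW_CHART|P1005
2024-03-05T23:41:55|jgarcia|FD-01|VIEW_CHART|P1009
"""

SHARED_ACCOUNTS = {"frontdesk1"}       # assumption: generic logins the practice knows about
BUSINESS_HOURS = (7, 19)               # assumption: 07:00 up to (not including) 19:00 local
CONCURRENT_WINDOW = timedelta(minutes=5)  # assumption: same user, two workstations, within 5 min


def parse_log(text):
    """Turn the pipe-delimited export into a list of dicts; blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, user, workstation, action, patient_id = raw.split("|")
        entries.append({
            "timestamp": datetime.fromisoformat(ts),
            "user": user,
            "workstation": workstation,
            "action": action,
            "patient_id": patient_id,
        })
    return entries


def review(entries):
    """Return one finding dict per rule hit; each finding carries the triggering entry."""
    findings = []
    start, end = BUSINESS_HOURS

    # Rules 1 and 2 look at each entry on its own.
    for e in entries:
        if not (start <= e["timestamp"].hour < end):
            findings.append({"rule": "after_hours", **e})
        if e["user"] in SHARED_ACCOUNTS:
            # A shared login cannot be attributed to an individual, whatever it did.
            findings.append({"rule": "shared_account", **e})

    # Rule 3 needs each user's events in time order: a person cannot be on two
    # workstations at once, so this usually means a shared or borrowed login.
    by_user = defaultdict(list)
    for e in entries:
        by_user[e["user"]].append(e)
    for events in by_user.values():
        events.sort(key=lambda e: e["timestamp"])
        for prev, cur in zip(events, events[1:]):
            moved = prev["workstation"] != cur["workstation"]
            if moved and cur["timestamp"] - prev["timestamp"] <= CONCURRENT_WINDOW:
                findings.append({
                    "rule": "concurrent_workstations",
                    "previous_workstation": prev["workstation"],
                    **cur,
                })
    return findings


def summarize(findings):
    """Count findings per rule, which is what goes in the review record."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    hits = review(parse_log(SAMPLE_LOG))
    for f in hits:
        print(f"{f['timestamp'].isoformat()} {f['rule']:24} {f['user']:12} "
              f"{f['workstation']} {f['action']} {f['patient_id']}")
    print(summarize(hits))
```

Printing the findings is only the start of the control: the review record OCR asks for is the dated note that somebody ran this, what was flagged, and what was done about each item. The `summarize` output is the line that belongs in that record, and a shared-account finding is also the prompt to get the IT contractor's afternoon onto the calendar.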
6. Laptops and mobile devices aren't documented as encrypted
Multiple million-dollar settlements (Children's Medical Center at $3.2M, Lifespan at $1.04M, Concentra at $1.7M) trace back to lost unencrypted laptops where the practice's own risk analysis had said encryption was recommended, but the implementation never made it onto somebody's calendar — and when the audit asks for the encryption documentation, there isn't any. The doctor who took the laptop home to finish her charts wasn't doing anything unreasonable; she was trying to get the day's notes done before she fell asleep, and the encryption that would have made a lost bag survivable was a thirty-minute IT task that nobody owned.
7. There is no written breach response plan
When something happens, the 60-day individual notification clock under the Breach Notification Rule starts at discovery. Practices without a written plan often waste 30 days investigating before notifying counsel — and end up out of compliance with the notification rule itself, compounding the underlying incident.
8. There's no record of workforce sanctions
Policy violations require documented enforcement under 45 CFR §164.530(e), and a practice that has never documented a sanction for any HIPAA issue across multiple years of operation is going to draw skeptical questions from OCR, because the agency is far more likely to assume the program exists only on paper than to believe the workforce has a perfect compliance history. The fix isn't about being punitive with the front desk team or the hygienists; it's about putting the small conversations on paper when they happen, so the documentation reflects the practice that's actually getting done.
9. Patient access requests don't follow a documented workflow
OCR's Right of Access Initiative has settled 45+ cases since 2019, with penalties typically $20,000–$200,000. The pattern is the same each time: a patient requests records, the practice misses the 30-day window under 45 CFR §164.524 or charges fees beyond cost-based recovery, and the patient complains. The defense is a timestamped request workflow, a defined fee structure, and a named person accountable for each request.
10. Policies and procedures haven't been reviewed in years
HIPAA's administrative safeguards require ongoing review of policies and procedures, which means the binder from 2019 — the one that pre-dates the current EHR and the tracking-pixel bulletin and the new vendors the practice has signed BAAs with since — isn't going to hold up when somebody asks. What does hold up is a document library that has version control, dated reviews that show somebody actually opened the policy on a real Wednesday afternoon, and evidence of revision when operational things change, all of which is procedural work that fits into a slow week if somebody owns the calendar for it.
What this list has in common
Every one of these is documentation work that should already exist in the practice, sitting in a folder or a system or a calendar somewhere, and the reason none of it does is almost always that nobody on staff has been given the calendar slot to build it. The staff at the front desk and the hygienists in the operatory aren't trying to fail an audit; they're trying to get patients seen on a Tuesday afternoon with a schedule that's already running ten minutes behind, and the documentation work waits because there's nothing on the day's list that says "today is the day we open the binder." The practical implication is that the worst time to start gathering documentation is the morning the OCR notice arrives in the mail, and the calendar time to start is whichever slow Wednesday is coming up next — when nobody is in crisis mode and the office manager can actually walk through the list with the front desk lead between hygiene checks.
Where Patient Protect fits
When I walk into a practice now, I still notice the drawer behind the pens, the binder on the high shelf, the training certificate pinned to the bulletin board from years ago — and I notice them with the affection of someone who has been the person at that front desk on a Tuesday afternoon. The staff aren't trying to fail an audit; they're trying to keep the morning from cascading and the afternoon from running over, and the documentation work waits because nothing on the schedule has carved out time for it. Patient Protect is what I would have wanted on my own desk during those years — a layer that watches the audit log nobody has time to open, tracks the BAA nobody has time to chase down the lab vendor for, and nudges the office manager when the training a new hire was supposed to finish in week one has slipped to week three. It is the office manager's spreadsheet, except it keeps itself current and surfaces what is actually open. Plans start at $39/month.
Patient Protect tracks the operational program continuously — risk analyses, BAAs, audit logs, training, encryption, incident response — and surfaces gaps before they become enforcement findings. Plans start at $39/month with a 14-day free trial.

