Awareness article

What Is a HIPAA Audit? The OCR Audit Program Explained

OCR conducts desk audits and on-site audits of covered entities and business associates. Most small clinics encounter OCR through complaint-driven investigations. This article explains what triggers OCR scrutiny, what OCR requests, and what outcomes look like.

Short answer

OCR enforces HIPAA through formal audits and through complaint-driven investigations. Both pathways request the same core documentation: policies, training records, risk analysis, BAA inventory, and access logs. Understanding what OCR looks for prepares a clinic for either type of review.

A HIPAA compliance audit from the Office for Civil Rights is not a routine inspection that every covered entity goes through on a fixed schedule. OCR does operate a formal audit program, but for most small clinics, the first encounter with OCR comes through a different pathway: a complaint from a patient, a breach report filed by the clinic itself, or — less commonly — news coverage of an incident.

Understanding both pathways matters because the documentation OCR requests is essentially the same regardless of how an investigation begins. Clinics that maintain that documentation routinely are in the best position when a request arrives.

The Formal OCR Audit Program

OCR launched its HIPAA audit program following a mandate in the HITECH Act. OCR has conducted multiple rounds of audits, selecting covered entities and business associates across a range of sizes, types, and geographic locations.

The audit program covers both Phase 1 (desk audits) and Phase 2 (on-site audits). Audit targets are selected based on entity type distribution (providers, plans, clearinghouses), size, and geography — not on known violations. Covered entities cannot treat audit readiness as optional on the assumption that they are too small to be selected.

In published audit reports, OCR found widespread deficiencies across multiple areas. Common findings across small and medium providers included:

  • Missing or outdated risk analyses
  • Incomplete business associate agreement inventories
  • Absent or undocumented security incident response procedures
  • Training documentation that lacked evidence of completion

Complaint-Driven Investigations: The More Common Path

The bulk of OCR enforcement activity stems from complaints filed by individuals — patients, family members, or workforce members. OCR receives thousands of complaints each year. It triages them, closes many for lack of jurisdiction or evidence, and opens formal investigations on a smaller subset.

Triggers for complaint-based investigations:

  • A patient believes their records were shared without authorization
  • A former employee believes they were retaliated against for raising compliance concerns
  • A patient received a bill containing another patient’s information
  • A clinic denied a patient’s access request without proper justification
  • A breach notification was received by a patient who then filed a complaint about the underlying incident

Breach reports as triggers: Any breach affecting 500 or more individuals in a state must be reported to OCR within 60 days under 45 CFR §164.408. These reports are publicly posted on the OCR breach portal. Once a breach is on the portal, it is visible to the public, to journalists, and to OCR investigators, who may open a broader compliance review in addition to investigating the breach itself.

Media coverage as a trigger: OCR monitors press coverage of healthcare data incidents. A news story about a clinic’s breach — even one not yet formally reported — can prompt OCR to open a preliminary inquiry.

What OCR Requests in a Desk Audit

Whether OCR initiates contact through the formal audit program or through a complaint investigation, the document request typically covers six core categories:

1. Privacy and security policies and procedures. OCR expects a complete, current set of written policies covering the Security Rule specifications (45 CFR §§164.308–164.316) and the Privacy Rule’s administrative requirements. Policies must reference the applicable regulation sections and be dated with the last review or revision date.

2. Workforce training records. OCR requests documentation showing which employees received training, on what content, and on what dates. Training logs must include employee names, training dates, and attestation or signature. Gaps in the training roster — employees who missed required training — are cited as separate findings.

3. Risk analysis documentation. The risk analysis required under 45 CFR §164.308(a)(1)(ii)(A) must be a thorough, documented assessment of potential risks and vulnerabilities to ePHI. OCR expects to see methodology, identified systems, identified threats, probability and impact assessments, and a risk management response. An undated analysis, an analysis that predates major system changes by several years, or a generic template that has not been customized to the practice will be cited as deficient.

4. Business associate agreement inventory. OCR requests a list of business associates and copies of executed BAAs. Every vendor that creates, receives, maintains, or transmits ePHI on the clinic’s behalf must have a signed BAA containing the required elements under 45 CFR §164.308(b). Missing BAAs — even for long-tenured vendors — are a common finding.

5. Access control logs and audit trail records. OCR may request user access logs showing who accessed patient records, when, and from which workstation. For an investigation involving alleged unauthorized access, these logs are the primary evidence. Audit log configurations that do not capture the required fields, or log retention that is shorter than six years, create evidentiary gaps.

6. Breach response documentation. For investigations triggered by a breach report, OCR requests the breach risk assessment, the determination of whether the incident met the breach definition, notification records (patient letters, media notices, OCR submissions), and timelines confirming the 60-day reporting window was met.
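The access-log expectations in item 5 (who, which record, when, from which workstation) and the six-year retention window can be checked mechanically before an export is sent in response to a request. The following is an added example, not code from the article; the field names, the JSON-lines export format and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime

# Fields a record must carry to answer "who accessed which record, when, and from
# which workstation" (the questions item 5 above says OCR asks). Assumed names.
REQUIRED_FIELDS = ("user_id", "timestamp", "patient_id", "workstation", "action")

# Minimum retention implied by the six-year window the article cites.
MIN_RETENTION_DAYS = 6 * 365

def check_record(record: dict) -> list:
    """Return the problems found in one access-log record (empty list if clean)."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not record.get(f)]
    ts = record.get("timestamp")
    if ts:
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            problems.append("timestamp not ISO 8601")
    return problems

def check_retention(config: dict) -> list:
    """Flag a log-retention setting shorter than the six-year window."""
    days = config.get("retention_days", 0)
    if days < MIN_RETENTION_DAYS:
        return [f"retention {days} days is below {MIN_RETENTION_DAYS}"]
    return []

def audit_export(lines, config) -> dict:
    """Validate a JSON-lines export; map line number (or 'retention') to problems."""
    findings = {}
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings[n] = ["unparseable line"]
            continue
        probs = check_record(rec)
        if probs:
            findings[n] = probs
    ret = check_retention(config)
    if ret:
        findings["retention"] = ret
    return findings

# Constructed sample export (not real data): line 2 lacks the workstation,
# line 3 carries a non-ISO timestamp.
SAMPLE_LINES = [
    '{"user_id": "nurse07", "timestamp": "2024-03-01T09:15:00Z", "patient_id": "P-1001", "workstation": "WS-FRONT-02", "action": "view"}',
    '{"user_id": "dr_lee", "timestamp": "2024-03-01T09:20:00Z", "patient_id": "P-1002", "action": "edit"}',
    '{"user_id": "billing01", "timestamp": "03/01/2024 9:30", "patient_id": "P-1003", "workstation": "WS-BILL-01", "action": "export"}',
]
SAMPLE_CONFIG = {"retention_days": 400}  # constructed: roughly a 13-month setting
```

Running `audit_export(SAMPLE_LINES, SAMPLE_CONFIG)` flags lines 2 and 3 and the short retention setting; a clean export with a compliant retention value returns an empty dict.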

Desk Audit vs. On-Site Audit: What to Expect

Desk audits are conducted remotely. OCR sends a letter through certified mail or a secure portal access request. The covered entity has a defined response window — typically 10 business days to several weeks — to upload responsive documents. OCR reviews the submissions and follows up with questions or requests for additional materials.

On-site audits involve one or more OCR investigators visiting the clinic’s facility. The agenda typically covers document review, staff interviews, and direct observation of physical safeguards — workstation positioning, facility access controls, device handling. On-site audits are more demanding to prepare for and produce findings across a broader scope.

The practical preparation is identical for both: the documentation must exist, be current, be accurate, and be retrievable on short notice.

Investigation Timelines

OCR operates with a significant case backlog. Simple complaint investigations that resolve without a breach finding may close in 6–12 months. Complex cases — large breach investigations, cases involving systemic policy failures, cases with multiple related complaints — can take two to four years. OCR does not publish guaranteed resolution timelines.

During an open investigation, the covered entity may receive multiple rounds of document requests, requests for additional clarification, and preliminary findings letters that invite the covered entity to respond before OCR issues a final determination.

Possible Outcomes

No action / case closed. OCR closes the investigation finding no violation or finding that the covered entity has already corrected the violation. OCR may issue technical assistance (guidance on how to address a potential gap) as part of this closure. No penalty is assessed.

Corrective action plan (CAP). OCR and the covered entity agree to a plan that requires the covered entity to complete specific remediation steps — updating a policy, conducting training, signing missing BAAs — within defined deadlines. OCR monitors completion. A CAP does not include a monetary penalty and is not publicly announced.

Resolution agreement. OCR and the covered entity enter a binding agreement that resolves the investigation. Resolution agreements typically include a monetary settlement and a structured corrective action plan with a compliance monitoring period of one to three years. Large resolution agreements are publicly announced on the HHS website.

Civil monetary penalty. OCR imposes a penalty without a negotiated agreement, typically after the covered entity declines to settle or after a formal hearing process. Civil monetary penalties are assessed on a tiered basis based on the covered entity’s knowledge of the violation, ranging from $100 to $50,000 per violation with annual caps. Willful neglect penalties are the highest tier.

For small practices, the corrective action plan is the most common outcome when OCR finds violations. The goal of OCR’s enforcement program is compliance improvement, not punishment for every finding. That said, willful neglect — knowing that a required safeguard is missing and doing nothing — carries mandatory civil monetary penalties regardless of practice size.

What Preparation Looks Like

The documentation OCR requests in audits and investigations is the same documentation that good compliance programs produce as a matter of routine:

  • A current risk analysis, updated when systems or operations change
  • A complete BAA inventory with executed agreements
  • Training records with completion dates and attestations
  • Written policies and procedures referencing applicable regulatory sections
  • Access control configurations that generate auditable logs
  • A documented incident response procedure and records of its use

Clinics that maintain these records routinely have a response ready when OCR contacts them. Clinics that begin assembling documentation after receiving an OCR letter are responding under time pressure — and their records, if hastily assembled, may lack the credibility that contemporaneous documentation carries.

FAQ

What triggers an OCR HIPAA investigation?

The most common triggers are a complaint filed by a patient or workforce member, a breach report submitted by the covered entity (required for breaches affecting 500 or more individuals), or media coverage of an incident. OCR also selects entities for its formal audit program based on entity size, type, and geographic distribution.

What is the difference between an OCR desk audit and an on-site audit?

A desk audit is conducted remotely. OCR sends a document request, and the covered entity responds through a secure portal or mail. An on-site audit involves OCR investigators visiting the covered entity's facilities to review documents, interview staff, and observe physical controls. On-site audits are more intensive and demand more of the clinic's resources.

How long does an OCR investigation take?

OCR has a significant backlog. Simple complaint investigations may resolve in 6–18 months. Complex cases involving large breaches or systemic failures can take years. OCR does not publish a standard timeline commitment.

What happens if OCR finds violations?

Outcomes include: no action if no violation is found, technical assistance if violations are minor and corrected, a corrective action plan (CAP) requiring documentation and follow-up, a resolution agreement with a monitoring period, or civil monetary penalties for willful neglect. Resolution agreements with large penalties are publicly announced. Small-practice CAPs often are not.

Does OCR investigate breaches affecting fewer than 500 individuals?

Yes. Covered entities must report breaches affecting fewer than 500 individuals to OCR on an annual basis. OCR can and does investigate small-scale breaches. These investigations are less common than large-breach investigations but do occur, particularly when a patient complaint accompanies the breach report.
