
HIPAA Compliance Audit: What OCR Looks For and How to Prepare

Last updated: March 21, 2026

TLDR

HIPAA audits come in two forms: OCR desk audits (government-initiated, document-based) and internal self-audits that every covered entity should run annually. The most common OCR finding is no documented risk assessment. To pass an audit, you need five categories of documentation ready: risk assessment, written policies, training records, BAA inventory, and incident response documentation. Size and specialty provide no exemption.

What Is a HIPAA Compliance Audit

A HIPAA compliance audit is a formal evaluation of whether a covered entity or business associate meets the requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

There are two distinct types. The first is an OCR audit — a government-initiated review that can happen to any covered entity without a complaint or breach serving as the trigger. The second is an internal self-audit — a periodic review the practice runs on itself to identify and fix gaps before OCR does.

Most practices only think about audits in the context of OCR enforcement. The more useful frame is internal audits: a disciplined annual review of your documentation, access controls, training records, and vendor agreements. Practices that run internal audits are far better positioned if OCR ever does come calling.

OCR Audits: What They Look For

The Office for Civil Rights launched its formal audit program in 2011 (Phase 1) and expanded it in 2016 (Phase 2), covering both covered entities and business associates. OCR can audit any covered entity regardless of size, specialty, or prior compliance history.

How OCR selects audit targets. The pool of potential audit targets is drawn from OCR’s database of covered entities. Selection considers size, type (provider, health plan, clearinghouse), and geography to create a representative sample. Being selected for an audit does not mean OCR suspects wrongdoing — it may simply be your turn in the rotation.

What a desk audit looks like. OCR sends a formal document request specifying what you must provide and the deadline for submission (typically 10 business days). All responses are submitted through an online audit portal. OCR reviews submissions and issues a preliminary findings letter. You have an opportunity to respond before final findings are issued.

What OCR asks for in desk audits — the standard document request covers five areas:

  1. Security risk assessment. Your most recent documented risk assessment and any risk management plan or remediation actions taken from it. This is the single most reviewed document. The most common audit finding across Phase 1 and Phase 2 was the absence of a documented risk assessment.

  2. Policies and procedures. Written privacy and security policies covering access control, workforce training, breach response, minimum necessary use, and patient rights. Policies must be in writing — verbal or informal practices do not satisfy the requirement.

  3. Training records. Evidence that workforce members received HIPAA training. OCR looks for: training dates, a list of which employees completed training, the topics covered, and — for smaller practices — how new hires are trained before they access PHI.

  4. Business associate agreements. A list of your business associates and copies of signed BAAs. If you cannot produce a BAA for a vendor that handles PHI, that gap is a finding.

  5. Incident documentation. Records of any security incidents or breaches that occurred during the audit period, how they were identified, and how they were handled.

Internal HIPAA Audits: What Small Practices Should Review Annually

An internal audit is not an external requirement — it is a practice discipline. HIPAA does not mandate formal internal audits on a specific schedule. What HIPAA does require is that covered entities regularly review and update their security risk assessment, policies, and training. An annual structured review satisfies those requirements and produces documentation you can use if OCR asks questions.

A practical internal audit for a small practice covers six areas:

1. Security risk assessment. Review and update your risk assessment to reflect any changes in the past year: new staff, new systems, new workflows, new vendors. Document the review date and any changes made. A risk assessment that has not been reviewed in more than a year is a compliance gap.

2. Policies and procedures. Pull your written HIPAA policies and check them against current practice. Have your workflows changed? Did you adopt a new tool that affects how PHI is stored or transmitted? Update policies to match reality. Policies that describe how you used to operate rather than how you currently operate create audit risk.

3. Access controls. Review who has access to which systems — EHR, billing software, email, cloud storage. Confirm that former employees and contractors have had access de-provisioned. Check that access levels match current job roles. Over-provisioned access is a common finding.

4. BAA inventory. List every vendor that handles PHI and verify that a signed, current BAA is on file. If a vendor was added during the year without a BAA, execute one immediately. If a vendor’s terms of service changed, review whether the existing BAA still covers the current arrangement.

5. Training records. Confirm that all current workforce members have completed HIPAA training and that new hires received training before accessing PHI. Document the training format, dates, and participants.

6. Breach and incident review. Review any security incidents from the past year — even minor ones — and confirm they were documented and assessed properly. Confirm your breach notification process is current and that staff know what to report and to whom.
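Item 3, the access-control review, is the one step in this list that reduces to a mechanical cross-check: every account in every system should trace back to a current workforce member, and its permission level should not exceed what that person's job requires. The script below is an added example, not code from this page or from PHIGuard, of how a small practice could run that check from exports it already has. The roster, the per-role baseline, the permission tiers and the account rows are constructed sample data with assumed system and role names; substitute your own HR list and system exports. It goes slightly beyond the text by also flagging enabled accounts that have not been used in 90 days, which in practice is how a changed job role usually shows up.

```python
"""Annual access review: cross-check each system's account export against
the HR roster and a per-role access baseline, and flag the gaps an auditor
would ask about. All data below is constructed, not real practice records."""
from dataclasses import dataclass
from datetime import date

AS_OF = date(2026, 3, 21)   # review date (assumed)
DORMANT_DAYS = 90           # assumed threshold for "unused" accounts

# Constructed HR roster: current workforce and job role.
ROSTER = {
    "alice": {"role": "physician", "active": True},
    "bob": {"role": "front_desk", "active": True},
    "carol": {"role": "billing", "active": True},
    "dave": {"role": "front_desk", "active": False},  # left in January
}

# Assumed baseline: the highest permission level each role should hold in
# each system. A system missing from a role means that role gets no access.
BASELINE = {
    "physician": {"ehr": "clinical", "email": "user"},
    "front_desk": {"ehr": "scheduling", "email": "user"},
    "billing": {"ehr": "scheduling", "billing": "full", "email": "user"},
}

# Permission tiers per system, ordered from least to most privileged.
TIERS = {
    "ehr": ["scheduling", "clinical", "admin"],
    "billing": ["readonly", "full", "admin"],
    "email": ["user", "admin"],
}

# Constructed account exports: (username, permission level, last login).
ACCOUNTS = {
    "ehr": [
        ("alice", "clinical", date(2026, 3, 18)),
        ("bob", "admin", date(2026, 3, 19)),            # front desk with admin
        ("carol", "scheduling", date(2026, 3, 1)),
        ("dave", "scheduling", date(2026, 1, 9)),       # terminated, still enabled
        ("vendor_support", "admin", date(2025, 8, 2)),  # nobody on the roster
    ],
    "billing": [
        ("carol", "full", date(2026, 3, 20)),
        ("alice", "readonly", date(2025, 6, 1)),        # physicians get no billing access
    ],
    "email": [
        ("alice", "user", date(2026, 3, 20)),
        ("bob", "user", date(2026, 3, 21)),
        ("carol", "user", date(2025, 12, 1)),           # not used in months
        ("dave", "user", date(2026, 1, 9)),
    ],
}


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    kind: str    # orphaned | over_provisioned | not_in_baseline | dormant
    detail: str


def review_access(roster, baseline, tiers, accounts, as_of, dormant_days):
    """Return one Finding per gap between actual and expected access."""
    findings = []
    for system, rows in accounts.items():
        order = tiers[system]
        for user, level, last_login in rows:
            person = roster.get(user)
            # 1. Accounts with no active owner: terminated staff, contractors,
            #    shared or vendor logins nobody is accountable for.
            if person is None or not person["active"]:
                why = "not on roster" if person is None else "no longer employed"
                findings.append(Finding(system, user, "orphaned", why))
                continue
            # 2. Access the role should not have at all, or held at a higher
            #    tier than the baseline allows (unknown tiers count as too high).
            allowed = baseline.get(person["role"], {}).get(system)
            if allowed is None:
                findings.append(Finding(system, user, "not_in_baseline",
                                        f"role {person['role']} has no {system} access"))
            elif level not in order or order.index(level) > order.index(allowed):
                findings.append(Finding(system, user, "over_provisioned",
                                        f"has {level}, baseline is {allowed}"))
            # 3. Enabled but unused accounts: often a job change whose old
            #    access was never removed.
            idle = (as_of - last_login).days
            if idle > dormant_days:
                findings.append(Finding(system, user, "dormant",
                                        f"last login {idle} days ago"))
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(ROSTER, BASELINE, TIERS, ACCOUNTS, AS_OF, DORMANT_DAYS)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.system:8} {f.account:15} {f.kind:16} {f.detail}")
```

Each finding maps to an action you can document for the audit file: disable the orphaned account, reduce the over-provisioned one to the baseline tier, and either justify or remove the dormant one. Keeping the dated output of this review alongside the roster it was run against is the evidence OCR asks for when it checks that access is reviewed.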

The Documents You Need to Have Ready

If OCR contacts you for an audit or investigation, response time is short. Practices that are audit-ready have these documents organized and retrievable:

Document, and what it covers:

Security risk assessment: most recent version, date of last review, risk management actions taken
Privacy and security policies: written, current, covering all required HIPAA topics
Training records: dates, participants, topics, format (online, in-person, etc.)
BAA log: vendor name, services, PHI types, agreement date, expiration
Incident log: all security incidents reviewed, assessment of whether each constituted a breach, notification actions taken
Breach notification records: for each actual breach, the dates, affected individuals, notification method, and OCR report if required

These are not complex documents. They do not require outside legal counsel to create. What they require is the discipline to create them and keep them updated.

How to Stay Audit-Ready Without a Compliance Officer

Most small practices cannot justify a full-time HIPAA compliance officer. The compliance responsibility typically falls on the practice administrator or office manager alongside their other duties. The goal is not perfection — it is a documented, consistent compliance program that demonstrates good-faith effort.

Three practices that make audit readiness manageable at small scale:

Centralize your compliance documentation. Store your risk assessment, policies, training records, BAA log, and incident log in one location — a shared drive folder, a binder, a dedicated tool. When OCR asks for documents, you should not be searching across email threads and desk drawers.

Put audit tasks on a calendar. The annual risk assessment review, BAA renewal checks, and training refresher are not things most practices will do spontaneously. Scheduling them as recurring calendar events is the difference between a practice that stays current and one that drifts.

Use tools that maintain compliance records by default. PHIGuard tracks BAA status, maintains an audit log of all task activity, and stores documentation in a HIPAA-compliant environment. The audit trail is automatic — you do not need to remember to document routine activity because the platform records it.

The practices most at risk in an OCR audit are not the ones with occasional gaps — they are the ones with no documentation at all. A well-maintained paper trail showing consistent effort is OCR’s baseline expectation for a small covered entity.


DEFINITION

OCR (Office for Civil Rights)
The division of the US Department of Health and Human Services responsible for enforcing the HIPAA Privacy and Security Rules. OCR investigates complaints, conducts audits, and can impose civil monetary penalties.

DEFINITION

Desk Audit
A HIPAA compliance audit conducted remotely. OCR sends a document request and reviews submitted materials without visiting the covered entity's physical location. Most OCR audits are desk audits.

DEFINITION

Corrective Action Plan (CAP)
A remediation agreement between OCR and a covered entity or business associate following an audit finding or investigation. The CAP specifies what the organization must fix, how, and by when. OCR monitors compliance with the plan.

DEFINITION

Security Risk Assessment
A required HIPAA Security Rule analysis of potential risks to the confidentiality, integrity, and availability of all electronic PHI a covered entity creates, receives, maintains, or transmits. It must be documented and reviewed periodically; the Rule does not fix a frequency, and an annual review is the commonly used baseline.

Q&A

What is a HIPAA compliance audit?

A HIPAA compliance audit is a formal review of whether a covered entity or business associate meets the requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. OCR runs a national audit program that selects covered entities for desk audits — remote document reviews — without requiring a specific complaint or breach trigger. Internal self-audits are a separate practice that covered entities should conduct annually as part of their own compliance program.

Q&A

What documents does OCR request in a HIPAA audit?

OCR desk audits typically request: the most recent security risk assessment and any risk management plans derived from it; written privacy and security policies and procedures; evidence of workforce HIPAA training (dates, attendees, topics covered); a list of business associates and copies of signed BAAs; and breach and security incident response documentation. Practices that maintain these documents in an organized format can respond to a request in days. Those without organized documentation often need weeks.

Q&A

What should a small practice review in an internal HIPAA audit?

An annual internal HIPAA audit for a small practice should cover six areas: (1) update and document the security risk assessment, (2) review and update written privacy and security policies, (3) verify access controls — who has access to which systems and whether former employees have been de-provisioned, (4) confirm all business associates have current signed BAAs, (5) review training records and schedule training for new hires or policy changes, and (6) test the breach identification and notification process.

Want to learn more?

How does OCR select which practices to audit?
OCR can audit any covered entity or business associate. In practice, audit targets are selected from a pool of covered entities based on size, type, and geography to create a representative sample. Complaint investigations and post-breach reviews are separate from the audit program and are triggered by specific incidents rather than random selection.

What is the difference between an OCR audit and an OCR investigation?
An OCR audit is a proactive compliance review that OCR initiates; you may be selected even if no complaint or breach has occurred. An OCR investigation is triggered by a specific complaint from a patient or workforce member, or by a breach report. Both can result in corrective action plans and fines, but they have different triggers.

How long does a HIPAA audit take?
Desk audits typically run 30 to 90 days from the initial document request to a preliminary findings letter. On-site audits, which are rare, take longer, often several months including follow-up. The documentation request alone can take two to three weeks to respond to if records are not already organized.

Can a small practice fail a HIPAA audit?
Yes. OCR does not exempt small practices from audit requirements, and the most common audit finding, no documented risk assessment, applies equally to solo practitioners and large group practices. OCR has issued corrective action plans and fines to practices with fewer than five providers.

What does OCR do if they find violations during an audit?
If OCR identifies compliance gaps, they typically issue a corrective action plan requiring the covered entity to remediate specific deficiencies within a defined timeframe. Fines are more common when OCR finds willful neglect or repeated violations. First-time findings of technical noncompliance with no evidence of harm often result in corrective action plans rather than immediate fines.
