5 min read · Compliance & Enforcement

How to Prepare for a HIPAA Audit

[Image: compliance officer reviewing audit documentation and regulatory files]
Caption: The first thing OCR investigators request is your security risk analysis — the cornerstone of your compliance programme.

The letter arrives without warning. The HHS Office for Civil Rights has received a complaint or identified a potential violation, and your organisation has been selected for a compliance review or investigation. What happens next can determine whether your organisation faces a corrective action plan or a seven-figure penalty.

Here is what OCR investigators actually look for — and how to be ready before the letter ever arrives.

Types of OCR Actions

OCR handles HIPAA enforcement through several mechanisms:

Complaint Investigations

Triggered by a complaint from a patient, employee, or other individual. OCR reviews the complaint and determines whether an investigation is warranted.

Compliance Reviews

Initiated by OCR itself, often in response to a reported breach or a pattern of complaints. These are broader in scope and more intensive.

Desk Reviews

A preliminary review where OCR requests documents — policies, procedures, risk analyses, training records — without conducting an on-site visit.

On-Site Investigations

OCR investigators visit the organisation to interview staff, inspect facilities, review systems, and assess safeguards firsthand.

What Investigators Request First

When OCR opens an investigation, the initial document request typically includes:

1. Risk Analysis

The very first thing investigators ask for is your security risk analysis. This is the cornerstone of your compliance programme. If you cannot produce a current, comprehensive risk analysis, the investigation starts on a negative note — and it only gets harder from there.

2. Policies and Procedures

All written privacy and security policies, breach notification procedures, sanction policies, and workforce training materials.

3. Business Associate Agreements

Executed BAAs for every vendor, contractor, or subcontractor that accesses PHI on your behalf.

4. Training Records

Documentation showing that all workforce members have received HIPAA training, including dates, content covered, and attendance records.

5. Breach Documentation

Records of any breaches that have occurred, including the risk assessment performed, notifications sent, and corrective actions taken.

6. Audit Logs

System access logs showing who accessed what PHI and when, along with documentation of your log review process.

7. Incident Reports

Any internal reports of potential violations, security incidents, or policy breaches, along with the organisation's response.

How to Prepare Before an Audit

[Image: healthcare team meeting to discuss audit preparation]
Caption: Conducting regular self-audits is the single most effective way to prepare for an OCR investigation.

Maintain a Compliance Binder

Keep a master compliance binder — physical or digital — that contains:

  • Current risk analysis and remediation plan
  • All policies and procedures (dated and versioned)
  • Business associate inventory with signed BAAs
  • Training records for all workforce members
  • Breach incident log with documentation
  • Sanction records
  • Evidence of ongoing compliance activities

Conduct Self-Audits

Do not wait for OCR. Conduct your own internal audits at least annually:

  • Review access controls and remove unnecessary permissions
  • Test incident response procedures
  • Verify that all BAAs are current and complete
  • Assess physical safeguards
  • Review audit logs for unusual activity
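The "Audit Logs" document request above and the self-audit steps "review access controls and remove unnecessary permissions" and "review audit logs for unusual activity" are both easier to evidence when the review is a repeatable script rather than an ad-hoc scan. The following is an added example, not code from the article or its publisher: it runs over a constructed PHI access log and a constructed account inventory and flags after-hours access by non-clinical roles, bulk record access by one user in a day, and PHI-role accounts that have not been used in 90 days. The log format, role names, thresholds and account list are all assumptions chosen for illustration.

```python
"""
Self-audit helper for PHI access logs (added example, not the article's own code).

Reads constructed sample records and flags the kinds of "unusual activity"
a self-audit looks for, plus accounts whose PHI permissions look unnecessary
because they are never exercised. Field layout, role names and thresholds
are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, role, patient_id, action (one record per line).
SAMPLE_LOG = """\
2025-03-03T09:12:00,nurse_a,nurse,P-1001,view
2025-03-03T09:40:00,nurse_a,nurse,P-1002,view
2025-03-03T10:05:00,dr_b,physician,P-1001,update
2025-03-03T23:30:00,billing_c,billing,P-1003,view
2025-03-04T08:00:00,nurse_a,nurse,P-1003,view
2025-03-04T08:01:00,nurse_a,nurse,P-1004,view
2025-03-04T08:02:00,nurse_a,nurse,P-1005,view
2025-03-04T08:03:00,nurse_a,nurse,P-1006,view
2025-03-04T08:04:00,nurse_a,nurse,P-1007,view
2025-03-04T08:05:00,nurse_a,nurse,P-1008,view
2025-03-04T11:15:00,dr_b,physician,P-1002,view
"""

# Constructed account inventory: every account that currently holds a PHI-access role.
PHI_ACCOUNTS = {"nurse_a", "dr_b", "billing_c", "intern_d"}

# Assumed policy parameters (tune to your own environment).
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 is treated as in-hours
BULK_THRESHOLD = 5             # distinct patients per user per calendar day
STALE_DAYS = 90                # days without any PHI access before a role is questioned


def parse_log(text):
    """Parse the comma-separated sample format into dicts with a real datetime."""
    records = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records


def after_hours_access(records, clinical_roles=("nurse", "physician")):
    """Non-clinical staff touching PHI outside business hours."""
    return [r for r in records
            if r["role"] not in clinical_roles and r["ts"].hour not in BUSINESS_HOURS]


def bulk_access(records, threshold=BULK_THRESHOLD):
    """(user, day) pairs where one user opened more distinct patients than allowed."""
    per_day = defaultdict(set)
    for r in records:
        per_day[(r["user"], r["ts"].date())].add(r["patient"])
    return {key: len(patients) for key, patients in per_day.items() if len(patients) > threshold}


def stale_accounts(records, accounts, as_of, days=STALE_DAYS):
    """Accounts holding a PHI role with no access in the last `days` days (candidates for removal)."""
    last_seen = {}
    for r in records:
        last_seen[r["user"]] = max(last_seen.get(r["user"], r["ts"]), r["ts"])
    cutoff = as_of - timedelta(days=days)
    return sorted(u for u in accounts if last_seen.get(u, datetime.min) < cutoff)


def self_audit(text=SAMPLE_LOG, accounts=PHI_ACCOUNTS, as_of=datetime(2025, 4, 15)):
    """Run all three checks and return plain-data findings suitable for the compliance binder."""
    records = parse_log(text)
    return {
        "after_hours": [(r["user"], r["ts"].isoformat()) for r in after_hours_access(records)],
        "bulk": {f"{user}@{day}": n for (user, day), n in bulk_access(records).items()},
        "stale": stale_accounts(records, accounts, as_of),
    }


if __name__ == "__main__":
    for finding, items in self_audit().items():
        print(finding, items)
```

Each finding is deliberately returned as plain data rather than only printed, so the same run can be saved with its date as evidence of the log-review process investigators ask about. The thresholds are starting points; the documented reasoning behind whatever values you adopt is itself part of the evidence.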

Designate a Privacy Officer

HIPAA requires the designation of a privacy officer. This person should:

  • Be the point of contact for OCR communications
  • Maintain compliance documentation
  • Coordinate workforce training
  • Oversee breach response procedures
  • Stay current on regulatory changes

Practise Your Response

When OCR calls, time is critical. Practise your response protocol:

  1. Notify the privacy officer immediately
  2. Preserve all relevant documents and data
  3. Engage legal counsel experienced in HIPAA matters
  4. Gather the requested documents within the specified timeframe
  5. Prepare staff for potential interviews

Common Findings That Escalate Investigations

Incomplete Risk Analysis

A risk analysis that only covers some systems or fails to address all three safeguard categories (administrative, physical, and technical) is insufficient.

Stale Policies

Policies that have not been updated in years — or do not reflect current operations — signal a compliance programme that is not actively maintained.

Missing BAAs

Even one vendor without a signed BAA is a violation. Investigators will review your complete vendor list.

No Evidence of Training

Verbal assurances that training occurred are not enough. You need attendance records, training materials, and dates.

Failure to Address Previous Findings

If OCR has previously identified deficiencies and they have not been corrected, the penalties escalate dramatically — into the willful neglect tiers.

During the Investigation

Be Cooperative

OCR investigators are professionals doing their job. Cooperative, transparent organisations fare significantly better than those that are evasive or adversarial.

Be Accurate

Never misrepresent your compliance efforts. If a policy is new, say so. If a gap exists, acknowledge it and present your remediation plan.

Be Organised

Provide requested documents promptly and in an organised manner. Making investigators dig for information creates unnecessary friction.

Be Proactive

If you identify deficiencies during the investigation, begin addressing them immediately. Demonstrating good-faith corrective action can influence the outcome.

After the Investigation

If OCR identifies violations, the possible outcomes, from least to most severe, are:

  • Technical assistance — OCR provides guidance on correcting deficiencies without penalties
  • Corrective action plan — A formal agreement to address specific deficiencies within a defined timeline
  • Resolution agreement — A settlement that includes a monetary payment and a corrective action plan
  • Civil money penalty — Financial penalties assessed when violations are significant or the entity is uncooperative

The difference between these outcomes often comes down to the quality of your compliance programme before the investigation began.


Article by

HIPAA Guidelines Editorial Team

The editorial team at HIPAA Guidelines researches and writes authoritative guides on HIPAA compliance, privacy regulations, and healthcare data protection.
