OCR HIPAA Audit: How to Prepare Your Practice
by 4MEDNET Team
March 6, 2026
HIPAA Compliance

A small radiology provider in California had never conducted a HIPAA risk analysis. Not once. When patient data from over 21,000 records was exposed on an unsecured PACS server, OCR investigated and found exactly what you would expect: no risk analysis, no security measures, no breach notification procedures. The penalty: $5,000 plus a two-year corrective action plan with ongoing OCR monitoring.

Five thousand dollars sounds manageable. But the corrective action plan — annual risk assessments, policy development, staff training, quarterly reporting to OCR for two years — costs far more in time and resources than doing it right from the start.

Risk analysis failures appeared in 13 of the last 20 OCR enforcement actions. In the most recent HIPAA audit cycle, 86% of covered entities and 83% of business associates failed the risk analysis component. OCR is not going after exotic violations. They are penalizing practices for the basics — the fundamentals that every practice should have in place but most do not.

What Triggers an OCR Investigation

OCR investigations come from four sources:

Patient or employee complaints. The most common trigger. Anyone can file a complaint with OCR within 180 days of discovering a potential HIPAA violation. A patient who cannot get their medical records within 30 days. An employee who notices PHI left visible in a public area. A former staff member who reports that the practice never changed access credentials after they were terminated.

Breach reports. Breaches affecting 500 or more individuals must be reported to OCR within 60 days and are posted on the "Wall of Shame" (the HHS Breach Portal). These reports trigger near-automatic investigation. Smaller breaches (under 500 individuals) must be reported annually by March 1 of the following year.

The HIPAA Audit Program. OCR's current 2024-2025 audit cycle is reviewing 50 covered entities and business associates on Security Rule provisions related to hacking and ransomware. Selection is proactive, not complaint-driven. You can be audited without any complaint or breach — simply because your name was drawn.

The Risk Analysis Initiative. Launched in fall 2024, this OCR initiative specifically targets practices with inadequate risk analyses. In its first six months, the initiative produced seven enforcement actions. OCR has stated it aims to "increase the number of completed investigations" through this program.

What OCR Looks For

OCR follows the HHS Audit Protocol covering the Privacy Rule, Security Rule, and Breach Notification Rule. Here are the 10 areas that matter most for small practices:

1. Risk analysis. The number one finding in enforcement actions. Your risk analysis must be enterprise-wide, specific to your operations, and current. It must inventory every system that creates, receives, transmits, or maintains ePHI. Generic template forms and IT-only assessments that skip administrative and workforce processes are flagged as deficient. If you have not done a risk assessment in the past 12 months — or ever — this is your biggest exposure.

2. Risk management plan. A risk analysis identifies vulnerabilities. A risk management plan documents what you are doing about them — specific remediation steps with timelines and responsible parties. Finding a risk without a plan to address it is almost as bad as not looking.

3. Policies and procedures. Written, current, and reviewed regularly. Not policies that exist on paper while the practice operates differently. OCR checks whether policies are actually followed — not just whether they exist.

4. Training records. Documentation proving all workforce members received HIPAA training: dates, participants, topics covered, and signed acknowledgments. "We trained everyone but did not write it down" is treated the same as "we did not train anyone."

5. Business Associate Agreements. A current inventory of all vendors who access PHI, with executed, up-to-date BAAs on file. BAAs that are outdated, missing key provisions, or absent entirely are a consistent enforcement finding.

6. Breach notification procedures. A documented process for identifying, investigating, and reporting breaches — including the four-factor risk assessment required by 45 CFR 164.402(2) to determine whether a breach is reportable.

7. Access controls. Role-based access with unique user IDs for every workforce member. No shared passwords. Automatic logoff on inactive workstations. Multi-factor authentication where applicable. Evidence that terminated employees have access revoked promptly — the Guam Memorial Hospital case ($25,000 penalty) specifically cited former employees accessing ePHI after employment ended.

8. Encryption. ePHI encrypted at rest and in transit. The current rule classifies encryption as "addressable" (meaning you can document why you chose not to implement it), but the proposed 2026 HIPAA Security Rule would make it mandatory with no exceptions.

9. Audit logs. Mechanisms to track who accessed ePHI, when, and from where. Without audit logs, you cannot investigate incidents, respond to complaints, or demonstrate compliance to OCR.

10. Incident response plan. Written procedures for responding to security incidents — and evidence that the plan has been tested. Untested contingency plans are a recurring deficiency.
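Items 7 and 9 above both come down to the same evidence question: can you show, from system records, who touched ePHI and whether any of them should no longer have had access? The following script is an added illustration (not code from 4MEDNET or from OCR's audit protocol) of that review: it reads a constructed CSV-style ePHI access log, compares it against a constructed HR roster and termination list, and reports any access on or after a user's termination date as well as any account in the log that HR does not recognize. The column names, user IDs, and timestamps are all assumptions for the example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample ePHI access log (CSV); not from any real system or patient.
ACCESS_LOG = """\
user_id,timestamp,record_id,source_ip
jdoe,2026-01-05T09:12:00Z,MRN-1001,10.0.0.15
asmith,2026-01-05T09:30:00Z,MRN-1002,10.0.0.22
jdoe,2026-01-20T22:05:00Z,MRN-1003,198.51.100.7
jdoe,2026-01-21T07:40:00Z,MRN-1004,198.51.100.7
asmith,2026-01-21T08:00:00Z,MRN-1005,10.0.0.22
svc_legacy,2026-02-02T14:45:00Z,MRN-1006,10.0.0.31
"""

# Constructed HR data: currently active workforce and termination dates (UTC).
ACTIVE_WORKFORCE = {"asmith", "bkim"}
TERMINATIONS = {"jdoe": datetime(2026, 1, 10, tzinfo=timezone.utc)}


def parse_timestamp(value):
    """Parse the log's ISO-8601 UTC timestamp into a timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_log(log_text):
    """Read the CSV log into a list of dicts with parsed timestamps."""
    rows = []
    for row in csv.DictReader(io.StringIO(log_text)):
        row["timestamp"] = parse_timestamp(row["timestamp"])
        rows.append(row)
    return rows


def post_termination_access(rows, terminations):
    """Return log rows where a terminated user accessed ePHI on or after their termination date."""
    findings = []
    for row in rows:
        term = terminations.get(row["user_id"])
        if term is not None and row["timestamp"] >= term:
            findings.append({
                "user_id": row["user_id"],
                "record_id": row["record_id"],
                "source_ip": row["source_ip"],
                "days_after_termination": (row["timestamp"] - term).days,
            })
    return findings


def unrecognized_accounts(rows, active_workforce, terminations):
    """Return user IDs seen in the log that HR lists as neither active nor terminated."""
    known = set(active_workforce) | set(terminations)
    return sorted({row["user_id"] for row in rows} - known)


def review(log_text, active_workforce, terminations):
    """Run both checks and return the findings for the compliance file."""
    rows = load_log(log_text)
    return {
        "post_termination": post_termination_access(rows, terminations),
        "unrecognized": unrecognized_accounts(rows, active_workforce, terminations),
    }


if __name__ == "__main__":
    result = review(ACCESS_LOG, ACTIVE_WORKFORCE, TERMINATIONS)
    for f in result["post_termination"]:
        print(f"POST-TERMINATION ACCESS: {f['user_id']} read {f['record_id']} "
              f"from {f['source_ip']} {f['days_after_termination']} day(s) after termination")
    for u in result["unrecognized"]:
        print(f"UNRECOGNIZED ACCOUNT: {u} accessed ePHI but is not on the workforce roster")
```

Run against the sample data, the script flags two reads by jdoe after the January 10 termination date and one account (svc_legacy) that HR cannot account for. A real review would pull the log export from the EHR or PACS and the roster from HR on a fixed schedule, and keep the output with the date it was run; that dated output is the kind of evidence OCR asks for under items 7 and 9.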

The Investigation Process

If OCR opens an investigation, here is what to expect:

Step 1: Notification. OCR sends an email outlining the facts and potential violations, followed by a document request.

Step 2: Document production. You have 10 to 30 days (typically about two weeks) to produce your policies, risk analysis, training records, BAAs, incident timelines, and evidence of mitigation. This is where preparation pays off — or where its absence becomes obvious.

Step 3: Review. OCR analyzes your submissions against the audit protocol. For desk audits (remote reviews), this phase can take weeks to months.

Step 4: On-site visit (if applicable). Complex cases may involve a 3-5 day on-site audit with interviews and facility tours.

Step 5: Draft findings. OCR shares preliminary findings and gives you an opportunity to respond.

Step 6: Resolution. The investigation closes through one of four outcomes: no violation found, technical assistance (OCR coaches you on compliance), a resolution agreement (settlement plus corrective action plan), or a civil money penalty.

Simple investigations can resolve in months. Complex cases routinely take one to three years. OCR has a six-year statute of limitations from the date of the violation.

Recent Penalties That Should Concern Small Practices

OCR does not only go after large health systems. Small practices face enforcement regularly:

  • Vision Upright MRI ($5,000 + 2-year CAP): Small radiology provider. Never conducted a risk analysis. 21,000+ records exposed on unsecured PACS.
  • Bryan County Ambulance Authority ($90,000 + 3-year CAP): EMS provider. Ransomware attack. No risk analysis. 14,273 patients affected.
  • Elgon Information Systems ($80,000 + 3-year CAP): Small business associate. Ransomware. 31,248 patients. No risk analysis.
  • Cascade Eye and Skin Centers ($250,000 + 2-year CAP): Eye and skin clinic. Ransomware. 291,000 files. No risk analysis, insufficient monitoring.
  • USR Holdings ($337,750 + 2-year monitoring): Business associate. Unauthorized access and deletion of ePHI for 2,903 individuals.
  • Lafourche Medical Group ($480,000): Phishing attack. 34,862 patients. No risk analysis, no training program, no system activity monitoring.

The pattern: every case includes risk analysis failure. Every settlement includes a corrective action plan requiring the practice to do what it should have done from the beginning. The penalty is the price of procrastination.

The 2026 HIPAA Security Rule and Audits

The proposed rule (expected final by May 2026) would change audit expectations significantly:

  • All requirements become mandatory. The distinction between "required" and "addressable" is eliminated. You cannot document why you chose not to encrypt — you must encrypt.
  • Technology asset inventory. You must maintain a complete inventory of every device and system that touches ePHI, updated at least every 12 months.
  • Annual compliance verification. Formal compliance audits required every 12 months — not just when OCR comes knocking.
  • Annual BA verification. Written confirmation from every business associate that they meet security requirements — every year.
  • Mandatory MFA. Multi-factor authentication required for all system access.
  • 72-hour system restoration. Critical systems must be restorable within 72 hours with backups no older than 48 hours.

Practices that start preparing now will be compliant when the rule takes effect. Practices that wait will face a compliance scramble with tight deadlines and increased costs.

Your Audit Preparation Checklist

Can you produce each of these documents within two weeks? If not, you have gaps to fill:

  1. Risk assessment: Enterprise-wide, specific to your practice, updated within the last 12 months
  2. Risk management plan: Documented remediation steps for every identified vulnerability
  3. Policies and procedures: Privacy, security, and breach notification — written, current, with revision history
  4. Training records: Dates, participants, topics, signed acknowledgments for every workforce member
  5. BAA inventory: Every vendor who touches PHI, with executed agreements on file
  6. Incident response plan: Written procedures, tested within the last 12 months
  7. Access logs: System records showing who accessed ePHI, when, and from where
  8. Encryption documentation: Evidence of encryption at rest and in transit
  9. Device inventory: List of all devices storing ePHI with disposal procedures
  10. Notice of Privacy Practices: Current NPP with all required content, provided to patients

HIPAA requires you to retain compliance documentation for six years. Store it in a dedicated HIPAA compliance folder — physical or digital — that your designated Privacy Officer and Security Officer can access immediately.

What to Do If You Receive an OCR Letter

  1. Do not ignore it. Non-response triggers civil money penalties, which are worse than negotiated settlements.
  2. Engage HIPAA legal counsel immediately. Attorney-client privilege protects your communications.
  3. Assemble your documentation within the stated deadline (10-30 days).
  4. Do not fabricate or backdate documents. OCR investigators identify inconsistencies.
  5. Cooperate fully. Cooperation is a mitigating factor in penalty calculations.
  6. Begin remediation immediately. Demonstrating good-faith efforts to fix gaps can reduce penalties.

The Bottom Line

An OCR audit is not a question of "if" but "when." Complaints, breach reports, the audit program, and the new Risk Analysis Initiative all create pathways to your door. The practices that survive investigations are the ones with documentation proving they did the work — risk assessments, training records, BAAs, and incident response plans.

If you cannot produce the 10 documents on the checklist above within two weeks, start filling those gaps today. The cost of compliance is a fraction of the cost of a settlement — and the corrective action plan that comes with it.

Book a free IT assessment to evaluate your HIPAA compliance posture and identify gaps before OCR does. We will conduct a risk assessment, review your documentation, and build a compliance program that withstands scrutiny. Explore our HIPAA compliance services and managed IT plans, or take our free cybersecurity assessment for a quick baseline score.
