How to Prepare for a HIPAA Audit

Regulatory basis: OCR audit authority derives from Section 13411 of the HITECH Act. Documentation requirements are at 45 CFR 164.316. Evaluation requirements are at 45 CFR 164.308(a)(8).

Audit Triggers

The Office for Civil Rights (OCR) initiates audits through several mechanisms:

  • Complaint-driven investigations: Complaints filed by individuals with OCR
  • Breach reports: Breaches affecting 500 or more individuals are posted on the OCR breach portal and typically trigger a compliance review
  • Audit program: OCR conducts periodic audits as part of its audit program (Phase 1 desk audits and Phase 2 on-site comprehensive audits)
  • Compliance reviews: OCR may initiate reviews based on intelligence from breach reports, media coverage, or referrals from other agencies

Pre-Audit Documentation Checklist

The following documents should be current, complete, and readily accessible. Under 45 CFR 164.316(b)(2)(i), all documentation must be retained for a minimum of six years.

Risk Analysis and Management

  • Current risk assessment (updated within the past 12 months or after significant changes)
  • Risk management plan with corrective action items, responsible parties, and completion dates
  • Previous risk assessments (demonstrating ongoing compliance)

Policies and Procedures

  • Security policies covering all safeguard categories (administrative, physical, technical)
  • Privacy policies including Notice of Privacy Practices
  • Breach notification policies and procedures
  • Sanction policy for workforce violations
  • Evidence of policy review and updates (version history, approval records)

Business Associate Management

  • Inventory of all business associates
  • Executed BAAs for each business associate
  • Evidence of due diligence in BA selection
  • Records of BA compliance monitoring

Training and Awareness

  • Security awareness training materials
  • Training attendance records with dates and participant names
  • Evidence that training is provided to new workforce members within a reasonable timeframe
  • Records of periodic security reminders

Technical Controls

  • System access logs and audit trail records
  • Evidence of access control implementation (user provisioning, role-based access)
  • Encryption documentation (what is encrypted, what algorithm, key management)
  • Vulnerability scan results and penetration test reports
  • Patch management records

Physical Security

  • Facility security plan
  • Visitor logs
  • Equipment inventory (devices that store or access ePHI)
  • Media disposal and sanitization records
  • Workstation use policies

Incident Response

  • Incident response plan
  • Security incident log (all incidents, not just breaches)
  • Breach risk assessments conducted for each potential breach
  • Notification records for confirmed breaches
  • Post-incident review and corrective action documentation

Contingency Planning

  • Data backup plan and evidence of regular backups
  • Disaster recovery plan
  • Emergency mode operation plan
  • Testing and revision records for contingency plans

Common Audit Findings

Based on OCR enforcement actions and published resolution agreements, the following are the most frequently cited deficiencies:

Incomplete or outdated risk assessment (164.308(a)(1)(ii)(A))

This is the most commonly cited deficiency in OCR enforcement. Risk assessments must be thorough, cover all ePHI, and be updated regularly.

Lack of encryption on portable devices (164.312(a)(2)(iv))

While encryption is an addressable specification, OCR expects it on laptops, mobile devices, and portable media unless a documented equivalent measure is in place.

Insufficient access controls (164.312(a)(1))

Typical findings include failing to implement role-based access, not revoking access upon termination, and sharing login credentials.

Missing or incomplete BAAs (164.314(a)(2)(i))

BAAs must be in place before PHI is shared and must contain all required provisions.

Inadequate training documentation (164.308(a)(5)(i))

Training must be documented with dates, topics covered, and attendance records.

No formal incident response plan (164.308(a)(6)(i))

The organization must have documented policies and procedures for identifying, responding to, and mitigating security incidents.

Failure to conduct evaluation (164.308(a)(8))

Periodic technical and nontechnical evaluations are required, especially after significant changes.

During the Audit

Designate an Audit Coordinator

Assign a single point of contact to manage communications with auditors. This person should understand the organization's compliance program and know where all documentation resides.

Respond Promptly and Completely

OCR typically sets deadlines for document production. Missing deadlines or providing incomplete responses can escalate the investigation. If a document does not exist, state that clearly rather than delaying the response.

Involve Legal Counsel

Responses to OCR should be reviewed by counsel experienced in HIPAA enforcement. Audit responses may be used in subsequent enforcement proceedings.

Document Corrective Actions

If gaps are identified during the audit, begin corrective action immediately and document the steps taken. Demonstrating good faith efforts to remediate can influence the outcome of enforcement proceedings.

Proactive Compliance

The best audit preparation is continuous compliance. Conduct internal audits annually, update policies and risk assessments regularly, and maintain documentation as an ongoing practice rather than a reactive exercise. Organizations with mature compliance programs -- documented policies, current risk assessments, regular training, and established incident response procedures -- face significantly lower risk of adverse audit findings and enforcement actions.