HIPAA Audit Checklist 2026: Prepare Before OCR Comes Calling
Posted: March 11, 2026 to Compliance.
A HIPAA audit is a formal review conducted by the Office for Civil Rights (OCR) to evaluate a covered entity's or business associate's compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. In 2026, OCR has expanded its audit program to include desk audits of 200 organizations and on-site audits of 50, focusing specifically on risk analysis, access controls, and encryption practices.
Key Takeaways
- OCR issued $6.1 million in HIPAA penalties in 2025, with the average fine for small healthcare practices exceeding $150,000
- The most cited violation in 2025 was failure to conduct a thorough risk analysis, appearing in 79% of enforcement actions
- The Security Rule comprises 18 standards and roughly 40 implementation specifications (commonly counted as 42: 20 required and 22 addressable) across administrative, physical, and technical safeguards; a complete compliance program addresses every one of them
- Documentation alone is not enough; OCR auditors verify that documented policies are actually implemented and followed
- Preparing for an audit takes most organizations 4 to 8 months of focused effort, making proactive preparation essential
What OCR Is Targeting in 2026
OCR publishes its audit protocol and updates it periodically. Based on the 2025 enforcement data and 2026 audit program announcements, these are the areas receiving the most scrutiny:
Risk Analysis (45 CFR 164.308(a)(1)(ii)(A)): This is the single most important element. OCR has cited a missing or inadequate risk analysis in most major enforcement actions for the past three years. A risk analysis is not a checkbox; it is a comprehensive, documented evaluation of the threats and vulnerabilities affecting every system that creates, receives, maintains, or transmits ePHI.
Access Controls (45 CFR 164.312(a)(1)): OCR is examining whether organizations implement unique user identification, emergency access procedures, automatic logoff, and encryption/decryption of PHI. Shared logins are an automatic finding, because unique user identification is a required (not addressable) specification.
Encryption (45 CFR 164.312(a)(2)(iv) at rest and 164.312(e)(2)(ii) in transit): The Security Rule lists encryption as "addressable" rather than "required," which means you must either implement it or document why it is not reasonable and appropriate for your environment and what equivalent alternative you use instead; OCR treats the absence of encryption as a significant vulnerability that demands exactly that documented justification. In practice, not encrypting PHI at rest and in transit is indefensible. Note also that the Security Rule update HHS proposed in January 2025 would remove the required/addressable distinction and make encryption mandatory with narrow exceptions, so check whether that rule has been finalized before relying on the addressable argument.
Business Associate Agreements (45 CFR 164.308(b)(1)): Every vendor that touches PHI needs a current BAA. OCR checks that BAAs include required provisions and that organizations actually monitor their business associates' compliance.
For a deeper dive into HIPAA security requirements, see our comprehensive HIPAA Security Guide.
The Complete HIPAA Audit Checklist
Administrative Safeguards (45 CFR 164.308)
Administrative safeguards account for more than half of the Security Rule's requirements. These are the policies, procedures, and organizational measures that protect PHI.
Security Management Process
- Risk analysis completed and documented within the past 12 months
- Risk management plan created based on risk analysis findings, with specific remediation timelines
- Sanction policy documented: what happens to workforce members who violate HIPAA policies
- Information system activity review: regular review of audit logs, access reports, and security incident tracking
Assigned Security Responsibility
- HIPAA Security Officer designated by name with documented responsibilities
- Security Officer has authority and resources to implement security measures
- Security Officer contact information posted and communicated to all workforce members
Workforce Security
- Authorization procedures for granting access to PHI based on job function
- Workforce clearance procedures: background checks for employees with PHI access
- Termination procedures: access revoked promptly when employment ends (the current rule sets no fixed deadline; 24 hours is the target the January 2025 proposed rule would codify and a defensible internal standard), with a documented process for collecting devices and credentials
Information Access Management
- Access authorization policy: who approves access to each system containing PHI
- Access establishment and modification: documented process for creating, modifying, and revoking user accounts
- Access reviewed quarterly to ensure least-privilege alignment
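The termination and quarterly access-review items above are the kind of check that should run as a script against exports from HR and the identity provider rather than as a spreadsheet exercise. The following is an added example, not code from the original post: it reconciles a constructed HR roster with a constructed account export and flags accounts still enabled past the 24-hour revocation target, entitlements beyond what the role allows, dormant accounts, and accounts with no HR owner (which is where shared or generic logins surface). The role-to-entitlement map, the sample users, and the 90-day dormancy threshold are assumptions for a fictional clinic.

```python
"""Access review: reconcile an HR roster with an account export.

Added example, not from the original post. The role model, users and
thresholds are assumptions for a fictional clinic; real input would come
from HR and the identity provider.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed least-privilege model: the entitlements each job function may hold.
ROLE_ENTITLEMENTS = {
    "physician": {"ehr:read", "ehr:write", "eprescribe"},
    "front_desk": {"ehr:read", "scheduling"},
    "billing": {"ehr:read", "billing:write"},
    "it_admin": {"ehr:admin", "ad:admin"},
}
REVOCATION_SLA = timedelta(hours=24)  # checklist target after separation
DORMANCY = timedelta(days=90)         # assumed threshold for unused accounts


@dataclass
class Worker:
    user_id: str
    role: str
    terminated_at: Optional[datetime] = None  # None: still employed


@dataclass
class Account:
    user_id: str
    enabled: bool
    entitlements: set
    last_login: Optional[datetime] = None


def review_access(workers, accounts, now):
    """Return (user_id, kind, detail) findings for one review run."""
    findings = []
    by_user = {w.user_id: w for w in workers}
    for acct in accounts:
        w = by_user.get(acct.user_id)
        if w is None:
            # No HR owner: an orphan, or a shared/generic login several people use
            findings.append((acct.user_id, "orphan", "no matching HR record"))
            continue
        if w.terminated_at is not None:
            # A leaver's account needs disabling; privilege review is moot
            if acct.enabled:
                overdue = now - w.terminated_at - REVOCATION_SLA
                if overdue > timedelta(0):
                    hours = int(overdue.total_seconds() // 3600)
                    findings.append((acct.user_id, "termination_sla",
                                     f"still enabled {hours}h past the 24h revocation target"))
            continue
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(w.role, set())
        if excess:
            findings.append((acct.user_id, "excess_privilege",
                             f"beyond role {w.role}: {', '.join(sorted(excess))}"))
        if acct.enabled and (acct.last_login is None or now - acct.last_login > DORMANCY):
            findings.append((acct.user_id, "dormant", "no login in 90 days; disable or justify"))
    return findings


# Constructed sample data (not real people or systems)
NOW = datetime(2026, 3, 11, 12, 0, tzinfo=timezone.utc)


def sample_workers():
    return [
        Worker("jdoe", "physician"),
        Worker("asmith", "front_desk", terminated_at=NOW - timedelta(days=3)),
        Worker("bchen", "billing", terminated_at=NOW - timedelta(hours=10)),  # inside the SLA
        Worker("rpatel", "it_admin"),
    ]


def sample_accounts():
    return [
        Account("jdoe", True, {"ehr:read", "ehr:write", "eprescribe", "ehr:admin"}, NOW - timedelta(days=1)),
        Account("asmith", True, {"ehr:read", "scheduling"}, NOW - timedelta(days=4)),
        Account("bchen", True, {"ehr:read", "billing:write"}, NOW - timedelta(days=1)),
        Account("rpatel", True, {"ehr:admin", "ad:admin"}, NOW - timedelta(days=120)),
        Account("frontdesk2", True, {"ehr:read"}, NOW),  # shared login with no HR owner
    ]


def review_sample():
    return review_access(sample_workers(), sample_accounts(), NOW)


if __name__ == "__main__":
    for user_id, kind, detail in review_sample():
        print(f"{kind:18} {user_id:12} {detail}")
```

Run quarterly, keep the output with the reviewer's sign-off as the evidence OCR asks for, and treat every orphan as a candidate shared account until someone claims it.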
Security Awareness and Training
- Security training provided to all workforce members upon hire and annually thereafter
- Training covers: password management, phishing recognition, workstation security, incident reporting
- Security reminders distributed regularly (monthly or quarterly)
- Login monitoring: procedures for detecting and responding to failed login attempts
- Password management policy: minimum length (12+ characters), complexity requirements, prohibition on password reuse
Security Incident Procedures
- Incident response plan documented and tested within the past 12 months
- Incident identification, classification, and escalation procedures defined
- Incident documentation requirements specified
- Post-incident review process defined
Contingency Plan
- Data backup plan: PHI backed up regularly (daily minimum), with documented recovery procedures
- Disaster recovery plan: documented process for restoring PHI systems after a failure
- Emergency mode operation plan: how to maintain critical functions during an emergency
- Testing: contingency plans tested annually with documented results
- Criticality analysis: systems ranked by importance to prioritize recovery
Evaluation
- Periodic evaluation of security measures conducted at least annually
- Evaluation documents whether current security measures meet HIPAA requirements
- Findings from evaluation trigger updates to policies and procedures
Business Associate Contracts
- BAA inventory: complete list of all business associates with current BAA status
- Each BAA includes required HIPAA provisions (breach notification, safeguard requirements, termination clauses)
- BAAs reviewed and updated when services change
- Business associate compliance monitored (at minimum: annual attestation or evidence of SOC 2/HITRUST)
Physical Safeguards (45 CFR 164.310)
Physical safeguards protect the physical infrastructure and devices that store or process PHI.
Facility Access Controls
- Facility access policy: who is authorized to enter areas where PHI is stored or processed
- Visitor log: maintained for server rooms and records storage areas
- Access control mechanisms: badge readers, key cards, or biometric locks on sensitive areas
- Maintenance records: documentation of physical security repairs and modifications
Workstation Use
- Workstation use policy: rules for PHI access on workstations (screen positioning, clean desk, locking)
- Privacy screens on monitors in public-facing areas
- Automatic screen lock after 5 minutes of inactivity
Workstation Security
- Physical security: workstations physically secured (cable locks for laptops, locked offices)
- Workstations in public areas cannot access PHI without additional authentication
Device and Media Controls
- Device disposal policy: documented procedures for securely wiping or destroying media containing PHI
- Media reuse procedures: PHI removed before media is reassigned
- Hardware inventory: complete list of all devices that store or process PHI
- Device movement tracking: log of PHI-containing devices moved into, out of, or within the facility
Technical Safeguards (45 CFR 164.312)
Technical safeguards are the technology-based controls that protect PHI in electronic systems.
Access Control
- Unique user identification: every user has a unique login (no shared accounts)
- Emergency access procedure: documented method for accessing PHI during an emergency when normal procedures fail
- Automatic logoff: applications holding PHI end or lock the session after a defined period of inactivity (15 minutes is a common ceiling for clinical systems; HIPAA sets no specific number), complementing the operating-system screen lock listed under Workstation Use
- Encryption and decryption: PHI encrypted at rest using AES-256 or equivalent
Audit Controls
- Audit logging enabled on all systems that store or process PHI
- Logs capture: user identity, timestamp, action performed, data accessed
- Logs retained long enough to support investigations; the Security Rule's 6-year retention requirement (45 CFR 164.316(b)(2)) applies to required documentation, which includes your log review records, and many organizations apply the same 6 years to the logs themselves. Whatever period you choose, document it in the risk analysis
- Logs reviewed regularly (weekly minimum for critical systems)
- Logs stored on a separate system from the one being audited
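The login-monitoring item under Security Awareness and Training and the audit-control items above say what a review must catch; the following added example, not code from the original post, shows that review as code run over constructed JSON-lines audit events. It flags failed-login bursts, emergency-access ("break-glass") events that need documented sign-off, one user touching an unusual number of distinct patient records, and events that lack the user/timestamp/action fields the checklist requires, since a log entry that cannot attribute an action to a person is itself an audit-control failure. The event format, field names, and thresholds are assumptions; map them onto what your EHR, identity provider, or SIEM actually emits.

```python
"""Audit log review over constructed events (added example, not from the post).

Event format, field names and thresholds are assumptions for illustration.
Events are assumed to arrive in time order, as a SIEM export normally does.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
REQUIRED_FIELDS = ("ts", "user", "action")              # identity, time, action
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)   # brute-force heuristic
BULK_THRESHOLD, BULK_WINDOW = 20, timedelta(minutes=60)  # snooping / export heuristic


def review(lines):
    """Return (kind, subject, detail) findings for an iterable of JSON event lines."""
    findings = []
    fails = defaultdict(deque)   # user -> timestamps of recent failed logins
    views = defaultdict(deque)   # user -> (timestamp, patient) of recent record views
    alerted = set()              # (kind, user) already reported, to avoid repeats
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            findings.append(("malformed", f"line {lineno}", "not valid JSON"))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            findings.append(("malformed", f"line {lineno}", "missing " + ", ".join(missing)))
            continue
        ts, user, action = datetime.strptime(ev["ts"], FMT), ev["user"], ev["action"]

        if action == "login_fail":
            q = fails[user]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:        # slide the window forward
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and ("login_burst", user) not in alerted:
                alerted.add(("login_burst", user))
                findings.append(("login_burst", user, f"{len(q)} failed logins within {FAIL_WINDOW}"))
        elif action == "break_glass":
            findings.append(("break_glass", user,
                             f"emergency access to {ev.get('patient')} needs documented review"))
        elif action == "view":
            q = views[user]
            q.append((ts, ev.get("patient")))
            while ts - q[0][0] > BULK_WINDOW:
                q.popleft()
            distinct = {p for _, p in q}
            if len(distinct) >= BULK_THRESHOLD and ("bulk_access", user) not in alerted:
                alerted.add(("bulk_access", user))
                findings.append(("bulk_access", user, f"{len(distinct)} distinct patients within {BULK_WINDOW}"))
    return findings


def sample_lines():
    """Constructed events for one day; not real log data."""
    base = datetime(2026, 3, 9)

    def ev(offset, **fields):
        return json.dumps({"ts": (base + offset).strftime(FMT), **fields})

    lines = []
    # techA: four failures 15 minutes apart; the 10-minute window never holds five
    for m in (0, 15, 30, 45):
        lines.append(ev(timedelta(hours=7, minutes=m), user="techA", action="login_fail", src="10.1.4.7"))
    # nurse7: five failures inside three minutes, then a success
    for s in (5, 40, 70, 115, 150):
        lines.append(ev(timedelta(hours=8, seconds=s), user="nurse7", action="login_fail", src="10.1.4.20"))
    lines.append(ev(timedelta(hours=8, minutes=3), user="nurse7", action="login_ok", src="10.1.4.20"))
    # billing3: 25 distinct charts in 25 minutes
    for i in range(25):
        lines.append(ev(timedelta(hours=9, minutes=i), user="billing3", action="view", patient=f"P-{1000 + i}"))
    # an event with no user identity, a line that is not JSON, and a blank line
    lines.append(ev(timedelta(hours=10), action="view", patient="P-2000"))
    lines.append("Mar  9 10:05:00 ehr01 audit: unparsed text")
    lines.append("")
    # after-hours emergency access
    lines.append(ev(timedelta(hours=22, minutes=15), user="drlee", action="break_glass", patient="P-1042"))
    return lines


def review_sample():
    return review(sample_lines())


if __name__ == "__main__":
    for kind, subject, detail in review_sample():
        print(f"{kind:12} {subject:10} {detail}")
```

The sliding windows matter: four failures spread over 45 minutes are normal, five in three minutes are not, and the review should say so without paging someone for every single bad password. Keep the script's output with the reviewer's initials; that is the "information system activity review" record OCR will ask for.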
Integrity
- Data integrity controls: mechanisms to ensure PHI is not improperly altered or destroyed
- Electronic authentication: methods to verify that PHI has not been altered in transit (checksums, digital signatures)
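The checklist mentions checksums and digital signatures together, but they answer different threats. A bare checksum catches accidental corruption; it does not catch a person or process that can write the record, because whoever rewrites the record can recompute the checksum. A keyed MAC (or, across organizational boundaries, a signature) is what detects deliberate alteration. The following added example, not code from the original post, demonstrates that difference on a constructed patient record with a demo key; the record, the key and the field names are assumptions, and in production the key would live in an HSM or KMS rather than beside the data.

```python
"""Integrity tags for ePHI records (added example, not from the post).

Demonstrates why a keyed HMAC, not a plain checksum, detects deliberate
modification. The record and key below are constructed sample data.
"""
import copy
import hashlib
import hmac
import json

SAMPLE_KEY = bytes.fromhex("7f" * 32)  # demo key only; use a KMS/HSM in production
SAMPLE_RECORD = {"mrn": "MRN-0001", "allergies": ["penicillin"], "dob": "1970-01-01"}


def canonical(record: dict) -> bytes:
    """Deterministic serialization so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Unkeyed SHA-256: fine for spotting bit rot, useless against an insider."""
    return hashlib.sha256(canonical(record)).hexdigest()


def seal(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag that only holders of the key can produce."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])  # constant-time comparison


def tamper(record: dict) -> dict:
    """Simulate a silent, clinically dangerous edit."""
    changed = copy.deepcopy(record)
    changed["allergies"] = []
    return changed


def checksum_catches_insider() -> bool:
    """An attacker who can write the record also rewrites the checksum."""
    stored_record = tamper(SAMPLE_RECORD)
    stored_sum = checksum(stored_record)          # recomputed by the attacker
    return checksum(stored_record) != stored_sum  # never detected


def hmac_catches_insider() -> bool:
    """Without the key the attacker cannot forge a tag for the altered record."""
    sealed = seal(SAMPLE_RECORD, SAMPLE_KEY)
    forged = {"record": tamper(sealed["record"]), "tag": sealed["tag"]}
    return not verify(forged, SAMPLE_KEY)


if __name__ == "__main__":
    print("plain checksum detects insider edit:", checksum_catches_insider())
    print("HMAC detects insider edit:", hmac_catches_insider())
```

Canonical serialization is the part people forget: if two systems serialize the same record differently (key order, whitespace, float formatting), every tag verifies as a failure and the control gets switched off. For data exchanged with a business associate, use a signature with a private key the recipient does not hold, since anyone holding an HMAC key can forge tags.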
Person or Entity Authentication
- Multi-factor authentication implemented for all PHI system access (not explicitly required by the current rule, but proposed as a requirement in the January 2025 Security Rule update and routinely written into OCR corrective action plans)
- Authentication mechanisms appropriate to the risk level of the system
- Password policies enforced technically (not just documented)
Transmission Security
- Encryption in transit: all PHI transmitted over networks uses TLS 1.2 or higher
- Unencrypted PHI transmission (fax, unencrypted email) documented with risk justification
- VPN or encrypted tunnel required for remote PHI access
- Wireless networks use WPA3 or WPA2-Enterprise with RADIUS authentication
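"TLS 1.2 or higher" is a one-line setting in most TLS stacks, and the finding usually comes from code that never set it, or that disabled certificate checking to get past an expired internal cert. The following added example, not code from the original post, shows a Python client context pinned to TLS 1.2+ with certificate and hostname verification, beside the permissive context that "just works" in development, plus a small audit function that reports which checklist items a given context fails. It uses only the standard library; the `cafile` parameter and the finding strings are assumptions for illustration.

```python
"""TLS client configuration and audit (added example, not from the post).

Standard-library only. The weak context is constructed here purely so the
audit has something to flag; do not ship it.
"""
import ssl


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSL and TLS 1.0/1.1
    ctx.check_hostname = True                      # bind the cert to the name dialed
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.options |= ssl.OP_NO_COMPRESSION           # CRIME-style compression attacks
    if cafile:
        ctx.load_verify_locations(cafile)          # private CA for internal services
    else:
        ctx.load_default_certs()
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Typical 'it just worked' configuration; every line is a finding."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever the library allows
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return checklist findings for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol not pinned at TLS 1.2 or higher")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:", audit_context(weak_client_context()))
```

Pin the minimum explicitly even when the library default is already 1.2; an audit that reads "relies on the default" invites the question of which OpenSSL build the default came from. On the server side the same settings apply, and the page's "document any unencrypted transmission" item then reduces to a list of endpoints where this context is not in use.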
Documentation OCR Expects to See
During an audit, OCR requests specific documentation. Having these ready in a single, organized repository saves weeks of scrambling.
Required Documents Checklist
| Document | Retention | Last Updated |
|---|---|---|
| Risk analysis report | 6 years | Within 12 months |
| Risk management plan | 6 years | Within 12 months |
| Security policies and procedures | 6 years | Within 12 months |
| Business associate agreement inventory | 6 years | Quarterly review |
| Training records (all workforce members) | 6 years | After each session |
| Incident response plan | 6 years | Annually |
| Contingency/disaster recovery plan | 6 years | Annually |
| Audit log review records | 6 years | Monthly/weekly |
| Access authorization records | 6 years | Ongoing |
| Device/media disposal records | 6 years | Per event |
| Penetration test results | 6 years | Annually |
| Vulnerability scan reports | 6 years | Quarterly |
HIPAA requires 6-year document retention from the date of creation or the date when the policy was last in effect, whichever is later. This is not optional. Missing documentation is treated the same as non-compliance.
The Risk Analysis: Getting It Right
Because risk analysis is the most commonly cited deficiency, it deserves special attention.
What OCR Considers an Adequate Risk Analysis
Scope: Covers every system, application, and process that creates, receives, maintains, or transmits ePHI. This includes EHR systems, email, cloud storage, mobile devices, medical devices, backup systems, and any AI tools processing patient data.
Threat identification: Documents specific threats relevant to your environment, not generic lists copied from the internet. Threats include: ransomware, phishing, insider threats, natural disasters, equipment failure, vendor breaches.
Vulnerability assessment: Identifies specific vulnerabilities in your current controls. This typically requires technical scanning (Nessus, Qualys, or similar) combined with process review.
Risk rating: Each threat-vulnerability pair receives a risk rating based on likelihood and impact. Use a consistent methodology (NIST SP 800-30 is the one OCR's own risk analysis guidance points to).
Remediation plan: Every identified risk has a documented response: mitigate, accept, transfer, or avoid. Accepted risks require management sign-off with documented justification.
Tools for Risk Analysis
- NIST Cybersecurity Framework Assessment Tool: Free, comprehensive
- HHS SRA Tool: Free, specifically designed for small healthcare providers
- Qualys/Nessus: Vulnerability scanning ($2,000-$5,000/year for SMBs)
- Professional assessment: $5,000-$25,000 depending on organization size
For organizations that want expert guidance through the risk analysis process, our HIPAA risk assessment service provides a turnkey solution.
Timeline: Preparing for an OCR Audit
Months 1-2: Foundation
- Designate or confirm HIPAA Security Officer
- Conduct (or update) comprehensive risk analysis
- Inventory all systems containing ePHI
- Inventory all business associates and BAA status
Months 3-4: Policies and Procedures
- Draft or update all required policies (use the checklist above)
- Ensure policies are specific to your organization, not generic templates
- Have legal counsel review BAAs
- Deploy technical controls identified in risk analysis
Months 5-6: Training and Testing
- Conduct workforce training with sign-off documentation
- Test contingency and disaster recovery plans
- Run tabletop incident response exercise
- Conduct penetration test and vulnerability scans
Months 7-8: Review and Remediation
- Review audit logs from the past 6 months
- Close any open findings from risk analysis
- Conduct internal audit using OCR audit protocol
- Prepare document repository for rapid response
Penalties and Enforcement
OCR categorizes violations into four tiers:
| Tier | Description | Per Violation (2023 adjustment) | Statutory Annual Cap (2023 adjustment) |
|---|---|---|---|
| 1 | Did not know and could not have known | $137 - $68,928 | $2,067,813 |
| 2 | Reasonable cause, not willful neglect | $1,379 - $68,928 | $2,067,813 |
| 3 | Willful neglect, corrected within 30 days | $13,785 - $68,928 | $2,067,813 |
| 4 | Willful neglect, not corrected | $68,928 - $2,067,813 | $2,067,813 |
These are the October 2023 inflation-adjusted figures, not a January 2026 adjustment. HHS revises them annually (the August 2024 adjustment raised the per-violation ceiling to $71,162 and the annual cap to $2,134,831), so confirm the current Federal Register notice before quoting them. Under its 2019 Notice of Enforcement Discretion, OCR applies lower annual caps for tiers 1 through 3 ($25,000, $100,000 and $250,000 before inflation adjustment) and reserves the full statutory cap for tier 4. Criminal penalties under 42 U.S.C. 1320d-6 scale with intent: up to $50,000 and one year for knowingly obtaining or disclosing PHI, up to $100,000 and five years if done under false pretenses, and up to $250,000 and ten years if done for commercial advantage, personal gain, or malicious harm.
Get Audit-Ready with Professional Help
Petronella Technology Group has prepared over 200 healthcare organizations for HIPAA compliance since 2002. Our HIPAA compliance service includes a comprehensive risk analysis, policy development, workforce training, technical control implementation, and ongoing monitoring.
We combine HIPAA expertise with cybersecurity assessment capabilities that go beyond checkbox compliance to actually secure your patient data. Our team includes CMMC Registered Practitioners (RP-1372) and certified security professionals with hands-on experience defending healthcare networks.
Call 919-348-4912 or visit petronellatech.com/contact/ to schedule a HIPAA readiness assessment.
About the Author: Craig Petronella is the CEO of Petronella Technology Group, Inc., a Raleigh, NC-based cybersecurity consultancy with 23 years of experience protecting healthcare organizations. A CMMC Registered Practitioner (RP-1372) with over 30 years of IT security experience, Craig has authored multiple books on compliance and cybersecurity and hosts the Petronella Technology Group podcast.
Frequently Asked Questions
How often does OCR audit healthcare organizations?
OCR selects approximately 200 organizations per year for desk audits and 50 for on-site audits. Selection is not purely random; OCR considers complaint history, breach reports, and industry sector. Separately from the audit program, OCR opens an investigation into every reported breach affecting 500 or more individuals, and smaller breach reports and complaints can also trigger investigations.
What is the difference between a desk audit and an on-site audit?
A desk audit is conducted remotely. OCR sends a request for documentation, and you have 10 business days to respond. An on-site audit involves OCR auditors physically visiting your facility to review systems, interview staff, and observe practices. On-site audits are more thorough and typically follow a desk audit that reveals potential issues.
Can I use a template for my HIPAA policies?
Templates provide a starting point, but OCR specifically looks for organization-specific details. A policy that says "access is granted based on job function" is insufficient. It must specify which roles access which systems, who approves access, and how access is reviewed. Generic templates without customization have been cited as deficiencies in OCR enforcement actions.
How far back does OCR review during an audit?
OCR can request documentation from the past 6 years, which is the HIPAA retention period. In practice, most audits focus on the past 2 to 3 years but may request older documents to verify that policies have been maintained consistently. Having a complete 6-year archive ready is the safest approach.
Do I need to encrypt everything to pass a HIPAA audit?
Encryption is classified as "addressable" under HIPAA, which means you must either implement it or document why an alternative measure provides equivalent protection. In practical terms, OCR treats unencrypted PHI as a significant vulnerability in nearly every enforcement action. The cost of encryption in 2026 is negligible compared to the risk of a finding. Encrypt everything.
What happens if OCR finds violations during an audit?
OCR typically issues a corrective action plan (CAP) requiring specific remediation steps within defined timelines. Financial penalties apply when organizations demonstrate willful neglect or fail to correct known deficiencies. Most first-time findings result in a CAP without monetary penalties, provided the organization demonstrates good faith and timely remediation.
How much does HIPAA audit preparation cost?
Self-directed preparation using free tools (HHS SRA Tool, NIST frameworks) and this checklist can cost as little as staff time. Professional HIPAA readiness assessments range from $5,000 to $30,000 depending on organization size and complexity. The investment is modest compared to the average $150,000 penalty for small practice violations.