Most healthcare providers have never been through a HIPAA audit. They’ve heard the horror stories — six-figure fines, practices shut down, years of corrective action plans — but they have no idea what actually happens when the Office for Civil Rights (OCR) comes knocking.
That uncertainty is the problem. When you don’t know what an audit looks like, you can’t prepare for one. And when you can’t prepare, you panic. Or worse, you assume it won’t happen to you.
This article walks you through the entire HIPAA audit process, step by step, so you know exactly what to expect and what OCR is looking for.
Why Audits Happen
HIPAA audits don’t come out of nowhere. They’re triggered by one of three things:
- A complaint. A patient, employee, or business associate files a complaint with OCR. This is the most common trigger. OCR received over 36,000 complaints in the last reporting period.
- A breach report. If your practice reports a breach affecting 500+ individuals, OCR will investigate. Breaches under 500 are logged and may trigger a review during audit cycles.
- Random selection. OCR conducts periodic audit programs targeting covered entities and business associates. The most recent large-scale program audited over 200 entities.
Here’s what most small practices don’t realize: the complaint doesn’t have to be valid for the audit to be devastating. OCR investigates the complaint, but while they’re looking, they review your entire compliance program. A disgruntled employee complaint about one issue can expose gaps you didn’t know existed.
Step 1: The Notification Letter
The audit begins with a letter — or more commonly now, an email — from OCR. This letter will:
- Identify your practice as the subject of a compliance review
- Reference the complaint, breach report, or audit program that triggered it
- Request an initial set of documentation
- Give you a deadline (typically 10–30 business days)
- Include contact information for the assigned investigator
What this feels like: Terrifying. But the letter itself is straightforward. The question is whether you can produce what they’re asking for.
Step 2: The Document Request
This is where most practices start sweating. OCR will request documentation proving your compliance program exists and is actively maintained. Here’s what they typically ask for:
The Big Six (almost always requested)
- Security Risk Assessment (SRA) — Your most recent risk analysis, including methodology, identified risks, and risk ratings. This is the single most important document. If you don’t have a current SRA, the audit is essentially over before it starts.
- Risk Management Plan — How you’re addressing the risks identified in your SRA. Not just “we identified 47 risks” — they want to see what you’re doing about each one, with timelines and responsible parties.
- Policies and Procedures — Written policies covering all HIPAA Security Rule standards: access controls, audit controls, integrity controls, transmission security, workstation use, device management, and more. These need to be specific to your practice, not generic templates.
- Training Records — Documentation that all workforce members received HIPAA training, when they received it, what topics were covered, and acknowledgment signatures. Annual training is the minimum expectation.
- Business Associate Agreements (BAAs) — A current, signed BAA for every vendor that handles PHI on your behalf: EHR provider, billing company, cloud storage, IT support, shredding service, email provider, and more.
- Breach Notification Documentation — Your breach notification policy, plus records of any breaches that occurred and how they were handled (investigation, notification to individuals, notification to HHS if applicable).
Additional Requests (common)
- Access control documentation (who can access what systems and why)
- Audit log samples from your EHR and other systems
- Encryption status of all devices and storage
- Workforce sanction policy and any enforcement actions taken
- Contingency plan (backup, disaster recovery, emergency mode operations)
- Physical safeguard documentation (facility access controls, workstation security)
- Inventory of all systems that create, receive, maintain, or transmit ePHI
The documentation test: For every HIPAA requirement, OCR’s question is the same: “Show me.” Not “do you do this?” but “prove it.” If it’s not documented, it didn’t happen — regardless of what you actually do day to day.
Step 3: OCR Reviews Your Submission
After you submit your documentation, OCR reviews everything. This phase can take weeks to months. During this time, the investigator may:
- Request additional documents or clarification
- Ask follow-up questions about specific policies or procedures
- Identify gaps between what your documents say and what they’d expect to see
- Compare your documentation against the specific complaint or breach that triggered the review
What you should know: OCR investigators are experienced. They’ve seen every shortcut, every template that was never customized, every “last updated” date that was manually changed without actual updates. They know what real compliance programs look like — and what checkbox exercises look like.
Step 4: The On-Site Review (If Applicable)
Not every audit includes an on-site visit, but many do — especially for complaint-driven investigations or larger practices. During an on-site review, investigators may:
- Walk the facility looking at physical safeguards: Are screens visible to unauthorized people? Are server rooms locked? Are paper records secured? Can you see patient information from the waiting room?
- Interview staff about their HIPAA training, understanding of policies, and daily practices. They’ll ask front desk staff, clinical staff, and IT personnel different questions.
- Review systems to verify access controls, encryption settings, audit logging, and backup procedures match what your documentation claims.
- Check workstations for automatic logoff, screen locks, unauthorized software, and proper disposal of temporary files.
The interview question every staff member should be able to answer: “What would you do if you suspected a breach?” If your receptionist can’t answer that, your training program has a problem.
Step 5: Findings and Resolution
After the review, OCR issues findings. The outcome falls into one of four categories:
1. No Violation Found
Your compliance program checks out. You get a closure letter. This is rare but possible — and it’s the goal.
2. Technical Assistance
OCR identifies minor issues and provides guidance on how to fix them. No fine, no corrective action plan. This is the best realistic outcome for most practices that have a genuine compliance program with some gaps.
3. Resolution Agreement / Corrective Action Plan
OCR finds significant violations but negotiates a resolution. This typically involves:
- A monetary settlement (often reduced from the maximum fine)
- A corrective action plan (CAP) lasting 1–3 years
- Regular reporting to OCR during the CAP period
- Independent monitoring of your compliance program
What a CAP actually means: For the next 1–3 years, you’re under OCR’s microscope. You’ll submit regular progress reports, undergo additional reviews, and any new violations during this period will be treated far more seriously.
4. Civil Money Penalty
For willful neglect or refusal to cooperate, OCR imposes formal penalties. The penalty tiers range from $141 per violation (for unknowing violations) up to $2,134,831 per violation category per year for willful neglect that isn’t corrected.
Real enforcement context: The most common finding in OCR investigations is the absence of a current, comprehensive Security Risk Assessment. The second most common: insufficient or missing policies and procedures. These aren’t exotic failures — they’re the basics.
How Long Does the Whole Process Take?
From notification to resolution, a HIPAA audit typically takes:
- Documentation submission: 10–30 days after notification
- OCR review period: 2–6 months (sometimes longer)
- On-site review (if applicable): 1–3 days
- Findings and negotiation: 1–6 months
- Corrective action plan (if applicable): 1–3 years
Total timeline from first letter to closure: 6 months to 2+ years. During this entire period, your practice is dealing with the stress, distraction, and legal costs of an open investigation.
The Pattern in Every Major HIPAA Settlement
Look at the last 20 major HIPAA settlements and you’ll see the same failures over and over:
- No Security Risk Assessment — or one that’s years out of date
- No written policies — or generic templates that don’t reflect actual practice operations
- No training documentation — staff may have been trained, but there’s no proof
- No BAAs with vendors — especially IT providers, billing companies, and cloud services
- No breach response plan — or a plan that was never tested
- No access controls — shared logins, no audit logging, terminated employees with active access
These aren’t sophisticated failures. They’re the fundamentals. And they’re exactly what OCR looks for first.
What “Audit-Ready” Actually Means
Being audit-ready doesn’t mean being perfect. It means being able to produce documentation that demonstrates a genuine, ongoing compliance effort. Specifically:
- Current SRA (updated annually, or whenever significant changes occur)
- Written policies specific to your practice (not generic templates)
- Training records for all workforce members (with dates and topics)
- BAAs for all vendors handling PHI
- Access logs showing who accessed what and when
- Incident response documentation showing how you handle and report breaches
- Evidence that you act on your findings — risks identified in the SRA are being addressed, not just listed
The difference between a practice that survives an audit and one that doesn’t isn’t the size of the practice or the budget. It’s whether the compliance program is real or theatrical.
The Question You Should Be Asking
If OCR sent you a notification letter tomorrow, could you produce all of this documentation within 30 days?
If the answer is no — or “I’m not sure” — that’s the gap you need to close. Not eventually. Now. Because audits don’t come with advance warning, and the practices that scramble after receiving the letter are the ones that end up in settlement agreements.
Stop wondering if you’re ready
ComplyMD generates your complete HIPAA compliance program — security risk assessment, policies, training tracking, vendor management — and keeps everything current automatically. When the letter arrives, you’ll have everything OCR asks for.
Not sure where you stand today? Start with the 93-point checklist →