The HIPAA Audit Preparation Checklist: What OCR Actually Asks For
HIPAA audits aren’t pop quizzes on regulation trivia — they’re document requests. When the HHS Office for Civil Rights (OCR) audits or investigates, it sends a list: your risk analysis, your policies, your training records, your business associate agreements, your breach log. Organizations fail not because they answered a question wrong but because the documents don’t exist, are years out of date, or can’t be produced inside the deadline. This checklist organizes audit preparation around the artifacts OCR requests, in roughly the order it requests them — so preparing doubles as a working compliance program instead of a binder that exists only for inspection day. For the narrative view of how an audit unfolds, pair this with our guide to what to expect in a HIPAA audit.
Where audits come from (and why “we’re too small” is wrong)
The HITECH Act §13411 requires HHS to conduct periodic audits of covered entities and business associates, and OCR’s audit program (the Phase 2 protocol remains the last published framework) selected entities of every size, small practices included. In day-to-day reality the more common trigger is the complaint-driven or breach-driven investigation — and those use the same document requests. Preparing for an audit is preparing for an investigation. Breaches affecting fewer than 500 records are reviewed too: the annual small-breach submission feeds OCR’s radar just as the large-breach notifications do. “We’re too small to be audited” is not a compliance strategy; it is the assumption OCR’s enforcement history most often contradicts.
Tier 1: the documents OCR asks for first
1. A current, organization-wide security risk analysis
What good looks like: scoped to all ePHI — every system, device, and vendor data flow — dated within the last 12 months or after the last material change, with a documented methodology. The common failure is a network vulnerability scan standing in for a risk analysis, or a Security Risk Analysis last touched for an EHR incentive program years ago. A missing or stale risk analysis is the single most-cited deficiency in OCR resolution agreements. See our Security Risk Analysis overview and the full HIPAA risk assessment guide.
2. A risk management plan tied to the SRA
Findings ranked, owners assigned, remediation dated and tracked to closure. Identifying gaps is not enough — OCR expects to see the remediation workflow that actually closes them, with evidence of progress over time.
3. Written policies and procedures, with version history
Privacy, Security, and Breach Notification policies, reviewed on a schedule and versioned so you can show which policy was in force on any given date. An undated policy library cannot answer the question OCR actually asks: what governed your organization when the incident occurred?
4. Workforce training records
Per-person completion records: who, when, on which content, against which policy version — with new-hire timing and annual cadence visible. Retain these for six years. Aggregate “everyone was trained” assertions do not survive a document request.
5. A business associate inventory plus executed BAAs
A living inventory mapping every PHI-touching vendor to a current, executed agreement — not a contracts folder. The full treatment is in our BAA Inventory Checklist. Two settlements show the cost of getting this wrong: Raleigh Orthopaedic Clinic paid $750,000 after handing the x-ray films and PHI of roughly 17,300 patients to a vendor with no business associate agreement in place, and the Center for Children’s Digestive Health paid $31,000 over a paper-records storage vendor that held records for 10,728+ patients with no written BAA.
Tier 2: what they ask for next
6. Access management documentation
Role-based access mappings, a termination checklist with completion evidence, and periodic access-review records that prove the mappings are maintained, not just drafted once.
7. Breach log and incident response records
All incidents — including those assessed as non-breaches, with the risk-assessment rationale recorded — plus small-breach annual submissions and any notifications for breaches affecting 500 or more individuals.
8. Contingency plan with test evidence
A data backup plan, disaster recovery plan, and emergency-mode operation plan under 45 CFR §164.308(a)(7) — plus the restore-test records that prove the backups actually work. An untested backup is a finding waiting to happen.
9. Device and media controls
An asset inventory of everything that touches ePHI, encryption status per device, and sanitization or disposal records for retired media.
10. Notice of Privacy Practices and acknowledgment records
A current Notice of Privacy Practices, posted and distributed, with a documented acknowledgment workflow.
The production test: can you assemble this in 10 business days?
Investigations typically allow a few weeks for document production, but timelines vary by letter — never assume; the request letter governs. If assembling your tier-1 artifacts takes longer than two weeks, that delay is the audit result. Run the drill annually: pull every tier-1 artifact cold, time it, and log the gaps as risk-management items. The pending Security Rule update — still proposed, not final, as of June 2026 — would push even further toward verifiable artifacts such as asset inventories, network maps, and scan results, so building the production muscle now is the cheapest preparation available. Track the proposal in our 2026 HIPAA Security Rule update explainer.
How Medcurity makes audit prep continuous
The Medcurity platform keeps tier-1 artifacts live by default: a guided SRA with dated methodology, findings that flow into a tracked worklist, a policy library with version history, training completion records, and vendor/BAA tracking — production-ready instead of reconstructed under deadline. When the document request arrives, the answer is already assembled. See the platform.
Frequently asked questions
What documents does OCR request in a HIPAA audit?
The core set: your security risk analysis, risk management plan, written policies and procedures, workforce training records, business associate agreements, breach log, and contingency plan with test evidence.
How often should we update our HIPAA risk analysis?
At least annually and after any material change — a new EHR, a new location, a merger, or a major vendor change. A risk analysis older than a year is the most commonly cited audit deficiency.
How long do we have to respond to an OCR document request?
The request letter specifies the deadline — commonly a few weeks. Extensions can be requested in writing before the deadline. Missing it signals non-cooperation and escalates the matter.
Are small practices really audited?
Yes. OCR’s audit selections have included small practices, and complaint- and breach-driven investigations — which use the same document requests — reach organizations of every size.