OCR Enforcement

OCR Audit Preparation — Checklist and Evidence Map for HIPAA Investigations

TL;DR

OCR audits and investigations follow a predictable pattern — OCR requests specific documentation, reviews it against the HIPAA Audit Protocol, and determines whether your organization has implemented required safeguards. Organizations that maintain organized, current compliance documentation consistently receive better outcomes than those that scramble to assemble records after receiving an OCR letter. Preparation before an audit is the only kind that matters.

A complete guide to preparing for an OCR HIPAA audit or investigation — what OCR requests, how to organize your evidence, and the specific documentation that determines audit outcomes.

medcomply.ai editorial team · Published May 11, 2026 · Updated May 11, 2026 · 9 min read

Receiving a letter from OCR is one of the most stressful events in a healthcare organization's compliance history. The organizations that navigate OCR investigations most successfully share one characteristic: they were prepared before the letter arrived. This guide tells you exactly what OCR looks for, what documentation you need, and how to organize it.

How OCR investigations work

OCR's enforcement process follows a consistent pattern regardless of whether an investigation is triggered by a complaint, a breach report, or an audit selection.

Step 1 — Intake and screening. OCR receives a complaint or breach report and screens it to determine whether it falls within OCR's jurisdiction and whether there is sufficient evidence of a potential violation.

Step 2 — Initial document request. OCR notifies the covered entity of the complaint or investigation and issues an initial request for documentation. This request typically asks for policies, procedures, and evidence of specific compliance activities related to the alleged violation.

Step 3 — Review and follow-up. OCR reviews the submitted documentation against the HIPAA Audit Protocol and applicable regulations. Follow-up requests for additional documentation are common.

Step 4 — Resolution. OCR resolves investigations through one of four outcomes: voluntary compliance (entity demonstrates it is already compliant or has corrected the issue), technical assistance (OCR provides guidance without finding a violation), resolution agreement with or without a financial penalty, or civil money penalty imposed after a finding of non-compliance.

Reference: 45 CFR §160.306 (complaints to the Secretary).

What OCR requests first — the five critical documents

Based on OCR's enforcement history and audit protocol, five categories of documentation are requested in virtually every investigation. These are the foundation of your audit preparation.

1. Current risk analysis

OCR requests your most recent completed risk analysis in nearly every Security Rule investigation. The document must be comprehensive — covering all ePHI locations, all threats and vulnerabilities, all existing controls, and a risk level determination for each identified risk. It must be current — a risk analysis from 2020 in a 2026 investigation will be treated as stale.

What OCR looks for: Is the analysis enterprise-wide? Does it cover all ePHI — including cloud systems, mobile devices, and third-party vendor systems? Is it dated? Does it show methodology? Was it conducted by someone with appropriate expertise?

2. Risk management plan and evidence of implementation

OCR enforces risk management, not just risk analysis: what your organization actually did about the risks it identified. You must be able to show a documented plan with specific remediation actions, responsible parties, target dates, and completion evidence.

What OCR looks for: Is there a documented plan? Are identified risks addressed or are they sitting unacted upon? Is there evidence of implementation — system configuration changes, vendor contracts, training records — not just a plan document?

3. Policies and procedures

OCR requests written policies and procedures covering the Privacy Rule, Security Rule, and Breach Notification Rule. Policies must be implemented — not just written.

What OCR looks for: Are policies current and dated? Do they reflect actual practice? Have they been updated when regulations changed? Are they accessible to workforce members?

4. Workforce training records

OCR requests documentation that all applicable workforce members have received required HIPAA training. Training records must include names, dates, topics covered, and method of delivery.

What OCR looks for: Does training occur at onboarding? Does it occur when policies change? Does it cover the specific topics relevant to each workforce member's role? Are records maintained for all current and recent workforce members?

5. Business associate agreements

OCR requests a current log of all BAAs and copies of executed agreements. Every vendor, contractor, or service provider that handles PHI on your behalf must have a signed, current BAA.

What OCR looks for: Is the BAA log current? Does it cover all business associates — including cloud services, IT vendors, and billing companies? Are BAAs executed before PHI was shared? Do BAAs meet the 2013 Omnibus Rule content requirements?

The OCR Audit Protocol — your roadmap

OCR's Audit Protocol is publicly available on the HHS website and is the definitive reference for what OCR examines. It lists specific audit inquiries organized by Privacy Rule, Security Rule, and Breach Notification Rule provisions.

For each provision the protocol specifies: what OCR asks the organization to demonstrate, what documentation OCR requests, and how OCR evaluates compliance. Every covered entity should download the Audit Protocol and map their existing documentation to each inquiry.

The protocol covers 169 specific audit criteria. The highest-frequency findings in OCR investigations cluster around:

  • Risk analysis — not conducted, incomplete, or outdated
  • Risk management — analysis completed but not acted upon
  • Access controls — shared credentials, no unique user IDs, no automatic logoff
  • Workforce training — not documented or not conducted
  • BAAs — missing, outdated, or not covering all business associates
  • Right of access — late response, excessive fees, or denial without justification
  • Breach notification — late notification or inadequate four-factor assessment

The evidence binder — your most important compliance asset

The most practical preparation step is building and maintaining an organized evidence binder that maps your compliance documentation to the OCR Audit Protocol. When OCR requests documentation, you should be able to produce it within days — not weeks.

Structure your evidence binder by regulation:

Privacy Rule section:

  • Designated privacy officer — appointment letter or documented designation
  • Notice of Privacy Practices — current version with effective date
  • Authorization forms — current templates
  • Patient rights policies — written procedures for each right
  • Minimum necessary policies — written procedures with workflow integration evidence
  • Workforce training records — complete records for all workforce members
  • Sanctions policy — written policy and documentation of any sanctions applied
  • Complaint log — record of any privacy complaints received and resolution

Security Rule section:

  • Risk analysis — complete document with date, methodology, and findings
  • Risk management plan — documented actions with dates and responsible parties
  • Risk management evidence — proof of implementation for each action
  • Designated security officer — appointment letter or documented designation
  • Access control policies — written procedures and technical implementation evidence
  • Audit log policy — written procedures and sample audit log reports
  • Encryption documentation — what is encrypted, how, and when implemented
  • Workstation and device policies — written procedures
  • BAA log — current inventory of all business associates with execution dates
  • BAA copies — executed agreements for all current business associates
  • Workforce training records — security training specific
  • Incident response policy — written procedures and any incident logs
  • Contingency plan — written plan and evidence of testing
  • Evaluation records — most recent security evaluation or audit

Breach Notification Rule section:

  • Breach response policy — written procedures
  • Breach log — all breaches assessed and their outcomes
  • Four-factor assessments — documented assessments for any incidents reviewed
  • Notification records — copies of notifications sent for any notifiable breaches
  • HHS submission confirmations — portal submission records

Responding to an OCR document request

When OCR issues a document request, your response strategy matters as much as the documents themselves.

Respond within the deadline. OCR document requests include response deadlines. Missing a deadline signals disorganization and non-cooperation. If you need additional time, request an extension promptly and in writing.

Be complete. Submitting incomplete documentation and waiting for OCR to ask follow-up questions wastes time and creates a worse impression than submitting complete documentation initially. Review the request carefully and address every item.

Be accurate. Never submit documentation that overstates your compliance. If a required element is missing, say so and describe what you are doing to address it. OCR treats candor about gaps more favorably than submission of inaccurate documentation.

Engage legal counsel. HIPAA investigations carry significant legal and financial risk. Engage a HIPAA attorney before responding to OCR. Communications directed by legal counsel may be protected by attorney-client privilege.

Cooperate fully. Organizations that cooperate with OCR — respond promptly, answer questions thoroughly, implement corrective measures — consistently receive more favorable treatment than those that resist or delay.

If OCR finds violations

If OCR determines your organization has violated HIPAA, it will communicate its findings and propose a resolution. You have several options:

Voluntary compliance or technical assistance — If OCR finds the issue has been corrected or is relatively minor, it may close the investigation without a penalty. This is the best outcome and is most likely when your documentation demonstrates a genuine compliance program.

Resolution agreement — A negotiated settlement where you agree to pay a financial penalty (often reduced from the maximum) and implement a corrective action plan. OCR monitors CAP compliance for one to three years. Most enforcement actions resolve this way.

Civil money penalty — If informal resolution fails, OCR may impose a CMP. A CMP can be contested before an administrative law judge, then before the HHS Departmental Appeals Board, and finally through judicial review in federal court.

Note

Under the 2021 HITECH Act amendment (Public Law 116-321), OCR must consider whether an organization had recognized security practices in place for the preceding 12 months as a mitigating factor that can reduce financial penalties and shorten audits. Organizations that can document adoption of the NIST Cybersecurity Framework, NIST SP 800-66, or the HHS 405(d) practices are in a materially better position during enforcement. Adoption must be provable, not asserted: keep dated evidence (control mappings, configuration records, review minutes) alongside the framework reference.

Proactive preparation timeline

Right now:

  • Download the OCR Audit Protocol from HHS.gov
  • Conduct a self-assessment against each audit criterion
  • Identify gaps between your current documentation and what OCR expects

Within 30 days:

  • Update or conduct your risk analysis if it is more than 12 months old
  • Update your BAA log and identify any missing agreements
  • Confirm your privacy officer and security officer are formally designated in writing

Within 90 days:

  • Build your evidence binder organized by Privacy Rule, Security Rule, and Breach Notification Rule
  • Conduct workforce training if records are incomplete or outdated
  • Review and update your policies and procedures for currency

Ongoing:

  • Update your risk analysis when systems, vendors, or operations change materially
  • Maintain complete workforce training records for all current employees
  • Review and update BAAs annually
  • Log all incidents and their four-factor assessment outcomes

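The self-assessment and evidence-binder steps above amount to a recurring check: for each artifact the Audit Protocol asks for, do we have it, is it dated, is it current, and is there implementation evidence behind it? The script below is an added example (not the article's or medcomply.ai's own tooling) that encodes only the tests the article states: a risk analysis older than 12 months is stale, a BAA must be executed before PHI is first shared, a plan without implementation evidence is a gap, and training must occur at onboarding. The artifact names, the 30-day onboarding window, and all inventory data are constructed assumptions for illustration.

```python
"""Evidence-map self-check: flags missing, undated, stale or unevidenced audit artifacts.

Added example, not code from the medcomply.ai article. Rules mirror the article's
own criteria; the 30-day onboarding-training window is an assumption, not an OCR rule.
All sample data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

RISK_ANALYSIS_MAX_AGE = timedelta(days=365)       # article: update if older than 12 months
ONBOARDING_TRAINING_WINDOW = timedelta(days=30)   # assumption for illustration only

# Minimal required artifacts per regulation, drawn from the evidence-binder lists (subset).
REQUIRED = {
    "privacy": ["privacy officer designation", "notice of privacy practices", "sanctions policy"],
    "security": ["risk analysis", "risk management plan", "security officer designation", "contingency plan"],
    "breach": ["breach response policy", "breach log"],
}

@dataclass
class Artifact:
    area: str                      # "privacy", "security" or "breach"
    name: str
    dated: Optional[date]          # effective/approval date printed on the document
    evidence: List[str] = field(default_factory=list)  # implementation proof: configs, contracts, records

@dataclass
class Vendor:
    name: str
    phi_shared_since: date
    baa_executed: Optional[date]

@dataclass
class Worker:
    name: str
    start_date: date
    trained_on: Optional[date]

def find_gaps(artifacts, vendors, workers, today):
    """Return one human-readable finding per gap, in binder order (privacy, security, breach, BAAs, training)."""
    findings = []
    by_key = {(a.area, a.name): a for a in artifacts}
    for area, names in REQUIRED.items():
        for name in names:
            a = by_key.get((area, name))
            if a is None:
                findings.append(f"MISSING [{area}] {name}")
            elif a.dated is None:
                findings.append(f"UNDATED [{area}] {name}")
            elif name == "risk analysis" and today - a.dated > RISK_ANALYSIS_MAX_AGE:
                findings.append(f"STALE [{area}] {name} dated {a.dated}")
            elif name == "risk management plan" and not a.evidence:
                findings.append(f"NO EVIDENCE [{area}] {name}: plan exists but no implementation records")
    for v in vendors:
        if v.baa_executed is None:
            findings.append(f"MISSING BAA {v.name} (PHI shared since {v.phi_shared_since})")
        elif v.baa_executed > v.phi_shared_since:
            findings.append(f"LATE BAA {v.name}: executed {v.baa_executed}, PHI shared since {v.phi_shared_since}")
    for w in workers:
        if w.trained_on is None:
            findings.append(f"UNTRAINED {w.name}")
        elif w.trained_on - w.start_date > ONBOARDING_TRAINING_WINDOW:
            findings.append(f"LATE TRAINING {w.name}: started {w.start_date}, trained {w.trained_on}")
    return findings

def sample_findings():
    """Run the check over constructed sample data (not a real inventory)."""
    today = date(2026, 5, 11)
    artifacts = [
        Artifact("privacy", "privacy officer designation", date(2025, 1, 6)),
        Artifact("privacy", "notice of privacy practices", date(2025, 1, 6)),
        Artifact("privacy", "sanctions policy", None),                     # undated copy in the binder
        Artifact("security", "risk analysis", date(2024, 11, 1)),         # about 18 months old
        Artifact("security", "risk management plan", date(2026, 1, 15)),  # plan only, nothing attached
        Artifact("security", "security officer designation", date(2025, 1, 6)),
        Artifact("breach", "breach response policy", date(2025, 3, 3)),
        Artifact("breach", "breach log", date(2026, 5, 1)),
    ]
    vendors = [
        Vendor("Billing Partners LLC", date(2023, 9, 1), None),
        Vendor("Cloud Backup Co", date(2025, 3, 1), date(2025, 6, 10)),
        Vendor("Shred-It Services", date(2024, 2, 1), date(2024, 1, 20)),
    ]
    workers = [
        Worker("A. Nurse", date(2026, 2, 2), date(2026, 4, 20)),
        Worker("B. Clerk", date(2026, 4, 27), None),
        Worker("C. Coder", date(2025, 8, 11), date(2025, 8, 12)),
    ]
    return find_gaps(artifacts, vendors, workers, today)

if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Run it as part of the "Ongoing" cadence (for example from the same job that refreshes the BAA log), and treat every finding as an open item with an owner and a target date, which is exactly the risk-management evidence OCR asks for. Extend REQUIRED to the full protocol mapping once the binder is built; the check is only as good as the inventory behind it.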
OCR audits are not pass-fail tests you study for the night before. They are assessments of your ongoing compliance program. The organizations that receive the best outcomes are those that have been running a documented, active compliance program continuously — and can prove it. Start building your evidence binder today, not after you receive an OCR letter.

Sources & citations

  • HHS OCR HIPAA Audit Protocol
  • HHS OCR Enforcement Results
  • 45 CFR §160.310 — Responsibilities of covered entities and business associates

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

What triggers an OCR HIPAA investigation?
OCR investigations are triggered by three sources: individual complaints filed directly with OCR, mandatory breach reports submitted by covered entities and business associates, and OCR's own compliance review and audit programs. Individual complaints are the most common trigger. A single patient complaint is sufficient to open an investigation.
What is the OCR Audit Protocol?
The OCR Audit Protocol is the official document OCR uses to assess HIPAA compliance. It lists specific audit inquiries covering Privacy Rule, Security Rule, and Breach Notification Rule requirements, the documentation OCR expects to see for each inquiry, and how OCR evaluates the evidence. Covered entities should review the Audit Protocol and map their documentation to it before any audit.
How long does an OCR investigation typically take?
OCR investigations vary significantly in duration — from a few months for straightforward right-of-access complaints to several years for complex breach investigations. During this time OCR may request multiple rounds of documentation. Organizations should maintain complete records throughout the investigation period.
Can an OCR investigation result in no penalty?
Yes. Many OCR investigations are resolved through voluntary compliance — the covered entity demonstrates it has corrected the issue or was already compliant, and OCR closes the investigation without a penalty. Organizations that respond promptly, cooperate fully, and demonstrate good-faith compliance efforts are most likely to achieve voluntary compliance resolution.
What is a corrective action plan and how long does monitoring last?
A corrective action plan (CAP) is a structured agreement between OCR and the covered entity requiring specific compliance steps and progress reporting. CAPs typically run for one to three years, during which OCR monitors compliance. Financial penalties may accompany a CAP or may be imposed separately.
Does OCR notify organizations before opening an investigation?
For complaint investigations, OCR typically notifies the covered entity that a complaint has been filed and requests initial documentation. For audits selected under OCR's audit program, entities receive advance notice and document requests. OCR does not conduct surprise on-site investigations as a first step — though on-site reviews may occur during extended investigations.

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.