
How to prepare for a HIPAA OCR audit or investigation

OCR investigations open with a document request. Practices that respond quickly and completely with organized records fare substantially better than those that scramble. Here is what OCR asks for and how to have it ready.

By CoreFolio


An OCR investigation does not begin with a penalty. It begins with a letter requesting documentation.

That letter lands, and the practice has 30 days — typically — to produce a comprehensive set of records that may span years of activity. For a practice with organized documentation, this is a stressful but manageable process. For a practice that has never assembled its HIPAA records, 30 days is insufficient time to build the documentation from scratch and respond credibly.

The best time to prepare for an OCR audit is before it happens. What follows is a map of what OCR requests, what your records need to show, and how to organize in advance so that a document request does not become a documentation crisis.

How OCR investigations begin

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) opens investigations through three channels: patient or workforce complaints, breach reports, and proactive compliance reviews (including the ongoing Risk Analysis Initiative). In each case, the covered entity receives a written notification from OCR identifying the nature of the inquiry and the initial document request.

OCR assigns a case number and designates an investigator. From that point, all communications are with that investigator or their supervisor. Designating a single point of contact within your practice for OCR communications is the first action item — this prevents inconsistent representations and ensures that document production is coordinated.

What OCR requests: the standard document inventory

While requests are tailored to the specific allegations or focus area, the following document categories appear in virtually every OCR investigation of a covered health care provider:


1. Risk analysis and risk management plan

What OCR asks for: The most recent risk analysis, all prior risk analyses conducted within the past six years, and the risk management plan.

What it must show:

  • A current, written assessment (dated within approximately 12 months, or updated after material changes to the environment)
  • Coverage of all ePHI systems — not only the EHR, but also email, cloud storage, backup systems, portable devices, and third-party platforms
  • Identified risks rated by likelihood and impact
  • A documented risk management plan with specific corrective actions, responsible parties, and timelines

The risk analysis is the single most commonly cited finding in resolution agreements. If your practice has one, locate it and confirm it is current before an investigation opens. If it is outdated or nonexistent, completing and dating one before responding to OCR is generally better than responding without one — but note that creating records in response to an investigation does not retroactively satisfy the obligation.


2. Policies and procedures

What OCR asks for: All written HIPAA Security Rule and Privacy Rule policies and procedures, with effective dates, revision history, and approval documentation.

What it must show:

  • Written policies addressing each of the required safeguard areas: administrative (§ 164.308), physical (§ 164.310), and technical (§ 164.312)
  • Privacy policies covering permitted uses and disclosures, patient rights, minimum necessary standard, and Notice of Privacy Practices
  • Incident response and breach notification procedures
  • Date of last review and any updates

Under 45 CFR § 164.316(b)(1), policies must be in written form and retained for six years. Policies that exist only as informal practices — understood but never written — are not compliant.


3. Workforce training records

What OCR asks for: Documentation of all HIPAA privacy and security training, by employee, with dates and content covered.

What it must show:

  • A record for each workforce member showing when they received training, what was covered, and that completion was verified
  • Training records for all current and recently departed staff within the investigation timeframe (typically two to three years)
  • If training was assigned to new hires, evidence of when training occurred relative to the start date

The requirement under 45 CFR § 164.308(a)(5)(i) is a security awareness and training program for all workforce members. OCR looks for both the program (documented policies describing the training) and the records (showing that each individual completed it).


4. Business associate agreements

What OCR asks for: Copies of all executed BAAs with every business associate, or a list of vendors with PHI access accompanied by the corresponding BAA for each.

What it must show:

  • A signed BAA with every vendor that creates, receives, maintains, or transmits PHI on your behalf — EHR vendor, billing company, IT support, cloud storage, email provider (if it can access ePHI), answering service, and others
  • BAAs that are current and not expired
  • BAAs that include the required elements under 45 CFR § 164.504(e)

Maintaining a vendor inventory with the corresponding BAA status for each vendor is the most efficient way to respond to this request.


5. Access control records

What OCR asks for: Documentation of user access management — who has access to ePHI systems, how access is granted, and how it is revoked at termination.

What it must show:

  • Unique user credentials for every workforce member (no shared logins)
  • Documentation of access levels and role-based permissions
  • Records of terminated employees’ access revocation, with dates
  • Audit logs showing user access activity

Former employees who still have active EHR or system credentials are among the most common access control findings in small-practice investigations. Maintaining a termination checklist that includes credential revocation as a mandatory step — and keeping records of each termination — directly addresses this.
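The reconciliation that finds these accounts is mechanical once the practice has two records to compare: the HR list of departures with last days, and the list of enabled accounts on each ePHI system, plus that system's audit log. The script below is an added example written for this page, not CoreFolio's tooling and not any EHR vendor's export format; the account list, termination list, audit-log line format (`timestamp user=... event=... result=...`) and the review date are all constructed. It flags three things an investigator would look for in the access control records: enabled accounts whose owner has departed, successful activity under a departed user's credentials after their last day, and shared logins not tied to a single workforce member.

```python
"""Reconcile system accounts and audit-log activity against HR termination
records: the check behind the "former employee with active credentials"
finding. Added example; every account, termination and log line is constructed."""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str  # empty string = not tied to one person (shared login)
    enabled: bool


@dataclass(frozen=True)
class Termination:
    employee_id: str
    last_day: date  # credentials should be revoked by the end of this day


# Constructed sample data for a hypothetical practice
ACCOUNTS = [
    Account("jdoe", "E100", enabled=True),      # departed, still enabled
    Account("asmith", "E200", enabled=False),   # departed, correctly disabled
    Account("bwong", "E300", enabled=True),     # current staff
    Account("frontdesk", "", enabled=True),     # shared login, no owner
]
TERMINATIONS = [
    Termination("E100", date(2026, 1, 31)),
    Termination("E200", date(2025, 11, 15)),
]
AUDIT_LOG = [  # constructed; format is an assumption, not a real EHR export
    "2026-01-30T17:02:11 user=jdoe event=login result=success",
    "2026-02-14T09:41:05 user=jdoe event=login result=success",
    "2026-02-14T09:43:20 user=jdoe event=record_view result=success",
    "2026-02-15T08:00:00 user=bwong event=login result=success",
    "2025-11-20T08:00:00 user=asmith event=login result=failed",
]
AS_OF = date(2026, 3, 1)  # date the review is run


def parse_audit_line(line: str) -> dict:
    """Parse 'ISO-timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def find_stale_credentials(accounts, terminations, as_of: date) -> list[dict]:
    """Enabled accounts whose owner's last day is already in the past."""
    last_day_by_emp = {t.employee_id: t.last_day for t in terminations}
    findings = []
    for acct in accounts:
        last_day = last_day_by_emp.get(acct.employee_id)
        if acct.enabled and last_day is not None and last_day < as_of:
            findings.append({
                "username": acct.username,
                "employee_id": acct.employee_id,
                "last_day": last_day.isoformat(),
                "days_active_after_departure": (as_of - last_day).days,
            })
    return findings


def find_post_termination_activity(audit_lines, accounts, terminations) -> list[tuple]:
    """Non-failed events recorded under a user's credentials after that user's last day."""
    emp_by_user = {a.username: a.employee_id for a in accounts}
    last_day_by_emp = {t.employee_id: t.last_day for t in terminations}
    hits = []
    for line in audit_lines:
        rec = parse_audit_line(line)
        last_day = last_day_by_emp.get(emp_by_user.get(rec.get("user", "")))
        if last_day is None or rec.get("result") == "failed":
            continue  # current staff, unknown user, or a rejected attempt
        if rec["ts"].date() > last_day:
            hits.append((rec["user"], rec["ts"].isoformat(), rec.get("event", "")))
    return hits


def find_shared_logins(accounts) -> list[str]:
    """Enabled accounts not attributable to a single workforce member."""
    return [a.username for a in accounts if a.enabled and not a.employee_id]


def access_review(accounts, terminations, audit_lines, as_of: date) -> dict:
    """Bundle the three checks into one dated report for the access-review file."""
    return {
        "as_of": as_of.isoformat(),
        "stale_credentials": find_stale_credentials(accounts, terminations, as_of),
        "post_termination_activity": find_post_termination_activity(
            audit_lines, accounts, terminations),
        "shared_logins": find_shared_logins(accounts),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(access_review(ACCOUNTS, TERMINATIONS, AUDIT_LOG, AS_OF), indent=2))
```

Running the review on a schedule and filing each dated report alongside the termination checklist gives the practice exactly the record OCR asks for in this category: evidence of who had access, when it was revoked, and that someone checked. On the sample data the report flags `jdoe` (enabled 29 days after the last day, with two successful events in February), and the unowned `frontdesk` login; `asmith` is clean because the account was disabled and the only later event was a rejected login.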


6. Breach log and incident records

What OCR asks for: All security incident reports and breach notifications for the investigation period, including incidents that were evaluated and determined not to require notification.

What it must show:

  • A breach log maintained for all incidents — not only those that resulted in external notification
  • For each incident: date of discovery, nature of the incident, PHI involved, four-factor risk assessment (if conducted), and outcome
  • Copies of any notification letters sent to individuals or HHS
  • Confirmation of HHS reporting (for breaches reported in the annual log of breaches affecting fewer than 500 individuals)

An empty breach log is a red flag. It suggests either that no incidents have been documented (which OCR will scrutinize against EHR audit logs and other records) or that incidents occurred but were not logged. Small practices experience incidents regularly — misdirected faxes, emails sent to wrong addresses, devices that go missing briefly. All should be logged, assessed, and documented.


7. The Notice of Privacy Practices

What OCR asks for: Current and prior versions of the Notice of Privacy Practices (NPP), evidence that it is posted, and a process for providing it to patients.

What it must show:

  • An NPP that contains all required elements under 45 CFR § 164.520
  • Evidence of posting in the office and on the website (if one exists)
  • A documented process for providing the NPP to patients at their first service delivery

How to organize your records before an investigation

The goal is a HIPAA documentation file that can respond to a standard OCR request within the 30-day window without an emergency mobilization.

Maintain a HIPAA binder or digital folder with the following sections:

  1. Current risk analysis (with date)
  2. Risk management plan (with action items and completion dates)
  3. All policies and procedures (with effective dates and revision log)
  4. Workforce training records (by employee, by year)
  5. Business associate agreements (indexed by vendor)
  6. Vendor inventory (name, function, BAA status, BAA date)
  7. Breach log
  8. Security incident log
  9. Current NPP and distribution records

Review annually. The Security Rule requires periodic evaluation under 45 CFR § 164.308(a)(8). Treating the annual evaluation as an opportunity to confirm your documentation is current and complete is the most practical way to stay ready.

Assign clear ownership. The Security Official is responsible for maintaining the security documentation. The Privacy Official is responsible for the privacy-side records. For a small practice where these roles overlap, the single designated individual is responsible for both.

If OCR contacts you

  • Respond promptly and through the designated point of contact
  • Request an extension before the deadline if you genuinely need more time to compile records — extensions are available
  • Do not produce documents you have not reviewed
  • Do not represent that records exist if they do not
  • Consult legal counsel experienced in OCR investigations if the scope is large, the allegations are serious, or the missing documentation is significant

OCR’s goal is compliance, not penalties. Practices that demonstrate genuine engagement, organized records, and a commitment to remediation consistently achieve better outcomes than those that are adversarial or disorganized — regardless of whether the underlying violation was serious.


Sources: 45 CFR § 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR § 164.308(a)(5)(i) (workforce training); 45 CFR § 164.308(a)(6) (incident response); 45 CFR § 164.308(a)(8) (periodic evaluation); 45 CFR § 164.316(b) (policies, procedures, documentation retention); 45 CFR § 164.504(e) (BAA required elements); 45 CFR § 164.520 (Notice of Privacy Practices); 45 CFR § 160.308 (OCR compliance reviews); HHS OCR Audit Program, hhs.gov/hipaa/for-professionals/compliance-enforcement/audit; OCR resolution agreements, hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements. Last verified May 20, 2026.