HIPAA Audit Proof Checklist for Small Practices
Most small healthcare practices have some version of HIPAA compliance in place. Policies exist somewhere. Training happened at some point. A risk assessment was probably done.
But when an auditor asks for proof, "somewhere" and "at some point" do not count.
Auditors do not care what you say you do. They care what you can show. That means dated documents, signed records, system logs, and organized files that demonstrate your compliance program is real, active, and specific to your organization.
This is what OCR's audit program is built to evaluate. Not perfection. Evidence.
Here is what small practices need to have ready.
Core Documents Auditors Expect
Every HIPAA audit starts with foundational paperwork. These are the baseline documents auditors will request before looking at anything else.
- Security Risk Assessment (SRA) — a current, dated evaluation of the threats and vulnerabilities to ePHI in your specific environment. Not a generic template. Not a vendor's default output. It must reflect your systems, your workflows, and your people. Required under 45 CFR 164.308(a)(1).
- HIPAA policies and procedures — written documents covering the Privacy Rule, Security Rule, and Breach Notification Rule. They must be tailored to your practice, not copied from a downloaded PDF. Each policy should have a version date and a review history.
- Workforce training records — evidence that every employee who handles PHI has completed HIPAA training. This includes the date of training, the topics covered, and a signed or electronically recorded acknowledgment from each person.
- Business Associate Agreements (BAAs) — signed agreements with every vendor that creates, receives, maintains, or transmits PHI on your behalf. If a BAA is missing, the relationship is a compliance gap regardless of how good the vendor's security is.
These documents must be current. A risk assessment from three years ago with no updates is a red flag, not a proof point. Policies without a review date tell auditors the program is not actively maintained.
Operational Evidence Auditors Look For
Policy documents show intent. Operational evidence shows execution. Auditors want both.
For a small practice, this does not require enterprise-grade tools. It requires consistency. Here is what auditors typically ask to see:
- Access logs — records showing who accessed what systems and when. Most EHR platforms generate these automatically. The key is knowing where those logs live and being able to pull them when asked.
- Periodic access reviews — documentation that someone reviewed user access rights at regular intervals. Even a simple spreadsheet showing quarterly reviews of who has access to your EHR, billing system, and file shares counts.
- Incident and breach records — a log of any security events, privacy complaints, or near-misses. If nothing has ever happened, document that too. A blank incident log with regular review dates is better than no log at all.
- Access change documentation — records showing that access was granted, modified, or revoked when employees joined, changed roles, or left. Terminated employees still showing active accounts is one of the most common audit findings.
A small practice with five staff members can maintain this evidence in a shared folder with simple naming conventions. The format does not matter. The habit does.
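One way to produce the periodic access review described above, and to catch the terminated-employee-with-an-active-account finding, is to reconcile a system's user export against the HR roster and file the dated result. This is an added example, not from the article; the CSV column names (employee/status/termination_date and username/enabled/role) and the sample rows are constructed.

```python
"""Quarterly access review: reconcile a system's user export against the HR roster.
Added example, not from the article; the CSV columns and sample data are constructed."""
import csv
import io
from datetime import date

# Constructed sample inputs: the HR roster and an export of EHR accounts.
HR_ROSTER_CSV = """employee,status,termination_date
alice,active,
bob,terminated,2024-02-15
carol,active,
"""
EHR_USERS_CSV = """username,enabled,role
alice,true,clinician
bob,true,billing
dave,true,admin
"""

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def review_access(roster_csv, users_csv):
    """Return (finding, username) pairs for enabled accounts that should not exist:
    accounts of terminated staff and accounts matching nobody on the roster."""
    roster = load_rows(roster_csv)
    active = {r["employee"] for r in roster if r["status"] == "active"}
    terminated = {r["employee"] for r in roster if r["status"] == "terminated"}
    findings = []
    for u in load_rows(users_csv):
        if u["enabled"].lower() != "true":
            continue  # disabled accounts are not an access finding
        if u["username"] in terminated:
            findings.append(("terminated_still_enabled", u["username"]))
        elif u["username"] not in active:
            findings.append(("unknown_account", u["username"]))
    return findings

def review_record(system, findings, reviewer, on=None):
    """Dated text record of the review, ready to file with the quarterly review records."""
    on = on or date.today().isoformat()
    lines = [f"Access review of {system} on {on} by {reviewer}",
             f"Enabled accounts flagged: {len(findings)}"]
    lines += [f"- {kind}: {user}" for kind, user in findings]
    return "\n".join(lines)

if __name__ == "__main__":
    print(review_record("EHR", review_access(HR_ROSTER_CSV, EHR_USERS_CSV), "practice manager"))
```

Run it each quarter per system (EHR, billing, file shares) and keep the printed record; the record itself is the evidence, whether or not it lists any findings.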
Vendor and BAA Proof
Vendor oversight is where many small practices fall short. The BAA gets signed during onboarding and then forgotten.
Auditors expect more than a signed contract in a drawer. They want to see:
- A current list of all vendors with PHI access — including cloud storage, EHR hosting, billing services, IT support, shredding companies, and answering services.
- Signed BAAs for each vendor — with dates, signatures, and terms that match current HIPAA requirements.
- Renewal or review dates — evidence that BAAs are reviewed periodically, not just signed once and filed away.
- Third-party review notes — any documentation of vendor security reviews, questionnaire responses, or due diligence checks you have conducted.
Vendor proof gets overlooked because it feels administrative. But if a vendor causes a breach and you cannot show a valid BAA or any record of oversight, the liability shifts to your practice.
Common Evidence Gaps
These are the gaps that create real audit risk for small practices. They are not obscure technical failures. They are basic documentation problems.
- Missing employee sign-offs — training happened, but nobody signed an acknowledgment form. Without a record, the training did not happen as far as an auditor is concerned.
- Stale policies with no review date — policies were written years ago and never revisited. No version history, no review signature, no evidence that anyone has read them since they were created.
- No training completion logs — the practice runs training sessions but keeps no record of who attended, what was covered, or when it occurred.
- Scattered files and unclear ownership — compliance documents are spread across personal email accounts, random desktop folders, and a filing cabinet nobody opens. There is no single person responsible for knowing where everything is.
- No risk assessment follow-up — the SRA identified gaps, but there is no remediation plan, no assigned owners, and no timeline for fixes. The assessment exists, but nothing came of it.
Each of these gaps is easy to fix. The problem is that nobody fixes them until an audit forces the issue.
A Simple Evidence Folder Structure
You do not need compliance software to organize audit evidence. You need a folder structure that a small team can maintain without confusion.
Here is a recommended layout:
- 01-Risk-Assessment
  - Current SRA document
  - Remediation plan with owners and dates
  - Prior year SRA (for comparison)
- 02-Policies-and-Procedures
  - Privacy policies
  - Security policies
  - Breach notification procedures
  - Version history and review log
- 03-Training-Records
  - Training materials and agendas
  - Employee sign-off sheets (by year)
  - Completion certificates
- 04-BAAs-and-Vendors
  - Signed BAAs (one per vendor)
  - Vendor inventory list with renewal dates
  - Due diligence notes
- 05-Access-Management
  - User access lists by system
  - Quarterly access review records
  - Onboarding and termination checklists
- 06-Incident-Records
  - Incident log (even if empty, with review dates)
  - Breach investigation reports
  - Breach notification documentation
- 07-Annual-Reviews
  - Annual compliance review summary
  - Policy review sign-off
  - Risk assessment update notes
Name files with dates. Keep the structure consistent. Assign one person to maintain it. That is the entire system.
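A quick self-check of that folder layout, flagging the gaps listed earlier (a missing folder, files without a date, a section whose newest document is years old), as an added example that is not from the article. It assumes every file name starts with an ISO date (YYYY-MM-DD-...) as the "name files with dates" rule above suggests; the sample tree it builds is constructed.

```python
"""Audit the evidence layout above for gaps an auditor would spot. Added example,
not from the article; assumes an ISO date prefix (YYYY-MM-DD-...) on every file."""
import os, re, tempfile
from datetime import date, timedelta

EXPECTED_FOLDERS = ["01-Risk-Assessment", "02-Policies-and-Procedures",
                    "03-Training-Records", "04-BAAs-and-Vendors", "05-Access-Management",
                    "06-Incident-Records", "07-Annual-Reviews"]
DATE_PREFIX = re.compile(r"^(\d{4})-(\d{2})-(\d{2})[-_ ]")

def file_date(name):
    """Date from a 'YYYY-MM-DD-...' file name, or None if absent or invalid."""
    m = DATE_PREFIX.match(name)
    try:
        return date(*map(int, m.groups())) if m else None
    except ValueError:
        return None

def check_evidence(root, today, max_age_days=365):
    """Return (kind, item) findings: missing folders, undated files, stale folders."""
    findings, cutoff = [], date.fromisoformat(today) - timedelta(days=max_age_days)
    for folder in EXPECTED_FOLDERS:
        path = os.path.join(root, folder)
        if not os.path.isdir(path):
            findings.append(("missing_folder", folder))
            continue
        dated = []
        for name in sorted(os.listdir(path)):
            d = file_date(name)
            if d is None:
                findings.append(("undated_file", f"{folder}/{name}"))
            else:
                dated.append(d)
        # Newest dated document older than the cutoff means nobody has maintained it.
        if not dated or max(dated) < cutoff:
            findings.append(("stale_folder", folder))
    return findings

def build_sample_tree():
    """Constructed sample: a stale SRA, an undated policy, no incident folder."""
    root = tempfile.mkdtemp()
    sample = {f: ["2024-09-30-document.pdf"] for f in EXPECTED_FOLDERS}
    sample["01-Risk-Assessment"] = ["2021-03-10-SRA.pdf"]
    sample["02-Policies-and-Procedures"].append("Privacy-Policy.docx")
    del sample["06-Incident-Records"]
    for folder, names in sample.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:
            open(os.path.join(root, folder, n), "w").close()
    return root
```

Point `check_evidence` at the real evidence root with today's date (for example `check_evidence("/path/to/evidence", "2025-01-15")`) before each annual review; an empty result means every section exists and has a dated document from the past year.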
FAQs
Do auditors expect every HIPAA policy to be custom-written?
Not necessarily, but policies must reflect your actual operations. A template is a starting point, not a finished product. If your policies describe procedures your practice does not follow, or reference systems you do not use, they will not satisfy an auditor. Review every policy and make it specific to your workflows, your staff roles, and your technology.
How far back do auditors look at training records?
HIPAA requires training within a reasonable period after an employee is hired and whenever there are material changes to policies. Auditors typically want to see at least the most recent training cycle for all current employees, plus evidence that new hires received training during onboarding. Keeping two to three years of records is a practical minimum.
What if our practice has never had a security incident?
That is fine, but document it. Maintain an incident log and record regular reviews even if there is nothing to report. An empty log with quarterly review dates shows the process is active. No log at all suggests nobody is paying attention.
Can we store compliance evidence digitally instead of on paper?
Yes. HIPAA does not require paper records. Digital storage is acceptable as long as the files are accessible, organized, backed up, and protected from unauthorized access. A shared drive with proper access controls and a clear folder structure works for most small practices.
Conclusion
One Guy Consulting helps small healthcare practices organize HIPAA compliance evidence and prepare for audits with confidence. Book a free 30-minute intro to see where your documentation stands.