The OCR audit program is one of the most powerful enforcement tools available to the Department of Health and Human Services (HHS) Office for Civil Rights. Since its inception, the program has fundamentally reshaped how healthcare organizations approach HIPAA compliance. Rather than waiting for a breach to trigger an investigation, the OCR audit program proactively examines whether covered entities and business associates maintain the policies, procedures, and safeguards required by federal law.
For healthcare organizations of every size, understanding the OCR audit process is not optional. An audit notice can arrive at any time, and the window for producing required documentation is narrow. Organizations that prepare in advance greatly reduce their risk of adverse findings, corrective action plans, and the financial penalties that can follow. This guide provides a complete overview of how the OCR audit program operates and what your organization must do to be ready.
How the OCR Audit Program Works
Origins and Legal Authority
The HITECH Act of 2009 mandated that HHS conduct regular audits of covered entities and business associates to assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR was designated as the agency responsible for carrying out this mandate. The audit program operates independently of OCR's complaint-driven investigations, meaning your organization can face an audit even if no breach or complaint has been filed.
OCR developed its audit protocol through extensive consultation with industry stakeholders, creating a structured method that evaluates specific regulatory requirements. The protocol has evolved over time, reflecting lessons learned from early audit rounds and changes in the threat landscape facing healthcare organizations.
Audit Selection Process
OCR selects audit targets using a combination of factors. The agency maintains a database of covered entities and business associates drawn from multiple sources, including breach reports, prior complaints, and publicly available information. Selection criteria include:
- Entity size and type (large health systems, small practices, health plans, clearinghouses, business associates)
- Geographic diversity to ensure national coverage
- Prior compliance history, including breach reports filed with OCR
- Random selection, to ensure that any entity could be audited regardless of its history
When selected, entities receive a notification letter requesting specific documentation within a defined timeframe, often 10 business days. Failing to respond or providing incomplete documentation is itself a compliance deficiency that OCR records in its findings.
Audit Protocol Areas
The OCR audit protocol evaluates compliance across three primary regulatory domains:
- Privacy Rule requirements, including the Notice of Privacy Practices, patient access rights, the minimum necessary standard, authorizations, and uses and disclosures of PHI
- Security Rule requirements, including administrative safeguards, physical safeguards, technical safeguards, and workforce-related requirements
- Breach Notification Rule requirements, including the breach risk assessment methodology, notification procedures, and documentation of breach determinations
Each protocol area contains specific audit inquiries tied to individual regulatory provisions. Auditors assess whether the entity has implemented required policies, whether those policies are followed in practice, and whether sufficient documentation exists to demonstrate compliance.
Phase 1 and Phase 2 Audits
Phase 1: The Pilot Program
OCR launched Phase 1 of its audit program in 2011-2012 as a pilot effort. During Phase 1, OCR conducted 115 on-site audits of covered entities across the country. These comprehensive audits examined compliance with all aspects of the Privacy, Security, and Breach Notification Rules.
Key findings from Phase 1 revealed widespread compliance gaps:
- Security Rule deficiencies were the most common, especially in risk analysis and risk management
- Many entities lacked complete and current policies and procedures
- Smaller entities showed significantly more compliance deficiencies than larger entities
- Risk analysis was the single most frequently cited deficiency across all audited entities
Phase 1 findings directly influenced the design of Phase 2, as OCR recognized the need for a more scalable approach that could reach a larger number of entities.
Phase 2: Desk Audits and Expanded Scope
Phase 2 of the OCR audit program introduced a fundamentally different approach. Rather than conducting resource-intensive on-site visits for every audit, Phase 2 relies primarily on desk audits, which are conducted remotely through document review. This model allows OCR to audit far more entities while focusing its on-site resources on the most significant compliance concerns.
Phase 2 operates in two stages:
- Desk audits evaluate specific, focused areas of compliance by requesting targeted documentation from the selected entity
- On-site audits are conducted for a subset of entities, particularly those where desk audit findings suggest significant compliance concerns
Phase 2 also expanded the scope of the program to include business associates for the first time, reflecting the growing role that vendors, contractors, and service providers play in handling health data.
Desk Audits vs. On-Site Audits
Understanding Desk Audits
Desk audits are the primary audit tool in the current OCR program. During a desk audit, OCR requests specific documentation from the audited entity and reviews it remotely. The audit focuses on a limited number of protocol areas rather than examining every aspect of HIPAA compliance.
A typical desk audit process follows these steps:
- OCR sends a notification letter identifying the entity for audit
- The entity completes a pre-audit screening questionnaire about its size, operations, and contact information
- OCR requests specific documentation related to the selected protocol areas
- The entity submits documentation within the required timeframe
- OCR auditors review the submissions and prepare a draft audit report
- The entity receives the draft report and has an opportunity to respond
- OCR finalizes the audit report
Desk audits often focus on two to three protocol areas per audit. Common focus areas include risk analysis documentation, policies governing access to PHI, breach notification procedures, and the Notice of Privacy Practices.
Understanding On-Site Audits
On-site audits are more comprehensive and intrusive. OCR auditors physically visit the entity's facilities to examine compliance in greater depth. On-site audits may include:
- Interviews with key staff, including the Privacy Officer, Security Officer, and other workforce members
- Observation of physical safeguards such as workstation security, facility access controls, and record handling practices
- Review of technical systems, including access controls, audit logs, encryption implementation, and incident response procedures
- Examination of training records to verify that workforce members receive required HIPAA training
- Assessment of business associate management, including the BAA inventory and vendor oversight practices
On-site audits are often reserved for entities where desk audit findings indicate potential systemic compliance failures, or where the nature of the entity's operations warrants more detailed examination.
Common OCR Audit Findings
Most Frequently Cited Deficiencies
Across both Phase 1 and Phase 2 audits, certain compliance failures appear with striking regularity. Understanding these common findings allows organizations to prioritize their compliance efforts where they matter most.
Security Rule findings:
- Incomplete or absent risk analysis remains the number one finding across all audit rounds
- Inadequate risk management plans that fail to address identified vulnerabilities
- Missing or outdated policies and procedures for Security Rule administrative safeguards
- Insufficient access controls, including failure to implement unique user identification and automatic logoff
- Lack of encryption for ePHI at rest and in transit
- Incomplete audit logging and failure to regularly review audit logs
Privacy Rule findings:
- Deficient Notice of Privacy Practices that fails to include all required elements
- Failure to apply the minimum necessary standard when using or disclosing PHI
- Inadequate patient access procedures, including failure to provide records within required timeframes
- Missing or incomplete access rights forms that lack required elements
- Insufficient workforce training on Privacy Rule requirements
Breach Notification Rule findings:
- Absent or incomplete breach risk assessment methodology
- Failure to document breach determinations, including the four-factor risk assessment
- Inadequate notification procedures and failure to meet notification timeframes
- Incomplete breach log or failure to maintain required documentation of breaches affecting fewer than 500 individuals
Organizations that address these high-frequency findings before an audit dramatically improve their compliance posture. For a deeper understanding of how penalties escalate from these findings, see our guide on HIPAA penalties and enforcement actions.
Preparing for an OCR Audit
Building a State of Continuous Readiness
The most effective audit preparation strategy is not a last-minute scramble but a continuous compliance program that keeps documentation current and practices aligned with policy. Healthcare organizations should adopt the following preparation strategies:
Conduct a comprehensive risk analysis annually. This is the single most important compliance action you can undertake. Your risk analysis should identify all systems that create, receive, maintain, or transmit ePHI, evaluate the threats and vulnerabilities to those systems, assess the likelihood and impact of potential risks, and document the security measures in place to mitigate identified risks.
Maintain a comprehensive policy and procedure library. Every HIPAA regulatory requirement should have a corresponding written policy and procedure. Policies must be reviewed and updated regularly, and updates must be documented with version history. Staff must be trained on relevant policies and must acknowledge that training in writing.
Implement and document a risk management plan. Your risk management plan should directly address every significant risk identified in your risk analysis. For each risk, document the mitigation strategy selected, the timeline for implementation, the responsible party, and the current status.
Establish a robust training program. Maintain detailed training records that include the date of training, topics covered, trainer identity, attendee names, and acknowledgment signatures. Training should occur at hire, annually, and whenever significant policy changes are implemented.
Documentation Requirements
OCR auditors rely heavily on documentation to assess compliance. Your organization must be able to produce the following on short notice:
- Current risk analysis with supporting methodology documentation
- Risk management plan with implementation status
- Complete HIPAA policies and procedures with revision history
- Workforce training records, including content, dates, and attendance
- Business Associate Agreements for all vendors handling PHI
- Breach notification documentation, including risk assessments and notification records
- Incident response records documenting security incidents and their resolution
- System activity logs and audit trail reviews
- Physical safeguard documentation, including facility security plans
- Sanction policy and records of any sanctions imposed
Maintaining a centralized compliance documentation repository ensures that your organization can respond promptly to audit requests. Organizations that struggle to locate or produce requested documentation face additional scrutiny and adverse findings. For a broader view of what HIPAA requires, review our complete HIPAA compliance guide.
Developing a Corrective Action Plan
When an OCR audit identifies deficiencies, the entity is expected to develop and implement a Corrective Action Plan (CAP). A strong CAP demonstrates good faith and a commitment to compliance, which can influence OCR's enforcement decisions.
An effective CAP should include:
- Specific identification of each deficiency cited in the audit report
- Root cause analysis explaining why the deficiency exists
- Detailed remediation steps with clear, measurable actions
- Responsible parties assigned to each remediation task
- Implementation timeline with realistic but prompt deadlines
- Verification methodology explaining how the entity will confirm remediation is complete
- Monitoring provisions to prevent recurrence of the deficiency
Entities that proactively develop CAPs and demonstrate meaningful progress toward remediation are far more likely to resolve audit findings without escalation to formal enforcement action.
What Happens After an Audit
Audit Reports and Follow-Up
After completing its review, OCR issues a draft audit report to the audited entity. The entity often has 10 business days to review the draft and submit a written response addressing the findings. OCR considers the entity's response when preparing the final audit report.
The final audit report documents:
- The scope of the audit and the protocol areas examined
- Findings for each protocol area, including whether the entity met, partially met, or did not meet the relevant requirements
- Specific deficiencies identified, with reference to the relevant regulatory provision
- The entity's response to the draft findings
Escalation to Enforcement
While the OCR audit program is described as a compliance improvement tool rather than a punitive one, audit findings can and do lead to enforcement action. If an audit reveals serious or systemic compliance failures, OCR may:
- Refer the matter to its enforcement division for formal review
- Require the entity to enter into a Resolution Agreement with a monetary settlement and a multi-year CAP
- In egregious cases, pursue civil monetary penalties through an administrative hearing
The relationship between audits and enforcement underscores why proactive preparation is essential. Organizations that treat audit preparation as an ongoing priority rather than a reactive exercise protect themselves from the most serious consequences of non-compliance. Understanding the full scope of HIPAA enforcement helps organizations appreciate the stakes involved.
OCR Audit FAQ
How often does OCR conduct audits?
OCR conducts audits in rounds rather than on a fixed annual schedule. The HITECH Act requires regular audits, and OCR has conducted multiple rounds since the program launched in 2011. There is no set frequency for individual entities, and any covered entity or business associate could be selected in any audit round.
Can business associates be audited?
Yes. Phase 2 of the OCR audit program expanded to include business associates. If your organization handles PHI on behalf of a covered entity, you are subject to audit. This includes IT service providers, billing companies, cloud hosting providers, and any other vendor that creates, receives, maintains, or transmits PHI.
What is the difference between an OCR audit and an OCR investigation?
An OCR audit is a proactive, scheduled review of compliance that may be triggered by random selection or risk-based criteria. An OCR investigation is a reactive process triggered by a complaint, breach report, or media coverage. Investigations tend to be more adversarial and are more likely to result in enforcement action, but audit findings can also be referred for investigation.
How much time do we have to respond to an audit request?
Entities often receive 10 business days to respond to documentation requests during a desk audit. Given this tight timeline, maintaining organized and accessible compliance documentation is essential. Entities that cannot produce requested materials within the allotted time face additional adverse findings.
Does passing an audit guarantee compliance?
No. An audit examines selected protocol areas at a specific point in time. Passing an audit means that the examined areas met requirements at the time of review. Compliance is an ongoing obligation that requires continuous effort, regular updates, and vigilant monitoring across all HIPAA requirements.
OCR Audit Takeaways
The OCR audit program represents both a significant compliance challenge and an opportunity for healthcare organizations. Organizations that invest in continuous compliance readiness, maintain thorough documentation, and address known deficiencies proactively are best positioned to navigate an audit successfully. The cost of preparation is far less than the cost of adverse findings, corrective action plans, and potential enforcement action.
One Guy Consulting helps healthcare organizations build and maintain audit-ready compliance programs. From conducting comprehensive risk analyses to developing complete policy libraries and training programs, our team provides the expertise needed to face an OCR audit with confidence. Contact us today to assess your organization's audit readiness and strengthen your HIPAA compliance posture.