OCR HIPAA Audit Protocol Requirements and Evidence Examples: What Regulators Expect


Kevin Henry

HIPAA

August 02, 2024

9 minutes read

Overview of OCR HIPAA Audit Protocol

The Office for Civil Rights (OCR) uses a standardized HIPAA Audit Protocol to assess compliance with the HIPAA Privacy Rule, the Security Rule, and the Breach Notification Rule. If you are selected, auditors evaluate how your written policies align with day-to-day operations and whether you can prove consistent implementation during the audit period.

The protocol applies to covered entities and business associates. Reviews may be desk-based or on-site and are time-bound, meaning OCR will ask for dated evidence from a defined period. Regulators expect three things: (1) policies and procedures that meet the rules, (2) evidence that staff follow them, and (3) management oversight with corrective action where gaps exist.

  • What regulators expect you to provide quickly: an inventory of systems with ePHI, a recent enterprise-wide risk analysis, your risk management plan, Business Associate Agreements, training records, and an incident/breach log.
  • How they evaluate: by mapping your evidence to protocol inquiries, sampling records (e.g., access requests, terminations, incidents), and verifying that leadership reviews and updates controls.

Key Audit Areas and Modules

OCR’s modules mirror the three HIPAA rules and focus on control design plus operational proof:

  • Privacy Rule modules: Notice of Privacy Practices, uses and disclosures, minimum necessary, authorizations, patient rights (access within required timeframes, amendments, restrictions), and complaint handling.
  • Security Rule modules: administrative safeguards (risk analysis and risk management, training, sanctions, workforce security), physical safeguards (facility access, workstation security, device and media controls), and technical safeguards (access control, audit controls, integrity, authentication, and transmission security).
  • Breach Notification Rule modules: incident identification and risk-of-compromise assessment, notification to individuals, media (for large breaches), and HHS reporting, plus documentation of decisions.

Documentation Requirements and Evidence Examples

OCR looks for current, approved documents and corroborating artifacts that show implementation. Retain required records for six years from their creation date or the date they were last in effect.

  • Policies and Procedures Review: finalized, dated policies for Privacy, Security, and Breach; revision history; approval signatures; distribution logs; attestations that staff received updates.
  • Risk Assessment Documentation: an enterprise-wide risk analysis identifying assets with ePHI, threats, vulnerabilities, likelihood/impact ratings, and a risk register tied to a funded risk management plan with owners and deadlines.
  • Business Associate Agreements: executed BAAs for all vendors handling PHI, including downstream subcontractors; inventory of services, data flows, and due diligence results.
  • Training and sanctions: role-based training curriculum, completion rosters, test scores or acknowledgments, sanction policy, and a log of applied sanctions.
  • Access management: onboarding/termination checklists, least-privilege matrices, periodic access reviews, unique user IDs, MFA adoption records, and sample tickets proving timely removals.
  • Audit and monitoring: system audit logs, SIEM summaries, alert runbooks, sample investigations, and metrics reported to leadership.
  • Technology configuration: encryption settings, TLS configurations, VPN and MDM baselines, endpoint hardening standards, patch and vulnerability scan reports, and change management records.
  • Contingency planning: data backup procedures, recovery time objectives, restore test results, disaster recovery and emergency mode operations plans, and lessons-learned reports from exercises.
  • Privacy operations: Notice of Privacy Practices, access request logs with response letters, minimum necessary justifications, authorization forms, accounting of disclosures, and complaint logs with resolutions.
  • Incident/breach files: investigation notes, the four-factor risk assessment, mitigation steps, notification letters, proof of mailing or delivery, HHS submission confirmations, and legal hold records.

Administrative Safeguards Compliance

OCR validates that your administrative safeguards are risk-based, documented, and working in practice, not just on paper. Expect targeted questions on how leadership oversees Security Rule compliance and tracks remediation to closure.

  • Security management process: current risk analysis, prioritized risk treatment plan, acceptance/transfer decisions, and periodic reassessment when technology or operations change.
  • Assigned security responsibility and governance: named security official, chartered privacy and security committees, dashboards to executives, and records of decisions.
  • Workforce security and information access management: background checks as appropriate, defined roles, least-privilege workflows, break-glass controls for emergencies, and regular entitlement reviews.
  • Security awareness and training: new-hire and periodic refreshers, phishing simulations, secure handling of PHI, reporting channels for suspected incidents, and documentation of completion.
  • Security incident procedures: triage playbooks, on-call roster, severity definitions, evidence preservation steps, and post-incident reviews that feed the risk program.
  • Contingency plan: data backup, disaster recovery, and emergency mode plans with restore tests and communication trees; evidence that critical functions can continue during outages.
  • Business Associate Agreements: inventory, screening and onboarding, contractual security expectations, and oversight of performance and incidents.
  • Evaluation: periodic technical and nontechnical evaluations to verify ongoing compliance and effectiveness; documented results and action items.

Where the rule marks a specification as addressable, OCR still expects a documented analysis and either implementation or a justified, equivalent alternative, with the risks and residual controls clearly recorded.


Technical and Physical Safeguards Review

Auditors test whether technical and physical controls align with risks and are operating consistently. They look for clear standards plus system evidence that the standards are enforced.

  • Access control: unique user IDs, MFA for remote/privileged access, automatic logoff, and emergency access procedures; periodic reviews to remove stale or excessive rights.
  • Audit controls: logging on systems that create, receive, maintain, or transmit ePHI; centralized monitoring; defined retention; and documented investigations of notable events.
  • Integrity and authentication: hashing or integrity checks, change detection for critical systems, digital signatures where appropriate, and strong authentication tied to HR status.
  • Transmission security: encryption in transit (e.g., secure email gateways, TLS for APIs), network segmentation, and protections for telehealth and remote work.
  • Encryption at rest and endpoint protection: full-disk encryption on laptops and portable media, key management procedures, mobile device management, and remote wipe capability.
  • Facility access controls: visitor management, access badges, camera coverage for sensitive areas, and documented responses to environmental alarms.
  • Workstation security: placement to reduce viewing by unauthorized persons, screen privacy measures, and standard builds locked against unauthorized software.
  • Device and media controls: inventory of hardware containing ePHI, chain-of-custody logs, secure reuse and disposal procedures, and certificates of destruction.
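The access-management evidence OCR samples (onboarding/termination checklists, tickets proving timely removals, periodic reviews that catch stale accounts) can be produced mechanically from two sources you already keep: the HR termination feed and the identity system's audit log. The following script is an added example, not code from the original article or from Accountable; it reconciles a constructed HR termination list against constructed IAM audit log lines, reports the lag between each termination and the account being disabled, and flags accounts that were never disabled. The log line format, the 24-hour removal SLA, and the sample users are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed HR feed: user ID -> effective termination time (UTC).
HR_TERMINATIONS = {
    "jdoe": datetime(2024, 5, 1, 17, 0, tzinfo=timezone.utc),
    "asmith": datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc),
    "bnguyen": datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc),
}

# Constructed IAM audit log in an assumed key=value format.
IAM_LOG = """\
2024-05-02T09:15:00Z user=jdoe action=disable actor=iam-automation
2024-05-02T09:16:00Z user=jdoe action=revoke_token actor=iam-automation
2024-05-07T16:30:00Z user=asmith action=disable actor=helpdesk
2024-05-06T10:00:00Z user=cwong action=login actor=cwong
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)")

# Assumed SLA: accounts must be disabled within 24 hours of termination.
REMOVAL_SLA = timedelta(hours=24)


def parse_disable_events(log_text):
    """Return {user: earliest 'disable' timestamp} from the audit log."""
    disabled = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match or match["action"] != "disable":
            continue
        ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # Keep the earliest disable per user so repeated actions do not hide the real lag.
        if match["user"] not in disabled or ts < disabled[match["user"]]:
            disabled[match["user"]] = ts
    return disabled


def review_terminations(terminations, disabled, sla=REMOVAL_SLA):
    """Compare each termination against the disable event and classify it.

    Returns a list of (user, status, lag) tuples where status is
    'within_sla', 'late', or 'not_disabled' (lag is None for the last case).
    """
    findings = []
    for user, terminated_at in terminations.items():
        if user not in disabled:
            findings.append((user, "not_disabled", None))
            continue
        lag = disabled[user] - terminated_at
        status = "within_sla" if lag <= sla else "late"
        findings.append((user, status, lag))
    return findings


def summarize(findings):
    """Count findings by status; this is the metric to report to leadership."""
    counts = {"within_sla": 0, "late": 0, "not_disabled": 0}
    for _, status, _ in findings:
        counts[status] += 1
    return counts


if __name__ == "__main__":
    results = review_terminations(HR_TERMINATIONS, parse_disable_events(IAM_LOG))
    for user, status, lag in results:
        print(f"{user:10} {status:13} {lag if lag is not None else '-'}")
    print(summarize(results))
```

Run periodically (for example, as part of the quarterly access review) and retain the dated output alongside the termination tickets: the "late" and "not_disabled" rows are exactly the cases an auditor will ask you to explain, and the summary counts give leadership the metric the protocol expects them to be tracking.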

Breach Notification Rule Expectations

OCR expects you to apply the Breach Notification Rule's criteria consistently and document every decision. For impermissible uses or disclosures of unsecured PHI, you must perform a four-factor risk assessment (nature and extent of the PHI, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated) and keep that record.

Timelines matter. Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting 500 or more individuals, notify HHS within 60 days of discovery and provide any required media notice for the affected state or jurisdiction. For breaches affecting fewer than 500 individuals, record them and report to HHS within 60 days after the end of the calendar year for the year in which they were discovered.

Evidence examples include an incident response plan, investigation notes, the completed risk assessment template, copies of notification letters or emails, proof of delivery or returned mail handling, call center scripts, mitigation offers, and submission confirmations. Maintain logs of all incidents, including those assessed as not being breaches, and keep all breach-related documentation for at least six years.
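The timelines above are easy to state and easy to miss in practice, so an incident log should compute the deadlines rather than rely on someone remembering them. The following script is an added example, not code from the original article or from Accountable; it derives the individual and HHS notification deadlines from the discovery date and affected count exactly as the rules are stated above (60 calendar days after discovery for individuals; 60 days after discovery for HHS when 500 or more individuals are affected; 60 days after the end of the calendar year of discovery for HHS when fewer than 500 are affected) and then classifies each entry of a constructed incident log as on time, late, pending, or overdue. The incident IDs and dates are constructed sample data; the script does not address media notice, which depends on state or jurisdiction counts.

```python
from dataclasses import dataclass
from datetime import date, timedelta

LARGE_BREACH_THRESHOLD = 500  # individuals affected
NOTICE_WINDOW = timedelta(days=60)  # "no later than 60 calendar days"


@dataclass(frozen=True)
class BreachDeadlines:
    individual_notice_by: date
    hhs_report_by: date
    large_breach: bool


def _as_date(value):
    """Accept a date or an ISO 8601 string so the log can hold plain text."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def notification_deadlines(discovered, affected_count):
    """Compute notification deadlines from the discovery date and affected count."""
    discovered = _as_date(discovered)
    individual_by = discovered + NOTICE_WINDOW
    large = affected_count >= LARGE_BREACH_THRESHOLD
    if large:
        # 500 or more: HHS is notified within the same 60-day window.
        hhs_by = individual_by
    else:
        # Fewer than 500: log it and report within 60 days after the calendar year ends.
        year_end = date(discovered.year, 12, 31)
        hhs_by = year_end + NOTICE_WINDOW
    return BreachDeadlines(individual_by, hhs_by, large)


def assess_incident_log(incidents, as_of):
    """Classify each incident's individual-notification status as of a given date.

    Each incident is a dict with 'id', 'discovered', 'affected' and optionally
    'individuals_notified_on'. Returns a list of dicts suitable for a status report.
    """
    as_of = _as_date(as_of)
    report = []
    for inc in incidents:
        deadlines = notification_deadlines(inc["discovered"], inc["affected"])
        sent = inc.get("individuals_notified_on")
        if sent is not None:
            status = "on_time" if _as_date(sent) <= deadlines.individual_notice_by else "late"
        elif as_of > deadlines.individual_notice_by:
            status = "overdue"
        else:
            status = "pending"
        report.append({
            "id": inc["id"],
            "status": status,
            "individual_notice_by": deadlines.individual_notice_by,
            "hhs_report_by": deadlines.hhs_report_by,
            "large_breach": deadlines.large_breach,
        })
    return report


# Constructed incident log entries (sample data, not real incidents).
INCIDENTS = [
    {"id": "INC-2024-007", "discovered": "2024-03-01", "affected": 1200,
     "individuals_notified_on": "2024-04-15"},
    {"id": "INC-2024-011", "discovered": "2024-05-10", "affected": 40,
     "individuals_notified_on": "2024-07-20"},
    {"id": "INC-2024-015", "discovered": "2024-08-01", "affected": 12,
     "individuals_notified_on": None},
]

if __name__ == "__main__":
    for row in assess_incident_log(INCIDENTS, as_of="2024-09-15"):
        print(f"{row['id']} {row['status']:8} individuals by {row['individual_notice_by']} "
              f"HHS by {row['hhs_report_by']} large={row['large_breach']}")
```

The "pending" entries are the ones to surface on a dashboard before they become "overdue"; the year-end HHS deadline for small breaches is the one most often forgotten, because it can fall many months after the incident itself was closed.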

Preparing for OCR HIPAA Audits

Preparation is an ongoing program, not a scramble after receiving an OCR letter. Build and maintain an evidence library mapped to the OCR HIPAA Audit Protocol requirements and evidence examples so you can respond quickly and completely.

  • Run a proactive gap assessment against Privacy, Security, and Breach modules; turn findings into a prioritized remediation plan with owners and dates.
  • Centralize artifacts: policies, procedures, Risk Assessment Documentation, risk treatment plans, BAAs, training rosters, logs, reports, and sample case files.
  • Prove operations: keep dated samples (e.g., access requests, terminations, restore tests, incident investigations) that show consistent execution over time.
  • Harden vendor management: maintain a current inventory of Business Associate Agreements, due diligence results, and incident notification procedures.
  • Strengthen privacy operations: track access requests and deadlines, verify Notices of Privacy Practices distribution, and enforce minimum necessary.
  • Exercise the plan: conduct tabletop and recovery tests, simulate record requests, and practice time-bound production.
  • Sustain compliance: perform periodic evaluations, update policies after changes, and enforce six-year documentation retention.

Bottom line: regulators expect written policies that match your operations, risk-driven controls that are implemented and monitored, and complete, timely documentation. If you maintain clear governance, current analyses, decisive remediation, and thorough records, you will be ready when OCR calls.

FAQs

What documentation is required for an OCR HIPAA audit?

Expect to provide finalized policies and procedures with revision history; your most recent enterprise-wide risk analysis and risk management plan; Business Associate Agreements and a current vendor inventory; workforce training records and sanction logs; access management evidence (provisioning, termination, reviews); system audit logs and monitoring reports; contingency plans with restore test results; privacy operations records (e.g., access requests, authorizations, complaints); and an incident/breach log with associated risk assessments and notifications. Maintain all required HIPAA documentation for at least six years.

How does OCR evaluate Security Rule compliance?

OCR maps your controls to the administrative, physical, and technical safeguard standards and then verifies operation through dated artifacts and samples. Auditors look for an enterprise-wide risk analysis, a prioritized risk treatment plan, ongoing evaluations, workforce training, least-privilege access, logging and monitoring, encryption, contingency planning, and vendor oversight. Addressable specifications must be implemented or justified with a documented equivalent alternative and risk rationale.

What evidence supports Breach Notification Rule adherence?

Provide incident response procedures, investigation timelines, the four-factor risk assessment for each impermissible use or disclosure, mitigation steps, notification letters and proof of delivery, call center logs, media notices where required, and HHS submission confirmations. Keep decisions for non-breach determinations with supporting analysis and retain all breach-related records for six years.

How can entities prepare for an OCR HIPAA audit?

Maintain a living evidence library mapped to the OCR protocol, run periodic self-assessments, remediate findings with documented ownership and deadlines, and test your response through tabletop exercises and mock record requests. Keep BAAs current, track privacy requests and timelines, ensure encryption and logging are enforced, and preserve all required records for six years so you can produce complete, timely evidence on demand.
