OCR HIPAA Audits: What They Ask For (and How to Be Ready)

Preparing for an audit

When you hear “OCR HIPAA Audits,” you may think, “not me.” Yet audits hit groups of every size. In 2024–2025, OCR said audits would review selected Security Rule controls with a focus on hacking and ransomware (OCR Audit Program). These audits cover covered entities and business associates.

“OCR HIPAA Audits” are not pop quizzes. They are document reviews against the Audit Protocol (HHS Audit Protocol). The protocol maps to Security, Privacy, and Breach Notification standards. You must show policies, implementation, and proof. Keep that mindset as you read.

What OCR Actually Asks For (with the matching rule)

1) Policies and procedures for using and safeguarding PHI

OCR asks for current policies and procedures. They must match daily practice and be retained at least six years. See Policies and Documentation at 45 C.F.R. §164.316 (eCFR 164.316).

2) Risk analysis and the follow-on risk management plan

OCR wants an enterprise-wide risk analysis and the plan to fix found risks. Doing an SRA without action fails. See Security Management Process at 45 C.F.R. §164.308(a)(1)(ii)(A)–(B) (eCFR 164.308).

3) Security awareness and training with attendance proof

Provide training content and proof of attendance. See Security Awareness and Training at 45 C.F.R. §164.308(a)(5) (eCFR 164.308).

4) Anti-malware and patching evidence

Show your anti-malware program and patch cadence. See Protection from Malicious Software and Evaluation at 45 C.F.R. §164.308(a)(5)(ii)(B) and §164.308(a)(8) (eCFR 164.308).

5) Data backup process and proof it runs

Backups must exist and be tested under your Contingency Plan. See 45 C.F.R. §164.308(a)(7) (eCFR 164.308).

6) Technical access controls and password policy

Provide access control settings, unique IDs, automatic logoff, and authentication details. See Technical Safeguards at 45 C.F.R. §164.312(a) and §164.312(d) (eCFR 164.312). HHS’ Security Rule summary is also helpful (HHS Security Rule Summary).

What Else OCR Expects to See

Breach assessment and notification procedures. You must assess breaches and notify on time. See Breach Notification Rule at 45 C.F.R. §164.404 and Subpart D (eCFR 164.404, Subpart D index).

System activity review and audit logs. Show who accessed PHI and when. See Audit Controls and Information System Activity Review at 45 C.F.R. §164.312(b) and §164.308(a)(1)(ii)(D) (eCFR 164.312, eCFR 164.308).

Transmission security and integrity controls. Protect data in motion and guard integrity. See 45 C.F.R. §164.312(c)–(e) (eCFR 164.312) and HHS’ Tech Safeguards brief (HHS Tech Safeguards PDF).

Device and media controls. Keep an inventory and have reuse and disposal steps. See Physical Safeguards at 45 C.F.R. §164.310 (eCFR 164.310).

Facility access and workstation security. Limit physical access and define workstation use. See 45 C.F.R. §164.310 (eCFR 164.310).

Business associate oversight. Keep a list of BAs and signed BAAs. See Organizational Requirements at 45 C.F.R. §164.308(b) and §164.314 (eCFR 164.314).

Documentation retention. Keep HIPAA documentation for six years from creation or last effective date. See 45 C.F.R. §164.316(b)(2)(i) (eCFR 164.316).

“Not-Me” Is a Myth: Real OCR Cases

The pattern repeats. Weak risk analysis, risk management, and audit/evaluation drive findings and settlements.

Map OCR’s Common Requests to the Rule

  • Policies and Procedures: §164.316(a), (b) (eCFR 164.316). Keep them current and reachable.
  • Risk Analysis / Risk Management: §164.308(a)(1)(ii)(A)–(B) (eCFR 164.308). Do it and act on it.
  • Training: §164.308(a)(5) (eCFR 164.308). Train and keep proof.
  • Incident Response / Breach: §164.308(a)(6) and §164.404–§164.410 (eCFR 164.308, eCFR 164.404). Know steps and clocks.
  • Audit Controls & Reviews: §164.312(b) and §164.308(a)(1)(ii)(D) (eCFR 164.312, eCFR 164.308). Log and review.
  • Access Controls & Authentication: §164.312(a), (d) (eCFR 164.312). Limit and verify access.
  • Integrity & Transmission Security: §164.312(c)–(e) (eCFR 164.312). Protect data in motion and at rest.
  • Contingency / Backups: §164.308(a)(7) (eCFR 164.308). Back up and test.
  • Physical Safeguards & Media: §164.310 (eCFR 164.310). Control facilities, workstations, and media.
  • Business Associates: §164.308(b) and §164.314 (eCFR 164.314). Keep BAAs and monitor vendors.
  • Documentation Retention: §164.316(b)(2)(i) (eCFR 164.316). Retain for six years.

The Six Questions OCR Is Really Answering

  1. Did you analyze risk before the incident and update it?
  2. Did you manage the risks you found?
  3. Do your written policies match practice today?
  4. Did you train your workforce and keep proof?
  5. Can you show who accessed which PHI and when?
  6. Can you prove backups, patches, and malware defenses run on time?

Those are the pressure points behind every document request. The Audit Protocol reflects them (HHS Audit Protocol).

Friendly help (without the sales pitch)

Getting audit-ready takes time. EPI Compliance and Taino Consultants help teams set up clear policies, complete SRAs, close gaps with practical work plans, and keep tidy proof trails. They provide training content and simple registers for assets, vendors, and logs—so you can show evidence fast.

Self-Check: If You Can’t Show Proof, You’re Not Compliant

HIPAA requires keeping documentation for six years. An auditor can ask for any of it (eCFR 164.316).

| Questions/Tasks | Reference | Evidence Provided |
| --- | --- | --- |
| Who is your HIPAA Security Officer? | §164.308(a)(2) | Yes ☐ No ☐ |
| Does your organization have a sanction policy? | §164.308(a)(1)(ii)(C) | Yes ☐ No ☐ |
| Provide copies of your Security Risk Analysis for 2021. | §164.308(a)(1)(ii)(A) | Yes ☐ No ☐ |
| Provide your Risk Management plan for 2021. | §164.308(a)(1)(ii)(B) | Yes ☐ No ☐ |
| Provide a list of devices that contain PHI. | §164.310(d) | Yes ☐ No ☐ |
| Provide evidence of annual HIPAA Security training. | §164.308(a)(5) | Yes ☐ No ☐ |
| Provide a list of Business Associates and BAA assurances. | §164.308(b), §164.314 | Yes ☐ No ☐ |
| Provide your Breach policies and procedures. | §164.308(a)(6), §164.404 | Yes ☐ No ☐ |

Any “No” means you have a gap that fails HIPAA. “Yes” must have documents, logs, and artifacts.

Quick answers to the “big six” audit items

Policies and Procedures: Keep them current, signed, and shared with staff. Update after changes (§164.316).
SRA + Risk Management: Do a full SRA and show the plan that closes each risk (§164.308(a)(1)(ii)(A)–(B)).
Training: Keep attendance, quiz results, agendas, and reminders (§164.308(a)(5)).
Anti-Malware and Patching: Keep AV dashboards, patch reports, and playbooks (§164.308(a)(5)(ii)(B), §164.308(a)(8)).
Backups: Keep schedules, test results, and recovery logs (§164.308(a)(7)).
Audit Trails: Keep system logs, access reviews, and exception handling notes (§164.312(b), §164.308(a)(1)(ii)(D)).

Why this matters: real consequences

OCR’s public cases show fines and strict corrective action plans when risk analysis, risk management, audit logging, and vendor oversight fall short. See the Anthem record settlement (HHS), Premera (HHS), Excellus (HHS), PIH Health (HHS), and Montefiore (HHS). OCR also keeps a running list of resolution agreements you can review (HHS Enforcement Archive).

Summary

OCR HIPAA Audits measure proof, not promises. Start with a current SRA. Then drive a risk management plan. Keep policies, training, backups, patches, and logs ready to show. Keep all HIPAA documentation for at least six years. If you hit a “No,” fix it and record the fix.

Five questions to ask your team today

  1. When was our last risk analysis, and what risks were closed?
  2. Can we pull audit logs showing who accessed PHI last week?
  3. Do we have proof of annual training for every worker?
  4. Are backups tested and documented?
  5. Are BAAs current for every vendor that sees PHI?

If any answer lacks proof, treat it as not compliant and close the gap now.
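Added example, not code from the original post: the information system activity review behind question 2 above and the audit-log item under “What Else OCR Expects to See”. It parses constructed PHI access log lines, summarises who accessed which record in a seven-day window, and flags shared logins and off-hours access as entries an auditor will ask about. The log format, account names, record ids and the business-hours policy are assumptions made for the example.

```python
# Added example, not the post's own code: a minimal information-system
# activity review over PHI access log lines (45 C.F.R. §164.308(a)(1)(ii)(D),
# §164.312(b)). Log format, user ids, record ids and the hours policy are
# constructed for the example; real EHR or SIEM exports have their own fields.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user id, action, patient record id.
SAMPLE_LOG = """\
2024-03-04T09:12:05 jsmith VIEW MRN-1001
2024-03-04T09:15:41 jsmith VIEW MRN-1002
2024-03-05T22:47:10 nurse-shared VIEW MRN-1001
2024-03-06T10:03:22 adoe EXPORT MRN-1003
2024-02-20T11:00:00 jsmith VIEW MRN-1004
2024-03-07T02:30:00 adoe VIEW MRN-1001
"""

# Assumed policy: generic logins defeat unique user identification
# (§164.312(a)(2)(i)); access outside 07:00-19:59 needs an explanation.
SHARED_ACCOUNTS = {"nurse-shared", "admin", "frontdesk"}
BUSINESS_HOURS = range(7, 20)


def parse_log(text):
    """Parse one event per line into (timestamp, user, action, record)."""
    events = []
    for line in text.splitlines():
        ts, user, action, record = line.split()
        events.append((datetime.fromisoformat(ts), user, action, record))
    return events


def review_window(events, end_iso, days=7):
    """Return (who accessed which records, exceptions to explain) for the
    `days` days ending at `end_iso`: the 'who accessed PHI last week' evidence."""
    end = datetime.fromisoformat(end_iso)
    start = end - timedelta(days=days)
    access = defaultdict(set)  # user id -> record ids touched
    exceptions = []
    for ts, user, action, record in events:
        if not start <= ts <= end:
            continue  # outside the review window
        access[user].add(record)
        if user in SHARED_ACCOUNTS:
            exceptions.append(f"{ts.isoformat()} shared account {user} on {record}")
        if ts.hour not in BUSINESS_HOURS:
            exceptions.append(f"{ts.isoformat()} off-hours {action} by {user} on {record}")
    return {u: sorted(r) for u, r in access.items()}, exceptions
```

Keep the output of such a review, with notes on how each flagged entry was resolved, as the artifact behind the “Audit Trails” item.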