OCR Audit Readiness Checklist

A helpful guide to check your patient privacy compliance risk.

If the OCR requested documentation tomorrow, would you be ready?

Use this checklist to pressure-test your readiness before an audit begins. Download the PDF or check your risk below.

Continue reading below, or fill out this form for a downloadable PDF.

OCR Readiness Checklist Download Form

"*" indicates required fields

Company

This field is for validation purposes and should be left unchanged.

First Last

Email*

Consent*

By checking this box, I agree to receive marketing communications and understand I can opt out at any time.*

CAPTCHA

OCR Audit Readiness Checklist

See how prepared your organization is to respond to an OCR audit.

Use this checklist to assess whether your HIPAA documentation, safeguards, privacy workflows, access monitoring, vendor oversight, and breach response processes are ready to support a timely OCR audit response.

How to use this checklist

For each item, ask:

Do we have this in place?
Can we prove it with documentation?
Do we know where that evidence is located?
Can we produce it quickly if OCR asks?

If a process exists but cannot be documented, score it as partial at best.

Scoring guide

Fully implemented and documented

The process is in place, followed consistently, and evidence can be produced quickly.

Partially implemented or inconsistently documented

The process exists, but documentation is incomplete, outdated, hard to locate, or inconsistently followed.

Not in place or cannot be proven

The process is missing, undocumented, or cannot be demonstrated with evidence.

N/A

Not applicable or addressable with justification

Use when an item does not apply. For this checklist, N/A responses are treated as fully addressed for scoring purposes.

Check your risk and email your results.

Documentation and Evidence Readiness

Can you quickly provide what the OCR may ask for?

Current HIPAA policies and procedures are approved, updated, and easy to locate.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Privacy Officer and Security Officer formally designated and documented.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Escalation path documented for complaints, complex requests, and suspected breaches.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

The most recent HIPAA risk analysis is complete and available.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Notice of Privacy Practices is current and accessible to patients.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Training records include dates, workforce coverage, and content covered.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Incident and breach records include timelines, findings, outcomes, and corrective actions.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

HIPAA documentation is organized and stored in a central location or clear evidence library.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Documented records retention schedule is aligned with HIPAA and state requirements.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Administrative Safeguards

Can you show ongoing risk management and accountability?

Risk assessments are reviewed at least annually and after major changes.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Systems that create, receive, maintain, or transmit PHI are included in the risk analysis.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Identified risks are prioritized by likelihood, impact, and urgency.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Remediation plans include owners, deadlines, and completion evidence.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Workforce members complete HIPAA training at onboarding and on a recurring schedule.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Role-based training exists for high-risk teams, privileged users, and staff handling PHI.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Privacy policies are documented, communicated, and applied consistently.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Privacy violations and corrective actions are documented.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Access changes for terminations, transfers, and role changes are reviewed promptly and reflected in system permissions.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Documented records retention schedule is aligned with HIPAA and state requirements.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Physical Safeguards

Would a walkthrough support what your policies say?

Facility access controls are in place for areas where PHI or systems containing ePHI may be accessed.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Doors, badge access, visitor controls, and restricted areas are monitored or reviewed.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Workstations are positioned and used in ways that reduce unauthorized viewing of PHI.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Devices that access or store PHI are physically secured when not in use.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Printed PHI is stored, handled, and disposed of securely.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Locked shred bins, recycle bins, or secure disposal processes are available and used properly.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Media disposal, device reuse, and hardware movement are documented where applicable.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Physical safeguards are periodically reviewed through walkthroughs or internal audits.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Technical Safeguards

Can you prove PHI access is controlled, monitored, and protected?

Unique user IDs are used to identify and track system activity.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Access controls align with workforce roles and minimum necessary access.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Privileged access is limited, approved, and reviewed periodically.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Backup, disaster recovery, and emergency access procedures are tested, and validated.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

MFA is implemented where appropriate, or a documented rationale or alternative safeguard exists.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Encryption is implemented for ePHI where appropriate, or a documented rationale or alternative safeguard exists.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Audit logs are collected across the EHR and other systems that access PHI.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Logs are actively reviewed on a defined schedule, not simply stored.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Integrity controls help protect ePHI from improper alteration or destruction.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Authentication controls verify that users accessing ePHI are who they claim to be.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Technical controls are periodically reviewed or tested for effectiveness.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Privacy Operations in Practice

Do daily workflows match your written policies?

Patient Right of Access requests are tracked from receipt to completion.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Access requests are completed within required timelines, or extensions are documented when allowed.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Denials, delays, fees, formats, and identity verification steps are documented when applicable.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Amendment, restriction, and confidential communication requests are documented and managed consistently.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Uses, disclosures, authorizations, and revocations are documented where required.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Disclosures are logged and accounted for where required.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Minimum necessary requirements are reflected in workflows, access decisions, and role design.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Privacy complaints are documented, investigated, and resolved.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Staff know how to report suspected inappropriate access, privacy incidents, or breaches.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Privacy processes are periodically reviewed to confirm they are being followed in practice.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Access Monitoring and Investigations

Can you prove suspicious PHI access is reviewed and resolved?

PHI access monitoring occurs on a defined schedule.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Monitoring includes the EHR and other systems where PHI may be accessed.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

High-risk access is monitored, including employee self-access, VIP access, coworker or family access, terminated user access, and break-glass use.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Alerts, reports, or review criteria are documented and consistently used.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Investigations are documented from trigger to outcome, including findings and mitigation.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Repeat issues, patterns, and follow-up actions are tracked.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Investigation evidence is retained in a centralized, organized location.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Leadership can review trends, outstanding investigations, and recurring risks.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Vendors and Business Associates

Can you account for third parties with PHI access?

A vendor inventory identifies which vendors access PHI or ePHI.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Every vendor required has a Business Associate Agreement that is signed and current.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Vendor security documentation is reviewed and on file (for example, SOC 2 or HITRUST reports where applicable).

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Vendor access levels, systems, and internal owners are documented.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Vendor incident and breach notification responsibilities are documented.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

High-risk vendors are periodically reviewed.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Vendor access is removed or updated when relationships, services, or contracts change.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Incident Response and Breach Readiness

Can you demonstrate fast, consistent response?

Incident response plans are documented and accessible to the response team.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Incidents are tracked with discovery dates, investigation steps, and final determinations.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Breach risk assessments are documented and applied consistently.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Reporting and notification timelines are tracked and met.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Internal escalation paths are clear for privacy, security, compliance, legal, IT, and leadership.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Lessons learned and corrective actions are documented after incidents and fed back into policies, training, and workflows.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Response processes are tested through tabletop exercises or periodic review.

2 - Fully implemented and documented

1 - Partially implemented or inconsistently documented

0 - Not in place or cannot be proven

N/A

Results

This field is hidden when viewing the form

Score

Percentage %

Low Risk

Your organization appears to have strong OCR audit readiness.

Medium Risk

Your organization has several areas in place, but some gaps may need attention.

High Risk

Your organization may have significant audit readiness gaps that should be prioritized.

Email Address

Provide your email to download the full report.

Disclaimer: This checklist is intended as an audit readiness tool, not legal advice. It should be customized based on your organization’s size, systems, workflows, risk profile, and applicable HIPAA obligations. Audit readiness depends not only on having policies in place, but also being able to prove those policies are followed in practice.