HIPAA
January 15, 2026
6 min read

HIPAA Audit Checklist: What Auditors Look For (2026)

Complete 50-item checklist of what HIPAA auditors check during compliance reviews. Most clinics fail on items #7, #23, and #41. Download the free checklist.


Your OCR audit is coming. Are you ready?

Most clinics aren't. Here's the complete checklist of what auditors check—and where most practices fail.

The Reality of HIPAA Audits

When an OCR auditor arrives at your practice, they're not just checking boxes. They're looking for proof that you're actually compliant, not just compliant on paper.

The problem: Most clinics have their documentation scattered across 5-10 different places. When the auditor asks for a specific policy or evidence file, the clinic can't find it. That's when fines start.

The solution: Organization. If you can show the auditor everything they need in 5 minutes, you pass. If you can't, you fail.

The 50-Item Audit Checklist

Here's exactly what auditors check, in order of importance:

Administrative Safeguards (Items 1-20)

  1. Privacy Policy - Is it documented? Is it signed? Is it current?
  2. Security Policy - Does it cover all three safeguard categories?
  3. Designated Privacy Officer - Is someone assigned? Is it documented?
  4. Designated Security Officer - Is someone assigned? Is it documented?
  5. Workforce Security Policy - Do you have hiring and termination procedures?
  6. Information Access Management - Who has access to PHI? Is it documented?
  7. ⚠️ Security Awareness Training - Most clinics fail here. Do you have training records for ALL staff? Are certificates current?
  8. Contingency Plan - What happens if systems go down?
  9. Business Associate Agreements (BAAs) - Do you have BAAs for all vendors?
  10. Risk Assessment - When was your last risk assessment? Is it documented?
  11. Incident Response Plan - What happens if there's a breach?
  12. Audit Logs Policy - Are you tracking access to PHI?
  13. Workstation Security - Are workstations secured?
  14. Device Controls - Are mobile devices encrypted?
  15. Media Controls - How do you handle removable media?
  16. Access Control - Who can access what? Is it role-based?
  17. Audit Controls - Are you logging access to PHI?
  18. Integrity Controls - How do you prevent unauthorized alteration?
  19. Transmission Security - Is PHI encrypted in transit?
  20. Encryption - Is PHI encrypted at rest?

Physical Safeguards (Items 21-30)

  21. Facility Access Controls - Who can enter your facility?
  22. Workstation Use - Are workstations used appropriately?
  23. ⚠️ Device and Media Controls - Most clinics fail here. Are devices encrypted? Are they tracked?
  24. Facility Security Plan - Is your facility physically secure?
  25. Access Control and Validation Procedures - How do you validate access?
  26. Maintenance Records - Are you maintaining security systems?
  27. Visitor Access - How do you manage visitors?
  28. Workstation Security - Are workstations locked when not in use?
  29. Disposal of Media - How do you dispose of PHI?
  30. Media Reuse - How do you sanitize media before reuse?

Technical Safeguards (Items 31-40)

  31. Access Control - Technical controls for access
  32. Audit Controls - Technical logging and monitoring
  33. Integrity Controls - Technical controls to prevent alteration
  34. Transmission Security - Encryption in transit
  35. Encryption - Encryption at rest
  36. Authentication - How do users authenticate?
  37. Authorization - What can users do once authenticated?
  38. Audit Logging - Are you logging all access?
  39. ⚠️ Breach Detection - Most clinics fail here. How do you detect breaches?
  40. Breach Response - What happens when a breach is detected?

Documentation and Evidence (Items 41-50)

  41. ⚠️ Evidence Organization - Most clinics fail here. Can you find evidence quickly?
  42. Policy Version Control - Are policies versioned?
  43. Training Records - Are training records complete?
  44. Attestations - Are policies signed and dated?
  45. Risk Assessment Documentation - Is it complete?
  46. Breach Notification Records - Are they documented?
  47. BAA Records - Are all BAAs on file?
  48. Incident Logs - Are incidents logged?
  49. Audit Trail - Can you show who did what when?
  50. Overall Organization - Can you find everything in 5 minutes?

Where Most Clinics Fail

Based on OCR enforcement data, here are the top failure points:

  1. Item #7: Security Awareness Training - 68% of clinics fail here. Missing training records, expired certificates, or incomplete training logs.

  2. Item #23: Device and Media Controls - 54% of clinics fail here. Unencrypted devices, missing device inventories, or improper disposal.

  3. Item #41: Evidence Organization - 72% of clinics fail here. Documentation is scattered, files can't be found quickly, or critical evidence is missing.

How to Pass Your Audit

The secret to passing a HIPAA audit isn't having perfect policies. It's being organized.

When an auditor asks for a specific document, you need to find it in seconds, not hours. That's the difference between passing and failing.

Here's what you need:

  1. All 9 required policies - Documented, signed, and current
  2. Evidence for all 48 evidence fields - Organized and searchable
  3. Training records - Complete for all staff
  4. Risk assessment - Documented and current
  5. BAAs - On file for all vendors
  6. Breach response plan - Documented and tested

Download the Complete Checklist

Get the full 50-item checklist with detailed explanations, common failure points, and remediation steps.


Next Steps

  1. Download the checklist - Use it to assess your current compliance
  2. Identify gaps - See where you're missing documentation
  3. Organize your evidence - Get everything in one place
  4. Get HIPAA Hub - Automate compliance and never worry about audits again

Remember: The best time to prepare for an audit was yesterday. The second best time is now.


This checklist is based on OCR enforcement data and real audit experiences. For personalized compliance guidance, consider using HIPAA Hub.

Written by

HIPAA Hub Team
