HIPAA Audit Checklist
An interactive internal audit tool based on OCR's official HIPAA audit protocol. Review 32 provisions across the Privacy Rule, Security Rule, and Breach Notification Rule. Mark each item, document findings, and generate a printable audit report with corrective action recommendations.
Review each audit item and mark it as Compliant, Finding, or Not Reviewed. Add notes to document evidence and observations.
Privacy Rule (10 items)
- Permitted uses and disclosures documented
45 CFR §164.502(a): Organization has documented all permitted uses and disclosures of PHI consistent with the Privacy Rule.
Audit guidance: Verify a written policy defines who may access PHI and for what purposes. Must cover treatment, payment, and healthcare operations at minimum.
- Minimum necessary standard applied
45 CFR §164.502(b): Uses and disclosures are limited to the minimum necessary to accomplish the intended purpose.
Audit guidance: Check that role-based access policies exist and are enforced. Review access logs for evidence of over-broad access.
- Valid authorizations for non-routine disclosures
45 CFR §164.508: Organization obtains valid written authorization before using or disclosing PHI for purposes not otherwise permitted.
Audit guidance: Review authorization forms for all required elements: description of PHI, purpose, expiration date, right to revoke, signature.
- Facility directory and disaster disclosures
45 CFR §164.510: Policies for facility directories and disclosures during emergencies or disasters are documented and followed.
Audit guidance: Confirm patients have the opportunity to opt out of facility directories. Verify disaster disclosure procedures are current.
- Public interest disclosures compliant
45 CFR §164.512: Disclosures for public health, abuse reporting, judicial proceedings, and law enforcement follow regulatory requirements.
Audit guidance: Verify staff know which disclosures require authorization vs. those permitted by law. Check for documented procedures.
- Notice of Privacy Practices distributed
45 CFR §164.520: A compliant NPP is provided to all patients at first encounter and posted in the facility.
Audit guidance: Verify NPP contains all required elements per HHS guidance. Check date of last revision and posting location.
- Right of access to PHI honored
45 CFR §164.524: Individuals can inspect and obtain copies of their PHI within 30 days of request.
Audit guidance: Review access request log for timeliness. OCR has issued over $10M in Right of Access Initiative settlements since 2019.
- Amendment requests processed
45 CFR §164.526: Organization has a process to receive, evaluate, and respond to patient requests to amend their PHI.
Audit guidance: Confirm a written procedure exists. Denials must include the reason and the patient's right to submit a statement of disagreement.
- Accounting of disclosures available
45 CFR §164.528: Organization can provide an accounting of disclosures made in the prior 6 years upon request.
Audit guidance: Check that a disclosure log is maintained. Must include date, recipient, description of PHI disclosed, and purpose.
- Privacy Officer designated
45 CFR §164.530(a)(1): A specific individual is designated as the Privacy Officer responsible for policy development and compliance.
Audit guidance: Verify the Privacy Officer is named, has documented responsibilities, and has received appropriate training.
Security Rule (16 items)
- Security management process implemented
45 CFR §164.308(a)(1): Organization has a documented security management process including risk analysis, risk management, sanction policy, and information system activity review.
Audit guidance: This is the #1 finding in OCR audits. Verify a comprehensive risk analysis has been completed within the past 12 months.
- Security Officer designated
45 CFR §164.308(a)(2): A specific individual is designated as the Security Officer responsible for security policies and safeguards.
Audit guidance: May be the same person as the Privacy Officer in small practices. Must have documented authority and responsibilities.
- Workforce security procedures in place
45 CFR §164.308(a)(3): Authorization and supervision procedures ensure only appropriate workforce members access ePHI.
Audit guidance: Check for documented hiring, clearance, access authorization, and termination procedures. Verify same-day access revocation for terminated employees.
- Security awareness and training program
45 CFR §164.308(a)(5): All workforce members receive security awareness training including password management, phishing, and malware protection.
Audit guidance: Training must occur at hire and periodically (at least annually). Document attendance, topics covered, and dates.
- Security incident procedures documented
45 CFR §164.308(a)(6): Procedures exist to identify, respond to, mitigate, and document security incidents.
Audit guidance: Review the incident response plan for completeness. Check the incident log for evidence of ongoing monitoring and response.
- Contingency plan established
45 CFR §164.308(a)(7): Data backup, disaster recovery, and emergency mode operation plans are documented and tested.
Audit guidance: Verify backup frequency, test restoration procedures annually, and confirm emergency access procedures exist.
- Business Associate Agreements executed
45 CFR §164.308(b): Written BAAs are in place with all business associates who create, receive, maintain, or transmit ePHI.
Audit guidance: Maintain a BA inventory. Check each BAA for required provisions: permitted uses, safeguards, breach reporting, termination.
- Facility access controls implemented
45 CFR §164.310(a): Policies and procedures limit physical access to electronic information systems and the facilities housing them.
Audit guidance: Verify locked server rooms, badge access, visitor logs, and maintenance records. Check for a documented facility security plan.
- Workstation use policies enforced
45 CFR §164.310(b): Policies specify proper functions, manner of use, and physical attributes of workstations accessing ePHI.
Audit guidance: Check for screen positioning, clean desk policy, automatic screen locks, and restrictions on personal use.
- Workstation security measures
45 CFR §164.310(c): Physical safeguards restrict access to workstations that access ePHI to authorized users.
Audit guidance: Verify cable locks, privacy screens, restricted areas, and that workstations aren't accessible to unauthorized individuals.
- Device and media controls
45 CFR §164.310(d): Procedures govern receipt, removal, backup, storage, reuse, and disposal of hardware and electronic media containing ePHI.
Audit guidance: Check for media sanitization procedures (NIST SP 800-88), hardware inventory, and chain-of-custody records for disposed equipment.
- Access controls for ePHI systems
45 CFR §164.312(a): Technical policies and procedures allow only authorized persons to access ePHI. Includes unique user IDs, emergency access, automatic logoff, and encryption.
Audit guidance: Verify unique logins (no shared accounts), role-based access, session timeouts, and MFA for remote access.
- Audit controls implemented
45 CFR §164.312(b): Hardware, software, and procedural mechanisms record and examine activity in systems containing ePHI.
Audit guidance: Check that audit logs capture login attempts, PHI access, modifications, and exports. Verify logs are reviewed regularly.
- Integrity controls for ePHI
45 CFR §164.312(c): Policies and procedures protect ePHI from improper alteration or destruction.
Audit guidance: Verify mechanisms to authenticate ePHI (checksums, digital signatures) and detect unauthorized changes.
- Person or entity authentication
45 CFR §164.312(d): Procedures verify that persons seeking access to ePHI are who they claim to be.
Audit guidance: Check for password policies, MFA implementation, and biometric or token-based authentication where applicable.
- Transmission security
45 CFR §164.312(e): Technical security measures guard against unauthorized access to ePHI being transmitted over electronic networks.
Audit guidance: Verify TLS 1.2+ for all web traffic, encrypted email for PHI, VPN for remote access, and no PHI via standard SMS.
Breach Notification Rule (6 items)
- Breach definition and risk assessment documented
45 CFR §164.402: Organization has a documented process for determining whether an impermissible use or disclosure constitutes a breach requiring notification.
Audit guidance: Verify the 4-factor risk assessment process is documented: nature and extent of PHI, unauthorized person, whether PHI was actually viewed, mitigation extent.
- Individual notification procedures in place
45 CFR §164.404: Written procedures ensure affected individuals are notified within 60 days of breach discovery via first-class mail or email (if consented).
Audit guidance: Check the notification letter template for required content: description of breach, PHI types involved, steps to protect, what the entity is doing, contact information.
- Media notification procedures for large breaches
45 CFR §164.406: Procedures for notifying prominent media outlets when a breach affects 500+ residents of a state or jurisdiction.
Audit guidance: Verify the organization knows the 500-person threshold and has identified local media contacts. Must be within 60 days.
- HHS Secretary notification procedures
45 CFR §164.408: Procedures for notifying HHS of breaches: immediately for 500+ individuals, annually for smaller breaches.
Audit guidance: Confirm staff know how to submit via the HHS breach portal. Breaches affecting 500+ must be reported within 60 days; smaller breaches by March 1 of the following year.
- Breach log maintained
45 CFR §164.414: Organization maintains a log of all breaches, including those affecting fewer than 500 individuals.
Audit guidance: Review the breach log for completeness. Each entry should include date, individuals affected, description, remediation steps, and notification status.
- Business associate breach reporting
45 CFR §164.410: BAAs require business associates to report breaches to the covered entity without unreasonable delay (no later than 60 days).
Audit guidance: Check BAAs for breach notification language. Verify BAs know their reporting obligations and the CE has a process to receive BA breach reports.
Generated on March 9, 2026 via HipaaKit (hipaakit.co)
What Is a HIPAA Audit?
A HIPAA audit is a systematic examination of a healthcare organization's compliance with the Privacy Rule, Security Rule, and Breach Notification Rule. The Office for Civil Rights (OCR) conducts external audits under its HIPAA Audit Program, but organizations should also perform internal audits regularly to identify and correct gaps before OCR comes knocking.
Unlike the broader HIPAA compliance checklist, an audit checklist follows the structure of OCR's official audit protocol — examining specific regulatory provisions, evaluating evidence of compliance, and documenting findings with corrective action recommendations.
OCR Audit Protocol Structure
This tool mirrors the structure of OCR's official HIPAA audit protocol, organized into three major areas. Each audit item maps to a specific CFR provision with guidance on what evidence to collect.
Privacy Rule (10 items)
Uses and disclosures of PHI, individual rights, Notice of Privacy Practices, Privacy Officer designation.
Security Rule (16 items)
Administrative, physical, and technical safeguards for electronic PHI. Risk analysis, access controls, encryption, audit logs.
Breach Notification Rule (6 items)
Breach determination, individual and HHS notification procedures, breach logging, BA reporting requirements.
How to Use This Audit Checklist
1. Enter your organization name and auditor details for the report header
2. Work through each section: Privacy Rule, Security Rule, then Breach Notification
3. Mark each item as Compliant (evidence verified), Finding (gap identified), or Not Reviewed
4. Add notes to document evidence reviewed, observations, and corrective actions needed
5. Click "Generate Report" to view identified gaps with recommended corrective actions
6. Print or copy the report for your compliance documentation files
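The workflow in the steps above, as an added example that is not HipaaKit's own code: a small Python model of the checklist that records each item's status and notes, tallies the header counters ("X of Y reviewed items compliant", Compliant, Findings, Not Reviewed, Pending) and emits the findings report with corrective actions. The three sample items are taken from this page; their corrective-action strings paraphrase the page's audit guidance, and the organization and auditor names are constructed.

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    PENDING = "Pending"            # not yet marked by the auditor
    COMPLIANT = "Compliant"        # evidence verified
    FINDING = "Finding"            # gap identified
    NOT_REVIEWED = "Not Reviewed"  # explicitly skipped this cycle

@dataclass
class AuditItem:
    cfr: str                # provision the item maps to
    title: str
    corrective_action: str  # recommendation emitted when the item is a Finding
    status: Status = Status.PENDING
    notes: str = ""         # evidence reviewed, observations

# Constructed sample: three of the page's 32 items; corrective actions paraphrase the audit guidance.
SAMPLE_ITEMS = [
    AuditItem("45 CFR §164.308(a)(1)", "Security management process implemented",
              "Complete a risk analysis covering all ePHI systems within the past 12 months."),
    AuditItem("45 CFR §164.312(b)", "Audit controls implemented",
              "Log logins, PHI access, modifications and exports; review the logs on a schedule."),
    AuditItem("45 CFR §164.308(b)", "Business Associate Agreements executed",
              "Maintain a BA inventory and execute a BAA with the required provisions for each BA."),
]

def summarize(items):
    """The counters shown in the tool header; 'reviewed' = Compliant + Finding."""
    counts = {s: sum(1 for i in items if i.status is s) for s in Status}
    return {"compliant": counts[Status.COMPLIANT], "findings": counts[Status.FINDING],
            "not_reviewed": counts[Status.NOT_REVIEWED], "pending": counts[Status.PENDING],
            "reviewed": counts[Status.COMPLIANT] + counts[Status.FINDING]}

def generate_report(items, organization, auditor):
    """Printable report: header, summary line, then every Finding with its corrective action."""
    s = summarize(items)
    lines = [f"HIPAA Internal Audit Report - {organization} (auditor: {auditor})",
             f"{s['compliant']} of {s['reviewed']} reviewed items compliant; "
             f"{s['findings']} findings, {s['not_reviewed']} not reviewed, {s['pending']} pending"]
    for item in items:
        if item.status is Status.FINDING:
            lines.append(f"FINDING {item.cfr} - {item.title}")
            lines.append(f"  Notes: {item.notes or '(none recorded)'}")
            lines.append(f"  Corrective action: {item.corrective_action}")
    return "\n".join(lines)

if __name__ == "__main__":
    SAMPLE_ITEMS[0].status, SAMPLE_ITEMS[0].notes = Status.FINDING, "Last risk analysis dated 2021"
    SAMPLE_ITEMS[1].status = Status.COMPLIANT
    print(generate_report(SAMPLE_ITEMS, "Example Clinic", "J. Doe"))
```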
For a deeper security-focused analysis, use our HIPAA Risk Assessment Template which scores risks using the NIST SP 800-30 methodology. To track remediation timelines, our Compliance Work Plan helps organize corrective actions by month.
Most Common OCR Audit Findings
Based on OCR's published enforcement data and settlement agreements, these are the areas where healthcare organizations most frequently fall short:
Incomplete or missing risk analysis
45 CFR §164.308(a)(1): The single most-cited deficiency in OCR enforcement actions. Many practices have never conducted one, or their analysis doesn't cover all ePHI systems.
Lack of access management
45 CFR §164.312(a): Shared logins, over-broad access to PHI, and failure to revoke access when employees leave.
Missing or outdated BAAs
45 CFR §164.308(b): Organizations fail to identify all business associates or let agreements expire without renewal.
Insufficient audit logging
45 CFR §164.312(b): Systems lack audit trails, or logs are never reviewed for suspicious access patterns.
Denial of patient access to records
45 CFR §164.524: OCR has issued over $10M in settlements through its Right of Access Initiative since 2019.
For a complete list of enforcement examples, see our guide on most common HIPAA violations.
How Often Should You Conduct a HIPAA Audit?
At least annually
OCR expects organizations to conduct a thorough internal audit at least once per year, with documentation retained for six years.
After significant changes
New EHR system, office relocation, merger, new business associate relationships, or adoption of new technology all trigger re-evaluation.
Before regulatory deadlines
The proposed 2026 Security Rule update will require more frequent assessments. Start auditing now to identify gaps before new requirements take effect.
Enforcement reality: In the 2024-2025 audit cycle, OCR specifically focused on Security Rule provisions related to hacking and ransomware attacks. Penalties range from $145 to $73,011 per violation, with an annual maximum of $2,190,294 per violation category (2026 figures).
Related Tools & Guides
HIPAA Risk Assessment Template
Guided security risk analysis based on NIST SP 800-30 with risk scoring and remediation priorities.
HIPAA Compliance Checklist
Interactive compliance checklist covering Privacy Rule, Security Rule, and Breach Notification requirements.
Compliance Work Plan Template
Build a month-by-month compliance calendar with training, audit, and review deadlines.
Most Common HIPAA Violations
The 10 most frequent HIPAA violations with real enforcement examples and prevention strategies.
HIPAA Breach Notification Guide
Complete guide to breach determination, notification timelines, and reporting requirements.