What to Do If You Get an OCR Audit Letter
5 min read · Last reviewed May 22, 2026
Distinguish what kind of letter you have
OCR contacts covered entities in several distinct ways. The first thing to do is figure out which one you received:
- Audit notice under the HIPAA Audit Program. OCR has done two formal audit phases (2011-2012 pilot, 2016-2017 desk audits) and announced an audit program restart in 2024. The HIPAA Audits Program page explains the structure.
- Complaint-driven investigation. A patient, former employee, or third party filed a complaint. OCR opens an investigation under 45 CFR 160.306.
- Compliance review initiated by OCR on its own under 45 CFR 160.308.
- Breach-triggered investigation in response to a Breach Notification Rule report under 45 CFR 164.408.
- State attorney general action under HIPAA's state enforcement authority at 45 CFR 160.504.
The deadline, document requests, and stakes differ across these. Read the letter twice and identify which type it is before responding.
Do these things in the first 48 hours
- Acknowledge receipt with the contact listed on the letter. Do not miss the response window stated. OCR audit letters typically allow 10 business days for initial document submission. Investigation letters vary.
- Pull together the named contact list. OCR will want a Security Official under 164.308(a)(2)(2)) and a Privacy Official under 164.530(a)). If you do not have one assigned, assign one in writing before responding.
- Engage counsel. This is not optional for any letter that names a specific incident. Counsel works the response under privilege and protects the practice's positions.
- Preserve evidence. Do not delete logs, emails, or system data referenced in the letter. Issue a written litigation hold to staff.
- Inventory your current binder. What risk analysis do you have, what date is it, what policies do you have, what training records, what BAAs, what incident logs?
- Identify gaps without panicking. OCR's published Resolution Agreements show that the absence of a current, written risk analysis is the most-cited deficiency. If you do not have one, do not fabricate one. Document the truth and start an immediate remediation.
Read the audit protocol against your binder
OCR publishes the HIPAA Audit Protocol listing every audited element of the Privacy, Security, and Breach Notification rules. It is the playbook. Your response should map your documents to its citations one-for-one.
Sections that come up most often in small-practice audits and investigations:
- 164.308(a)(1)(1)) — Security management process (risk analysis, risk management, sanction policy, information system activity review)
- 164.308(a)(7)(7)) — Contingency plan
- 164.312(a)(2)(iv)(2)(iv)) — Encryption and decryption (addressable)
- 164.312(e)(2)(ii)(2)(ii)) — Encryption of transmissions (addressable)
- 164.404 through 164.410 — Breach Notification Rule sequence
- 164.524 — Patient right of access (a recurring small-practice enforcement focus through OCR's Right of Access Initiative)
What would you do?
A front-desk staffer clicked a link in an email claiming to be from your e-prescribing vendor and entered her username and password on the spoofed page. She tells the office manager 90 minutes later when she realizes the email was fake.
The account had access to the EHR via SSO and to the e-prescribing console.
Operational self-diagnosis tool. Not legal advice, not a credential of any kind, not a substitute for counsel. The practice remains responsible for the decision it actually makes.
What would you do?
A medical assistant resigns on Friday with two weeks' notice. She has EHR access, badge access, a clinic laptop, her own work email, and is in the on-call SMS rotation.
It is Friday at 4:50 PM. Her last day will be in two weeks.
Operational self-diagnosis tool. Not legal advice, not a credential of any kind, not a substitute for counsel. The practice remains responsible for the decision it actually makes.
Tone and content of the response
The response should be precise, dated, and complete:
- Cover letter from counsel or the Privacy Official describing the response structure
- Each requested document tabbed, indexed, and cross-referenced to the audit protocol citation
- A narrative explanation where a specification is addressable and the practice chose an alternative
- A remediation plan with dates for any gap the response cannot fill
- A signed attestation from the Security Official
Do not include marketing language. Do not claim any status the regulation does not grant. The goal is a calm, complete record showing the practice has been doing the work.
What OCR's published outcomes look like
OCR posts every Resolution Agreement at the Enforcement Highlights and Settlements page. A scan of recent settlements shows recurring elements: absent or stale risk analysis, no encryption decision documented, no incident response procedure exercised, no training records, late or absent breach notification. The corrective action plans attached to most settlements run two to three years and require quarterly evidence submissions.
The OCR Right of Access Initiative settlements (forty-plus published through 2024 per the OCR press release log) are smaller-dollar but more numerous. Many start with a single patient complaint about records not delivered in 30 days.
What you can do now to improve the response
- Get a current, dated, written risk analysis under 164.308(a)(1)(ii)(A)(1)(ii)(A)) on file.
- Document your encryption decisions for data at rest and in transit.
- Document your sanction policy and any sanctions actually imposed.
- Document training and the dates of training delivery.
- Pull your BAA log. Make sure every active vendor has a current agreement.
- Inventory your breach log under 164.408(c)).
Restraint about claims
No vendor or guide can promise an audit outcome. OCR settles cases on the totality of evidence and the practice's good-faith remediation. The most predictable variable is the quality and timeliness of the response. A well-organized, source-grounded binder is a documentation aid; the response itself is a legal exercise that should run through counsel.
How D3rx fits
D3rx SRA Binder Studio assembles the underlying source-grounded documentation a small practice needs to anchor a response. It does not represent the practice in any OCR proceeding and does not replace counsel. It is a point-in-time documentation aid.
Next steps
See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.
Where do you stand on your SRA today?
Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- HIPAA Audits Program pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
- 45 CFR 160.306https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.306
- 45 CFR 160.308https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.308
- 45 CFR 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
- 45 CFR 160.504https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-E/section-160.504
- 164.308(a)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
- 164.530(a)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(a
- HIPAA Audit Protocolhttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html
- 164.312(a)(2)(iv)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312#p-164.312(a
- 164.312(e)(2)(ii)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312#p-164.312(e
- 164.404 through 164.410https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D
- 164.524https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
- Enforcement Highlights and Settlements pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
- OCR press release loghttps://www.hhs.gov/hipaa/newsroom/index.html
- 164.408(c)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408#p-164.408(c
Sources verified as of May 22, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
OCR Audit Protocol: What Small Practices Should Expect
5 min readAudits and EnforcementHIPAA Settlements and Civil Money Penalties: A Small-Practice Reading List
5 min readAudits and EnforcementThe HIPAA Breach Notification Rule, Explained
6 min readFoundationsHIPAA Policies and Procedures: What a Small Practice Actually Needs
5 min readRelated across the archive
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- SRAHIPAA Settlements and Civil Money Penalties: A Small-Practice Reading ListHow HHS Office for Civil Rights publishes its enforcement record, the tiered civil money penalty structure at 45 CFR 160.404, and what recent small-practice settlements actually say.
- SRAOCR Audit Protocol: What Small Practices Should ExpectHow the HHS Office for Civil Rights HIPAA Audit Protocol is structured, what OCR has publicly announced about the audit program restart, and how a small practice prepares its binder against the protocol's audited elements.
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- RegulationOCR HIPAA Audit Program (45 CFR 160.310)OCR's authority to conduct compliance audits of covered entities and business associates, and the recurring posture under the Audit Program established by HITECH.
- RegulationHIPAA Resolution Agreements and Corrective Action Plans (45 CFR 160.312)OCR's preferred enforcement disposition: a Resolution Agreement that includes a corrective action plan, payment, and reporting obligations spanning two to three years.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- GlossaryCorrective Action Plan (CAP)A documented plan describing steps to address identified compliance deficiencies, the owners, timelines, and monitoring.