Audits and Enforcement

What to Do If You Get an OCR Audit Letter

5 min read · Last reviewed May 22, 2026

Distinguish what kind of letter you have

OCR contacts covered entities in several distinct ways. The first thing to do is figure out which one you received:

  • Audit notice under the HIPAA Audit Program. OCR has done two formal audit phases (2011-2012 pilot, 2016-2017 desk audits) and announced an audit program restart in 2024. The HIPAA Audits Program page explains the structure.
  • Complaint-driven investigation. A patient, former employee, or third party filed a complaint. OCR opens an investigation under 45 CFR 160.306.
  • Compliance review initiated by OCR on its own under 45 CFR 160.308.
  • Breach-triggered investigation in response to a Breach Notification Rule report under 45 CFR 164.408.
  • State attorney general action under HIPAA's state enforcement authority at 45 CFR 160.504.

The deadline, document requests, and stakes differ across these. Read the letter twice and identify which type it is before responding.

Do these things in the first 48 hours

  1. Acknowledge receipt with the contact listed on the letter. Do not miss the response window stated. OCR audit letters typically allow 10 business days for initial document submission. Investigation letters vary.
  2. Pull together the named contact list. OCR will want a Security Official under 164.308(a)(2)(2)) and a Privacy Official under 164.530(a)). If you do not have one assigned, assign one in writing before responding.
  3. Engage counsel. This is not optional for any letter that names a specific incident. Counsel works the response under privilege and protects the practice's positions.
  4. Preserve evidence. Do not delete logs, emails, or system data referenced in the letter. Issue a written litigation hold to staff.
  5. Inventory your current binder. What risk analysis do you have, what date is it, what policies do you have, what training records, what BAAs, what incident logs?
  6. Identify gaps without panicking. OCR's published Resolution Agreements show that the absence of a current, written risk analysis is the most-cited deficiency. If you do not have one, do not fabricate one. Document the truth and start an immediate remediation.

Read the audit protocol against your binder

OCR publishes the HIPAA Audit Protocol listing every audited element of the Privacy, Security, and Breach Notification rules. It is the playbook. Your response should map your documents to its citations one-for-one.

Sections that come up most often in small-practice audits and investigations:

Scenario · Security incident

What would you do?

A front-desk staffer clicked a link in an email claiming to be from your e-prescribing vendor and entered her username and password on the spoofed page. She tells the office manager 90 minutes later when she realizes the email was fake.

The account had access to the EHR via SSO and to the e-prescribing console.

Operational self-diagnosis tool. Not legal advice, not a credential of any kind, not a substitute for counsel. The practice remains responsible for the decision it actually makes.

Scenario · HIPAA Security

What would you do?

A medical assistant resigns on Friday with two weeks' notice. She has EHR access, badge access, a clinic laptop, her own work email, and is in the on-call SMS rotation.

It is Friday at 4:50 PM. Her last day will be in two weeks.

Operational self-diagnosis tool. Not legal advice, not a credential of any kind, not a substitute for counsel. The practice remains responsible for the decision it actually makes.

Tone and content of the response

The response should be precise, dated, and complete:

  • Cover letter from counsel or the Privacy Official describing the response structure
  • Each requested document tabbed, indexed, and cross-referenced to the audit protocol citation
  • A narrative explanation where a specification is addressable and the practice chose an alternative
  • A remediation plan with dates for any gap the response cannot fill
  • A signed attestation from the Security Official

Do not include marketing language. Do not claim any status the regulation does not grant. The goal is a calm, complete record showing the practice has been doing the work.

What OCR's published outcomes look like

OCR posts every Resolution Agreement at the Enforcement Highlights and Settlements page. A scan of recent settlements shows recurring elements: absent or stale risk analysis, no encryption decision documented, no incident response procedure exercised, no training records, late or absent breach notification. The corrective action plans attached to most settlements run two to three years and require quarterly evidence submissions.

The OCR Right of Access Initiative settlements (forty-plus published through 2024 per the OCR press release log) are smaller-dollar but more numerous. Many start with a single patient complaint about records not delivered in 30 days.

What you can do now to improve the response

  • Get a current, dated, written risk analysis under 164.308(a)(1)(ii)(A)(1)(ii)(A)) on file.
  • Document your encryption decisions for data at rest and in transit.
  • Document your sanction policy and any sanctions actually imposed.
  • Document training and the dates of training delivery.
  • Pull your BAA log. Make sure every active vendor has a current agreement.
  • Inventory your breach log under 164.408(c)).

Restraint about claims

No vendor or guide can promise an audit outcome. OCR settles cases on the totality of evidence and the practice's good-faith remediation. The most predictable variable is the quality and timeliness of the response. A well-organized, source-grounded binder is a documentation aid; the response itself is a legal exercise that should run through counsel.

How D3rx fits

D3rx SRA Binder Studio assembles the underlying source-grounded documentation a small practice needs to anchor a response. It does not represent the practice in any OCR proceeding and does not replace counsel. It is a point-in-time documentation aid.

Next steps

See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.

Where do you stand on your SRA today?

Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. HIPAA Audits Program pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
  2. 45 CFR 160.306https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.306
  3. 45 CFR 160.308https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.308
  4. 45 CFR 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
  5. 45 CFR 160.504https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-E/section-160.504
  6. 164.308(a)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
  7. 164.530(a)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(a
  8. HIPAA Audit Protocolhttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html
  9. 164.312(a)(2)(iv)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312#p-164.312(a
  10. 164.312(e)(2)(ii)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312#p-164.312(e
  11. 164.404 through 164.410https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D
  12. 164.524https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
  13. Enforcement Highlights and Settlements pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
  14. OCR press release loghttps://www.hhs.gov/hipaa/newsroom/index.html
  15. 164.408(c)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408#p-164.408(c

Sources verified as of May 22, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides