OCR Audit Protocol: What Small Practices Should Expect
5 min read · Last reviewed May 22, 2026
What the protocol is
The HHS Office for Civil Rights publishes the HIPAA Audit Protocol as a comprehensive checklist mapping the audited elements of the Privacy Rule, Security Rule, and Breach Notification Rule to specific regulatory citations and the documents OCR expects to see.
The current published protocol is the artifact OCR has used in prior audit phases (2011-2012 pilot, 2016-2017 desk audits). It remains the operating playbook for OCR's audit and review work. The protocol is organized into sections that mirror the structure of 45 CFR Part 164:
- Subpart C — Security Rule
- Subpart D — Breach Notification Rule
- Subpart E — Privacy Rule
Each protocol element identifies the audit type (established performance criteria), the relevant regulatory citation, and the key activity OCR will inspect.
What HHS has announced about the program restart
OCR has indicated through its HIPAA Audits Program page and Congressional testimony in 2024 that it intends to resume audits, citing both legal authority under section 13411 of the HITECH Act and findings from the Office of Inspector General. The agency has not published a fixed audit-cycle schedule. Practices should treat the protocol as the standing playbook regardless of whether they are formally selected for audit, since complaint-driven investigations and breach reviews use the same framework.
High-frequency audit elements for small practices
Across published Resolution Agreements and audit summaries, the elements that come up most often for small providers:
Security Rule
- Risk Analysis under 164.308(a)(1)(ii)(A)(1)(ii)(A)) — the most-cited deficiency in OCR settlements.
- Risk Management under 164.308(a)(1)(ii)(B)(1)(ii)(B)) — what the practice did with the risk analysis findings.
- Information System Activity Review under 164.308(a)(1)(ii)(D)(1)(ii)(D)) — log review, audit log retention.
- Workforce Security and Information Access Management under 164.308(a)(3) and (a)(4) — joiner-mover-leaver process.
- Security Awareness and Training under 164.308(a)(5)(5)).
- Contingency Plan under 164.308(a)(7)(7)) — data backup, disaster recovery, emergency mode operation, testing and revision.
- Encryption decisions under 164.312(a)(2)(iv) and 164.312(e)(2)(ii).
- Audit controls under 164.312(b)) — log retention and review.
Privacy Rule
- Notice of Privacy Practices under 164.520.
- Right of Access under 164.524 — the OCR Right of Access Initiative has produced dozens of small-practice settlements through 2024.
- Minimum necessary under 164.502(b)).
- Administrative requirements at 164.530.
Breach Notification Rule
- Definition and risk assessment under 164.402.
- Individual, HHS, and media notice under 164.404, 164.406, and 164.408.
- Annual report for breaches under 500 under 164.408(c)).
What "audit" actually looks like for a small practice
A formal audit notice would arrive in writing with a fixed document request and submission deadline (typically 10 business days for initial submission). For most small practices the more common encounter is an investigation opened in response to a complaint or breach report. The protocol is the same playbook in either case.
Common documents OCR requests:
- Current dated risk analysis
- Current dated policies and procedures, with version history
- Training records and sanction policy
- Workforce roster with access roles
- BAA log
- Incident log with the four-factor breach analyses
- Breach notifications sent and submission receipts
- System inventory and data flow descriptions
- Encryption status and key management documentation
- Logs and audit log retention statement
Preparing the binder ahead of time
A practice that maintains a current binder mapped to the audit protocol can respond in days rather than scrambling for weeks. The structure that holds up:
- Index page mapping each binder section to its protocol citation
- A current risk analysis no older than 12 months, with a written re-evaluation cadence
- Each policy versioned, dated, signed by the Security Official
- A workforce training register tied to the policy version
- A BAA log
- A breach log including any "not a breach" four-factor analyses
- Evidence files (configuration screenshots, encryption confirmations, log samples) referenced from the relevant policy
How OCR uses the protocol in enforcement
OCR's published Resolution Agreements typically cite specific protocol-aligned elements as missing or inadequate. Recent themes from the Enforcement Highlights page include:
- Right of access timeliness and fees
- Risk analysis absence or staleness
- Ransomware-driven breach response failures
- Online tracking technologies (per the December 2022 OCR Bulletin on online tracking, partially vacated by a 2024 federal court but with the BAA position retained)
- Business associate breach reporting failures
Each settlement also includes a corrective action plan that typically runs two to three years and requires periodic evidence submissions. Reading three or four recent CAPs makes the protocol's expectations concrete.
Restraint about claims
No vendor or tool can guarantee an audit outcome. The protocol is a documentation checklist; OCR weighs the totality of evidence including the practice's good-faith remediation. The most predictable variable is the quality and currency of the practice's binder.
How D3rx fits
D3rx SRA Binder Studio is structured around the audit-protocol citation tree. Each binder section maps to a protocol element with the underlying HHS, OCR, eCFR, or NIST source linked. It is a point-in-time administrative documentation aid; the practice remains responsible for the substance.
Next steps
See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.
Where do you stand on your SRA today?
Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- HIPAA Audit Protocolhttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html
- 45 CFR Part 164https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
- HIPAA Audits Program pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
- 164.308(a)(1)(ii)(A)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
- 164.308(a)(3) and (a)(4)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
- 164.312(a)(2)(iv) and 164.312(e)(2)(ii)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312
- 164.312(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312#p-164.312(b
- 164.520https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520
- 164.524https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
- 164.502(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502#p-164.502(b
- 164.530https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530
- 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.402
- 164.404, 164.406, and 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D
- 164.408(c)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408#p-164.408(c
- Enforcement Highlights pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
- OCR Bulletin on online trackinghttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html
Sources verified as of May 22, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
What to Do If You Get an OCR Audit Letter
5 min readAudits and EnforcementHIPAA Settlements and Civil Money Penalties: A Small-Practice Reading List
5 min readFoundationsHIPAA Policies and Procedures: What a Small Practice Actually Needs
5 min readAudits and EnforcementThe HIPAA Breach Notification Rule, Explained
6 min readRelated across the archive
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- SRAHIPAA Settlements and Civil Money Penalties: A Small-Practice Reading ListHow HHS Office for Civil Rights publishes its enforcement record, the tiered civil money penalty structure at 45 CFR 160.404, and what recent small-practice settlements actually say.
- SRAWhat to Do If You Get an OCR Audit LetterA step-by-step response framework for a small practice that receives an OCR HIPAA audit or investigation letter, drawn from OCR's audit protocol and published Resolution Agreements.
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- RegulationOCR HIPAA Audit Program (45 CFR 160.310)OCR's authority to conduct compliance audits of covered entities and business associates, and the recurring posture under the Audit Program established by HITECH.
- RegulationHIPAA Resolution Agreements and Corrective Action Plans (45 CFR 160.312)OCR's preferred enforcement disposition: a Resolution Agreement that includes a corrective action plan, payment, and reporting obligations spanning two to three years.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- GlossaryCorrective Action Plan (CAP)A documented plan describing steps to address identified compliance deficiencies, the owners, timelines, and monitoring.