Audits and Enforcement

OCR Audit Protocol: What Small Practices Should Expect

5 min read · Last reviewed May 22, 2026

What the protocol is

The HHS Office for Civil Rights publishes the HIPAA Audit Protocol as a comprehensive checklist mapping the audited elements of the Privacy Rule, Security Rule, and Breach Notification Rule to specific regulatory citations and the documents OCR expects to see.

The current published protocol is the artifact OCR has used in prior audit phases (2011-2012 pilot, 2016-2017 desk audits). It remains the operating playbook for OCR's audit and review work. The protocol is organized into sections that mirror the structure of 45 CFR Part 164:

  • Subpart C — Security Rule
  • Subpart D — Breach Notification Rule
  • Subpart E — Privacy Rule

Each protocol element identifies the audit type (established performance criteria), the relevant regulatory citation, and the key activity OCR will inspect.

What HHS has announced about the program restart

OCR has indicated through its HIPAA Audits Program page and Congressional testimony in 2024 that it intends to resume audits, citing both legal authority under section 13411 of the HITECH Act and findings from the Office of Inspector General. The agency has not published a fixed audit-cycle schedule. Practices should treat the protocol as the standing playbook regardless of whether they are formally selected for audit, since complaint-driven investigations and breach reviews use the same framework.

High-frequency audit elements for small practices

Across published Resolution Agreements and audit summaries, the elements that come up most often for small providers:

Security Rule

Privacy Rule

Breach Notification Rule

What "audit" actually looks like for a small practice

A formal audit notice would arrive in writing with a fixed document request and submission deadline (typically 10 business days for initial submission). For most small practices the more common encounter is an investigation opened in response to a complaint or breach report. The protocol is the same playbook in either case.

Common documents OCR requests:

  • Current dated risk analysis
  • Current dated policies and procedures, with version history
  • Training records and sanction policy
  • Workforce roster with access roles
  • BAA log
  • Incident log with the four-factor breach analyses
  • Breach notifications sent and submission receipts
  • System inventory and data flow descriptions
  • Encryption status and key management documentation
  • Logs and audit log retention statement

Preparing the binder ahead of time

A practice that maintains a current binder mapped to the audit protocol can respond in days rather than scrambling for weeks. The structure that holds up:

  • Index page mapping each binder section to its protocol citation
  • A current risk analysis no older than 12 months, with a written re-evaluation cadence
  • Each policy versioned, dated, signed by the Security Official
  • A workforce training register tied to the policy version
  • A BAA log
  • A breach log including any "not a breach" four-factor analyses
  • Evidence files (configuration screenshots, encryption confirmations, log samples) referenced from the relevant policy

How OCR uses the protocol in enforcement

OCR's published Resolution Agreements typically cite specific protocol-aligned elements as missing or inadequate. Recent themes from the Enforcement Highlights page include:

  • Right of access timeliness and fees
  • Risk analysis absence or staleness
  • Ransomware-driven breach response failures
  • Online tracking technologies (per the December 2022 OCR Bulletin on online tracking, partially vacated by a 2024 federal court but with the BAA position retained)
  • Business associate breach reporting failures

Each settlement also includes a corrective action plan that typically runs two to three years and requires periodic evidence submissions. Reading three or four recent CAPs makes the protocol's expectations concrete.

Restraint about claims

No vendor or tool can guarantee an audit outcome. The protocol is a documentation checklist; OCR weighs the totality of evidence including the practice's good-faith remediation. The most predictable variable is the quality and currency of the practice's binder.

How D3rx fits

D3rx SRA Binder Studio is structured around the audit-protocol citation tree. Each binder section maps to a protocol element with the underlying HHS, OCR, eCFR, or NIST source linked. It is a point-in-time administrative documentation aid; the practice remains responsible for the substance.

Next steps

See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.

Where do you stand on your SRA today?

Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. HIPAA Audit Protocolhttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html
  2. 45 CFR Part 164https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
  3. HIPAA Audits Program pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
  4. 164.308(a)(1)(ii)(A)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
  5. 164.308(a)(3) and (a)(4)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
  6. 164.312(a)(2)(iv) and 164.312(e)(2)(ii)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312
  7. 164.312(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312#p-164.312(b
  8. 164.520https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520
  9. 164.524https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
  10. 164.502(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502#p-164.502(b
  11. 164.530https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530
  12. 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.402
  13. 164.404, 164.406, and 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D
  14. 164.408(c)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408#p-164.408(c
  15. Enforcement Highlights pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
  16. OCR Bulletin on online trackinghttps://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html

Sources verified as of May 22, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides