Cybersecurity

HIPAA Audit Preparation 2026: The 90-Day Checklist

The 90-day HIPAA audit preparation checklist for mid-size practices — the 7 documents auditors ask for, the 5 findings that recur, and the OCR posture in 2026.

Douglyn 11 min read
Sterile clinical workstation at dusk with an open HIPAA compliance binder showing tabbed sections for SRA, BAAs, Policies, Training, IR, and Encryption, with a subtle checklist-style graphic overlay

The 2026 HIPAA landscape is not the 2020 HIPAA landscape. OCR renewed its audit and enforcement posture through 2024-2025 and has publicly signaled that vendor accountability, encryption, and demonstrable safeguards are the enforcement priorities in 2026 and beyond. The Notice of Proposed Rulemaking for the updated Security Rule published January 6, 2025 remains proposed as of mid-2026, with HHS signaling a summer 2026 publication target. Once the final rule publishes, covered entities and business associates get roughly 180 days to comply — an implementation window that is short in absolute terms and shorter in practical ones once operational reality intrudes.

This is the deeper read on HIPAA audit preparation for mid-size healthcare practices in 2026 — the 7 documents auditors always ask for, the 90-day preparation cycle that actually produces a defensible posture, the 5 findings that recur across denied claims and audit findings, and the calibration for the impending Security Rule update. It pairs with our 2026 HIPAA Security Rule updates for Florida practices post (the cluster hub), the Miami-Dade medical office compliance checklist, the Orlando healthcare cybersecurity deep dive, and the Florida healthcare cybersecurity threat landscape.

Key Takeaways

  • HIPAA audit preparation is 90 days for a healthy practice, 120-150 days for a set-and-forget one. Compressed four-week prep sprints look thorough but don’t survive auditor scrutiny.
  • The Security Risk Analysis is the single most important document. It is also the single most commonly cited deficiency in OCR enforcement actions. Get it right and current.
  • The 2026 Security Rule NPRM changes are substantial. Mandatory encryption, mandatory MFA, mandatory asset inventories, biannual vulnerability scanning, annual penetration testing, 72-hour system restoration, annual compliance audits, and BA annual verification. Start implementing now regardless of when the final rule publishes.
  • Vendor accountability is the 2026 enforcement priority. BAAs need real teeth, subcontractor flow-down obligations, and annual verification. Boilerplate BAAs from 2018 will not pass 2026 audit.
  • Hybrid preparation beats pure internal or pure external. Internal teams assemble the binder (the exercise is the point); external advisor evaluates independently.

The 2026 HIPAA Regulatory State — Where Things Actually Stand

Understanding the regulatory context matters because operators keep asking whether the rules everyone is talking about are actually in force.

The current enforceable law. The 2013 HIPAA Omnibus Rule remains the enforcement baseline. Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule — all in force. The “addressable” versus “required” distinction on Security Rule safeguards is still current law until the Final Rule modifies it.

The 2025 NPRM. On January 6, 2025, HHS published a Notice of Proposed Rulemaking proposing the most significant modifications to the HIPAA Security Rule since its 2003 original publication. The comment period closed March 7, 2025. HHS has signaled a summer 2026 target for publication of the Final Rule, though as of mid-2026 the Final Rule has not been published and could still change materially before it does.

Once published. Covered entities and business associates get roughly 180 days to comply with the new substantive requirements. If publication happens in July 2026, the compliance date lands in January 2027.

What operators should assume. Every one of the proposed changes represents where the regulatory floor is heading. Some may be modified in the Final Rule; none are likely to be relaxed. Practices that start the implementation work now will absorb the effort naturally. Practices that wait will scramble in Q4 2026.

The proposed changes worth planning around:

  • Mandatory encryption — the “addressable” path out disappears. AES-256 for data at rest, TLS 1.2+ for data in transit, no documentation exemption.
  • Mandatory MFA — for all systems accessing ePHI, not just email.
  • Mandatory asset inventories and network maps — documented, maintained, current.
  • Biannual vulnerability scans, annual penetration tests — with documented remediation of findings.
  • 72-hour system restoration — the practice must be able to restore critical systems within 72 hours of an incident, and must test this capability.
  • Annual compliance audits — internal or external, but formal and documented.
  • BA annual verification — business associates must annually verify (in writing, by a subject-matter expert) that they have deployed the required technical safeguards.

The 7 Documents Auditors Always Ask For

When OCR opens an investigation or audit, the initial document request follows a predictable pattern. The seven documents every mid-size practice needs current, complete, and defensible:

  1. Current Security Risk Analysis (SRA). Updated within the last 12 months. Documents where PHI lives, moves, and is stored across EHR, billing, imaging, telehealth, cloud apps, and third-party integrations. Identifies threats, vulnerabilities, and the risk of each combination. Names the specific mitigations for each risk. Signed and dated by the Security Officer.
  2. Written HIPAA policies and procedures. Covering the Privacy Rule, Security Rule, and Breach Notification Rule. Access control, authentication, encryption, device and media controls, transmission security, logging and monitoring, contingency planning, sanctions, and minimum necessary standards. Version-controlled, reviewed annually, signed by leadership.
  3. Business Associate Agreements (BAAs). Current with every vendor that creates, receives, maintains, or transmits PHI on your behalf. Include the required flow-down obligations for subcontractors. Reviewed within the last 12 months against current template language.
  4. Workforce training records. Documentation of training upon hire, when duties change, and periodically thereafter. Tailored by role (clinical, billing, IT, leadership). Attestations signed by each workforce member.
  5. Incident response plan and breach notification procedures. Documented playbook covering the four common incident scenarios (vendor breach, insider event, cyber attack, lost device). Tested at least annually via tabletop exercise. Named on-call roles with contact information.
  6. Technical safeguards evidence. Access logs and audit trails, encryption implementation documentation, MFA configuration screenshots, EDR agent health reports, vulnerability scan results, patch management records. The proof that the safeguards named in your policies are actually deployed.
  7. Risk register / remediation tracking. The documented record of identified risks, planned mitigations, deadlines, owners, and completion evidence. Auditors want to see that identified risks lead to remediation, not that they get identified and forgotten.

Missing any of these means the audit response will lead with a gap, and gaps compound in auditor psychology.

The 90-Day Preparation Checklist

The cycle that actually produces audit-ready posture.

Days 1-30: Inventory + SRA Refresh + BAA Gap Audit

The foundation work. If it’s not done cleanly, everything downstream is on unstable ground.

  • Complete PHI inventory. Where does PHI live in your practice today? Systems of record (EHR, PM, billing, telehealth), systems of storage (cloud drives, backup services, medical imaging archives), systems of transit (email, secure messaging, portals, EDI), physical PHI (paper charts, faxes, physical exam rooms). Every location, categorized by data type and volume.
  • Security Risk Analysis refresh. Update the SRA against the current inventory. New systems added in the last 12 months (telehealth expansions, AI-scribing tools, remote-work systems) create new risks. Document them, assess them, plan mitigations.
  • BAA gap audit. List every vendor that touches PHI. Match against BAA inventory. Flag missing BAAs (both discovered vendors with no BAA in place and BAAs that reference vendors you no longer use). Review current BAAs against 2026 expectations (annual verification language, subcontractor flow-down, incident notification timelines).
  • Named privacy and security officers. If either role is vacant or shared with someone who doesn’t have time for it, address before proceeding.

Days 31-60: Policy Documentation + Workforce Training + IR Runbook

The formalization work.

  • HIPAA policies and procedures review. Version-controlled, dated, signed. Cover all required areas per the Privacy and Security Rules. Update for the 2026 proposed changes (encryption is required, not addressable; MFA is required; asset inventory is required; annual compliance audit is required).
  • Workforce training refresh. Confirm every workforce member has completed training within the last 12 months. New hires trained on hire. Role-based content for clinical vs administrative vs IT vs leadership. Signed attestations.
  • Incident response runbook. Documented procedure for the four common incident scenarios. Named on-call rotation with contact information. Escalation path clear.
  • Notification workflow documented. For the 60-day individual notification, the potentially-imminent 72-hour proposed timeline, and the annual media notification for 500+ affected individuals in a state.

Days 61-90: Controls Testing + Tabletop + Audit Binder Assembly

The proof-of-work stage.

  • Technical safeguards evidence collection. Access logs, encryption implementation, MFA configuration reports, EDR health reports, vulnerability scan results, patch management logs, backup and restoration test results.
  • Tabletop exercise. Real tabletop or simulated real-time. Test the incident response runbook against a realistic scenario (ransomware, insider breach, vendor incident, lost device). Document the exercise, identify gaps, remediate.
  • 72-hour restoration test. Verify the practice can restore critical systems (EHR, PM, billing) within 72 hours of a simulated incident. Document the test, the timeline, the successes, and the gaps.
  • Audit binder assembly. All 7 documents current, organized, cross-referenced. Table of contents. Executive summary. Ready to hand to OCR, an external assessor, a customer counterparty, or your cyber insurance carrier at renewal.

The 5 Findings That Recur

The patterns in denied claims, OCR settlements, and third-party assessment reports:

  1. Stale Security Risk Analysis. The SRA was completed once (often by an outside consultant) and never updated. New systems, new integrations, new risks — all invisible to the analysis.
  2. Missing or weak BAAs. Vendors with no BAA in place. BAAs missing required provisions (subcontractor flow-down, breach notification timing, annual verification). BAAs referencing outdated regulatory language.
  3. Encryption gaps. ePHI stored unencrypted on backup drives, portable devices, or cloud storage. Email transmissions of PHI without encryption. The “addressable” documentation path was invoked without proper compensating controls documentation.
  4. Weak access controls. Shared logins for clinical systems. MFA not enforced on remote access. Role-based access not implemented or not maintained as roles change. Terminated employees with active credentials months after departure.
  5. Untested incident response. IR runbook exists on paper but nobody has read it. On-call rotation not maintained. Tabletop exercise never conducted or dated to 3+ years ago. Notification timelines missed on the last actual incident.

Each is preventable with the 90-day cycle above. Each is what auditors find first when preparation was rushed or absent.

When to Self-Assess vs Hire External

The hybrid model works for most mid-size practices:

  • Internal team assembles the readiness binder. The exercise of assembling documentation forces the practice’s people to know what they have. That knowledge is the actual point.
  • External HIPAA advisor conducts the readiness review. Independence matters. Internal self-assessment tends to miss the gaps that have been present so long they’ve become invisible.
  • Tabletop is facilitated externally at least once. Getting facilitated by someone whose only agenda is testing your response reveals gaps internal facilitators glide past.

Full external engagements ($15K-$50K for a mid-size practice) are appropriate for first-time assessments, post-leadership-change reviews, or the year before an anticipated OCR audit. Ongoing hybrid engagements ($8K-$25K annually) fit most steady-state operations. Pure internal self-assessment is rarely enough.

What BASG Does for South Florida and Regional Healthcare Practices

We conduct HIPAA readiness engagements for mid-size healthcare practices across South Florida, Central Florida, and regional healthcare networks. The deliverables are concrete: the current-state Security Risk Analysis, the policy and procedure document set, the BAA inventory and gap remediation plan, the workforce training refresh, the incident response runbook, the tabletop exercise, and the audit binder ready for OCR document requests, third-party assessments, cyber insurance renewals, and customer vendor due diligence.

Our healthcare IT services and industry compliance engagements are built around this readiness posture — because the audit binder that satisfies OCR is the same binder that satisfies cyber insurance carriers, and the same posture that reduces breach probability in the first place. We combine the cybersecurity services infrastructure work (encryption, MFA, EDR, network segmentation) with the HIPAA-specific documentation and process work that turns technical controls into audit-defensible artifacts.

If your practice hasn’t refreshed its HIPAA posture in the last 18 months, or if the impending Final Rule publication has surfaced the question of readiness, get in touch for a 45-minute readiness scoping call. We’ll walk through the 7-document baseline, identify which of the 5 recurring findings apply to your practice, and propose a 90-day path to a defensible audit binder. The Final Rule enforcement window will close faster than most operators expect. Better to start now than to explain the compressed timeline to an auditor in Q1 2027.

Frequently Asked Questions

Will OCR actually audit our mid-size practice, or is that only large hospital systems?

OCR audits mid-size practices regularly, and the 2026 posture doubles down on it. The historical audit statistics that made operators think mid-size was safe are misleading — most OCR enforcement activity is complaint-driven or breach-triggered, not scheduled proactive audit. Any breach affecting 500+ individuals triggers a mandatory OCR investigation, which functions as a de facto audit; any complaint alleging privacy or security violations can trigger the same. Add the OCR Right of Access Initiative (which specifically targets small and mid-size practices for failure to provide patient access to records) and the actual audit exposure for a mid-size practice is meaningful. Practical guidance: prepare as though you will be audited. The prep work is the same posture that reduces breach probability, keeps cyber insurance carriers underwriting favorably, and passes the vendor due-diligence questionnaires customer counterparties are increasingly sending. The audit is not the destination — the readiness is.

How long does HIPAA audit preparation really take for a mid-size practice?

For a mid-size practice (10-50 providers, 50-250 employees, single or multi-location) with reasonable existing HIPAA infrastructure but no recent audit, expect the full readiness cycle to take 90 days. If HIPAA has been treated as a set-it-and-forget-it program for years (stale SRA, unreviewed BAAs, training records that stopped at onboarding), expect 120-150 days including remediation work. If HIPAA has been actively managed with annual SRA updates and current documentation, expect 45-60 days of assembly work to get audit-binder ready. The compressed timelines operators sometimes attempt (four weeks of frantic preparation before an OCR document request) rarely produce a clean binder — they produce a binder that looks assembled but has gaps auditors find quickly. Give the work the time it needs; the cost of gaps found during audit is dramatically higher than the cost of gaps found during self-assessment.

What's the difference between an OCR audit and a third-party HIPAA assessment?

OCR audits are conducted by the Department of Health and Human Services Office for Civil Rights. They are the enforcement authority. An OCR audit or investigation can result in corrective action plans, resolution agreements, monetary settlements, or in serious cases civil monetary penalties. OCR requests documents on a specific timeline (typically 10-20 business days) and evaluates them against the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule requirements. Third-party HIPAA assessments are performed by outside firms (specialized HIPAA consultancies, cybersecurity firms with healthcare practices, or the healthcare-vertical arms of Big Four accounting firms). They are not enforcement actions — they are readiness reviews you commission yourself. The output is a report identifying gaps against the same regulatory requirements OCR uses, plus recommendations for remediation. Most mid-size practices should have a third-party assessment done at least once, and ideally on a 2-3 year cycle. The independence of the assessor matters — an internal self-assessment (even a rigorous one) tends to miss the gaps you've grown blind to. Use the third-party report to drive the remediation work that makes the OCR audit path uneventful.

Should we prepare for the 2026 HIPAA Security Rule Final Rule before it's actually published?

Yes, and the reason is math. HHS has signaled a summer 2026 publication target for the updated Security Rule. Once published, covered entities and business associates get roughly 180 days to comply with the new substantive requirements. If publication happens in July 2026 as expected, the enforcement window starts in January 2027 — six months of implementation time. The proposed changes are substantial: mandatory encryption at rest (AES-256) and in transit (TLS 1.2+) with no addressable-safeguard path out, mandatory multi-factor authentication for all systems accessing ePHI, mandatory technology asset inventories and network diagrams, mandatory vulnerability scanning every six months, mandatory penetration testing annually, mandatory 72-hour system restoration capability after incidents, mandatory annual compliance audits, and business associates required to annually verify (in writing) that they have deployed the required technical safeguards. Practices that start the implementation work now can absorb the effort as part of their normal operational cadence. Practices that wait until the final rule publishes will be scrambling in Q4 2026. Even if the final rule is delayed or modified (both possible), every one of the proposed changes represents best-practice cybersecurity posture. There is no scenario where doing this work now is wasted.

Should we self-assess or hire an external HIPAA advisor?

Hybrid. The mechanical work of assembling documentation, updating the Security Risk Analysis, reviewing BAAs, and refreshing training records is best done internally — it forces the practice's people to know what they have, which is the actual point of the exercise. The evaluation of that work against regulatory requirements is best done by someone independent. Three practical structures: (1) Internal team assembles the readiness binder; external HIPAA advisor reviews it for gaps and flags remediation priorities. Common for practices with a strong compliance officer. (2) Internal team drives the SRA and policy work; external advisor conducts the tabletop exercise and reviews the incident response runbook. Common for practices with a strong IT function but light compliance staffing. (3) External advisor drives the full assessment while internal team supports; used typically for the first HIPAA assessment or after a leadership change. Full external engagements for a mid-size practice typically cost $15,000-$50,000; hybrid engagements $8,000-$25,000. Neither is optional if you want a defensible audit posture — the only question is where the internal-external line lives.

What does HIPAA audit preparation actually cost for a mid-size practice?

For a typical mid-size practice, expect $15,000-$60,000 in year-one preparation costs. The breakdown: external HIPAA advisor fees ($8,000-$25,000 for the readiness assessment + remediation planning), internal staff time (0.25-0.5 FTE equivalent across the 90-day period, typically pulled from the compliance officer / privacy officer role plus IT lead plus practice manager), technology remediation ($3,000-$20,000 depending on what gaps exist — encryption tooling, MFA deployment, EDR upgrades, BAA-tracking software), workforce training refresh ($1,500-$5,000 for a mid-size headcount), tabletop exercise ($2,000-$8,000 if externally facilitated). Year two ongoing costs drop to $8,000-$20,000 for the annual SRA update, quarterly BAA review, workforce training refresh, and a mid-cycle tabletop. Compare to the actuarial cost of an OCR resolution agreement (typically $50K-$500K+ for mid-size settlements, plus corrective action plan costs that often exceed the settlement itself) and the ROI of readiness work is straightforward. Compare to cyber insurance carrier renewal expectations (which increasingly track HIPAA readiness) and the readiness work often pays back through flat or reduced premiums alone.
Tags: hipaa audit preparation hipaa audit checklist 2026 hipaa risk analysis 2026 hipaa audit mid-size practice hipaa compliance 2026 ocr audit healthcare cybersecurity

Let's Build Your Technology Strategy

Ready to transform your IT from a cost center into a competitive advantage? Talk to our team.