HIPAA Audit Preparation 2026: The 90-Day Checklist
The 90-day HIPAA audit preparation checklist for mid-size practices — the 7 documents auditors ask for, the 5 findings that recur, and the OCR posture in 2026.
The 2026 HIPAA landscape is not the 2020 HIPAA landscape. OCR renewed its audit and enforcement posture through 2024-2025 and has publicly signaled that vendor accountability, encryption, and demonstrable safeguards are the enforcement priorities in 2026 and beyond. The Notice of Proposed Rulemaking for the updated Security Rule published January 6, 2025 remains proposed as of mid-2026, with HHS signaling a summer 2026 publication target. Once the final rule publishes, covered entities and business associates get roughly 180 days to comply — an implementation window that is short in absolute terms and shorter in practical ones once operational reality intrudes.
This is the deeper read on HIPAA audit preparation for mid-size healthcare practices in 2026 — the 7 documents auditors always ask for, the 90-day preparation cycle that actually produces a defensible posture, the 5 findings that recur across denied claims and audit findings, and the calibration for the impending Security Rule update. It pairs with our 2026 HIPAA Security Rule updates for Florida practices post (the cluster hub), the Miami-Dade medical office compliance checklist, the Orlando healthcare cybersecurity deep dive, and the Florida healthcare cybersecurity threat landscape.
Key Takeaways
- HIPAA audit preparation is 90 days for a healthy practice, 120-150 days for a set-and-forget one. Compressed four-week prep sprints look thorough but don’t survive auditor scrutiny.
- The Security Risk Analysis is the single most important document. It is also the single most commonly cited deficiency in OCR enforcement actions. Get it right and current.
- The 2026 Security Rule NPRM changes are substantial. Mandatory encryption, mandatory MFA, mandatory asset inventories, biannual vulnerability scanning, annual penetration testing, 72-hour system restoration, annual compliance audits, and BA annual verification. Start implementing now regardless of when the final rule publishes.
- Vendor accountability is the 2026 enforcement priority. BAAs need real teeth, subcontractor flow-down obligations, and annual verification. Boilerplate BAAs from 2018 will not pass 2026 audit.
- Hybrid preparation beats pure internal or pure external. Internal teams assemble the binder (the exercise is the point); external advisor evaluates independently.
The 2026 HIPAA Regulatory State — Where Things Actually Stand
Understanding the regulatory context matters because operators keep asking whether the rules everyone is talking about are actually in force.
The current enforceable law. The 2013 HIPAA Omnibus Rule remains the enforcement baseline. Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule — all in force. The “addressable” versus “required” distinction on Security Rule safeguards is still current law until the Final Rule modifies it.
The 2025 NPRM. On January 6, 2025, HHS published a Notice of Proposed Rulemaking proposing the most significant modifications to the HIPAA Security Rule since its 2003 original publication. The comment period closed March 7, 2025. HHS has signaled a summer 2026 target for publication of the Final Rule, though as of mid-2026 the Final Rule has not been published and could still change materially before it does.
Once published. Covered entities and business associates get roughly 180 days to comply with the new substantive requirements. If publication happens in July 2026, the compliance date lands in January 2027.
What operators should assume. Every one of the proposed changes represents where the regulatory floor is heading. Some may be modified in the Final Rule; none are likely to be relaxed. Practices that start the implementation work now will absorb the effort naturally. Practices that wait will scramble in Q4 2026.
The proposed changes worth planning around:
- Mandatory encryption — the “addressable” path out disappears. AES-256 for data at rest, TLS 1.2+ for data in transit, no documentation exemption.
- Mandatory MFA — for all systems accessing ePHI, not just email.
- Mandatory asset inventories and network maps — documented, maintained, current.
- Biannual vulnerability scans, annual penetration tests — with documented remediation of findings.
- 72-hour system restoration — the practice must be able to restore critical systems within 72 hours of an incident, and must test this capability.
- Annual compliance audits — internal or external, but formal and documented.
- BA annual verification — business associates must annually verify (in writing, by a subject-matter expert) that they have deployed the required technical safeguards.
The 7 Documents Auditors Always Ask For
When OCR opens an investigation or audit, the initial document request follows a predictable pattern. The seven documents every mid-size practice needs current, complete, and defensible:
- Current Security Risk Analysis (SRA). Updated within the last 12 months. Documents where PHI lives, moves, and is stored across EHR, billing, imaging, telehealth, cloud apps, and third-party integrations. Identifies threats, vulnerabilities, and the risk of each combination. Names the specific mitigations for each risk. Signed and dated by the Security Officer.
- Written HIPAA policies and procedures. Covering the Privacy Rule, Security Rule, and Breach Notification Rule. Access control, authentication, encryption, device and media controls, transmission security, logging and monitoring, contingency planning, sanctions, and minimum necessary standards. Version-controlled, reviewed annually, signed by leadership.
- Business Associate Agreements (BAAs). Current with every vendor that creates, receives, maintains, or transmits PHI on your behalf. Include the required flow-down obligations for subcontractors. Reviewed within the last 12 months against current template language.
- Workforce training records. Documentation of training upon hire, when duties change, and periodically thereafter. Tailored by role (clinical, billing, IT, leadership). Attestations signed by each workforce member.
- Incident response plan and breach notification procedures. Documented playbook covering the four common incident scenarios (vendor breach, insider event, cyber attack, lost device). Tested at least annually via tabletop exercise. Named on-call roles with contact information.
- Technical safeguards evidence. Access logs and audit trails, encryption implementation documentation, MFA configuration screenshots, EDR agent health reports, vulnerability scan results, patch management records. The proof that the safeguards named in your policies are actually deployed.
- Risk register / remediation tracking. The documented record of identified risks, planned mitigations, deadlines, owners, and completion evidence. Auditors want to see that identified risks lead to remediation, not that they get identified and forgotten.
Missing any of these means the audit response will lead with a gap, and gaps compound in auditor psychology.
The 90-Day Preparation Checklist
The cycle that actually produces audit-ready posture.
Days 1-30: Inventory + SRA Refresh + BAA Gap Audit
The foundation work. If it’s not done cleanly, everything downstream is on unstable ground.
- Complete PHI inventory. Where does PHI live in your practice today? Systems of record (EHR, PM, billing, telehealth), systems of storage (cloud drives, backup services, medical imaging archives), systems of transit (email, secure messaging, portals, EDI), physical PHI (paper charts, faxes, physical exam rooms). Every location, categorized by data type and volume.
- Security Risk Analysis refresh. Update the SRA against the current inventory. New systems added in the last 12 months (telehealth expansions, AI-scribing tools, remote-work systems) create new risks. Document them, assess them, plan mitigations.
- BAA gap audit. List every vendor that touches PHI. Match against BAA inventory. Flag missing BAAs (both discovered vendors with no BAA in place and BAAs that reference vendors you no longer use). Review current BAAs against 2026 expectations (annual verification language, subcontractor flow-down, incident notification timelines).
- Named privacy and security officers. If either role is vacant or shared with someone who doesn’t have time for it, address before proceeding.
Days 31-60: Policy Documentation + Workforce Training + IR Runbook
The formalization work.
- HIPAA policies and procedures review. Version-controlled, dated, signed. Cover all required areas per the Privacy and Security Rules. Update for the 2026 proposed changes (encryption is required, not addressable; MFA is required; asset inventory is required; annual compliance audit is required).
- Workforce training refresh. Confirm every workforce member has completed training within the last 12 months. New hires trained on hire. Role-based content for clinical vs administrative vs IT vs leadership. Signed attestations.
- Incident response runbook. Documented procedure for the four common incident scenarios. Named on-call rotation with contact information. Escalation path clear.
- Notification workflow documented. For the 60-day individual notification, the potentially-imminent 72-hour proposed timeline, and the annual media notification for 500+ affected individuals in a state.
Days 61-90: Controls Testing + Tabletop + Audit Binder Assembly
The proof-of-work stage.
- Technical safeguards evidence collection. Access logs, encryption implementation, MFA configuration reports, EDR health reports, vulnerability scan results, patch management logs, backup and restoration test results.
- Tabletop exercise. Real tabletop or simulated real-time. Test the incident response runbook against a realistic scenario (ransomware, insider breach, vendor incident, lost device). Document the exercise, identify gaps, remediate.
- 72-hour restoration test. Verify the practice can restore critical systems (EHR, PM, billing) within 72 hours of a simulated incident. Document the test, the timeline, the successes, and the gaps.
- Audit binder assembly. All 7 documents current, organized, cross-referenced. Table of contents. Executive summary. Ready to hand to OCR, an external assessor, a customer counterparty, or your cyber insurance carrier at renewal.
The 5 Findings That Recur
The patterns in denied claims, OCR settlements, and third-party assessment reports:
- Stale Security Risk Analysis. The SRA was completed once (often by an outside consultant) and never updated. New systems, new integrations, new risks — all invisible to the analysis.
- Missing or weak BAAs. Vendors with no BAA in place. BAAs missing required provisions (subcontractor flow-down, breach notification timing, annual verification). BAAs referencing outdated regulatory language.
- Encryption gaps. ePHI stored unencrypted on backup drives, portable devices, or cloud storage. Email transmissions of PHI without encryption. The “addressable” documentation path was invoked without proper compensating controls documentation.
- Weak access controls. Shared logins for clinical systems. MFA not enforced on remote access. Role-based access not implemented or not maintained as roles change. Terminated employees with active credentials months after departure.
- Untested incident response. IR runbook exists on paper but nobody has read it. On-call rotation not maintained. Tabletop exercise never conducted or dated to 3+ years ago. Notification timelines missed on the last actual incident.
Each is preventable with the 90-day cycle above. Each is what auditors find first when preparation was rushed or absent.
When to Self-Assess vs Hire External
The hybrid model works for most mid-size practices:
- Internal team assembles the readiness binder. The exercise of assembling documentation forces the practice’s people to know what they have. That knowledge is the actual point.
- External HIPAA advisor conducts the readiness review. Independence matters. Internal self-assessment tends to miss the gaps that have been present so long they’ve become invisible.
- Tabletop is facilitated externally at least once. Getting facilitated by someone whose only agenda is testing your response reveals gaps internal facilitators glide past.
Full external engagements ($15K-$50K for a mid-size practice) are appropriate for first-time assessments, post-leadership-change reviews, or the year before an anticipated OCR audit. Ongoing hybrid engagements ($8K-$25K annually) fit most steady-state operations. Pure internal self-assessment is rarely enough.
What BASG Does for South Florida and Regional Healthcare Practices
We conduct HIPAA readiness engagements for mid-size healthcare practices across South Florida, Central Florida, and regional healthcare networks. The deliverables are concrete: the current-state Security Risk Analysis, the policy and procedure document set, the BAA inventory and gap remediation plan, the workforce training refresh, the incident response runbook, the tabletop exercise, and the audit binder ready for OCR document requests, third-party assessments, cyber insurance renewals, and customer vendor due diligence.
Our healthcare IT services and industry compliance engagements are built around this readiness posture — because the audit binder that satisfies OCR is the same binder that satisfies cyber insurance carriers, and the same posture that reduces breach probability in the first place. We combine the cybersecurity services infrastructure work (encryption, MFA, EDR, network segmentation) with the HIPAA-specific documentation and process work that turns technical controls into audit-defensible artifacts.
If your practice hasn’t refreshed its HIPAA posture in the last 18 months, or if the impending Final Rule publication has surfaced the question of readiness, get in touch for a 45-minute readiness scoping call. We’ll walk through the 7-document baseline, identify which of the 5 recurring findings apply to your practice, and propose a 90-day path to a defensible audit binder. The Final Rule enforcement window will close faster than most operators expect. Better to start now than to explain the compressed timeline to an auditor in Q1 2027.


