For the InfoSec lead at a covered entity or business associate
OCR audit-prep checklist.
When the Office for Civil Rights opens an investigation under the Risk Analysis Initiative, the first document request lands within days, not weeks. This checklist is what to work through before that letter arrives. Each item is a question the investigator is likely to ask, in the order they ask them.
How to use this. Walk through each section with a printed copy. Tick the boxes that have evidence on file today, mark the rest as gaps, and date the bottom of the page. The dated page is itself a useful internal artifact — your assessor's first question on the next cycle is often "when did you last self-assess against this?"
1. Most recent risk analysis
HIPAA §164.308(a)(1)(ii)(A). The investigator opens here.
- The risk analysis is dated within the last 12 months. Older than 12 months reads as out-of-cycle. If it's older, the gap is one you address on day one of prep.
- The scope statement names every system holding ePHI. Most failures live here. "Corporate Active Directory" is not a complete scope statement.
- The methodology paragraph survives independent review. If your team would not be willing to defend it in an interview, neither will your assessor.
- The risks identified are tied to specific systems, not "general phishing risk." Generic risks read as not-yet-conducted analysis.
- Each risk has a corresponding entry in the risk-management plan.
2. Asset inventory underneath the analysis
The single most-cited deficiency in OCR resolution agreements since 2024. If this is wrong, everything above is wrong.
- The inventory is dated within the last 90 days. Annual snapshots do not pass the "accurate" test.
- The methodology for keeping the inventory current is documented. "We update it manually before audits" is the wrong answer.
- The inventory covers all VLANs that touch ePHI, not just the corporate Active Directory.
- Biomedical devices appear in the inventory. Infusion pumps, telemetry monitors, imaging modalities, pharmacy automation, lab analyzers.
- Vendor-managed and vendor-service equipment appears in the inventory. PACS workstations, modality service laptops, pharmacy-automation vendor tunnels.
- Acquired-practice sites are reconciled within 90 days of close. M&A integration is where inventories typically go stale.
- Contractor laptops on production VLANs are accounted for or explicitly excepted.
- The CMMS used by Clinical Engineering is reconciled against the InfoSec inventory at least quarterly.
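One way to run the quarterly CMMS-to-InfoSec reconciliation and the 90-day freshness check above. This is an added example, not part of this checklist or of any cybriq.io tooling; the CSV column names and the sample rows are constructed assumptions, and real exports come from your CMMS and CMDB/GRC tool.

```python
"""Reconcile the Clinical Engineering CMMS export against the InfoSec
ePHI asset inventory (checklist section 2). Column names are assumed."""
import csv
import io
from datetime import date

MAX_INVENTORY_AGE_DAYS = 90  # "dated within the last 90 days"

# Constructed sample exports (not real data).
INFOSEC_INVENTORY = """serial,hostname,vlan,last_verified
ip-4471,pump-icu-03,ePHI-clinical,2025-02-10
pacs-ws-9,pacs-read-1,ePHI-imaging,2024-06-01
"""
CMMS_EXPORT = """serial,model,department
IP-4471,Infusion Pump,ICU
TM-0310,Telemetry Monitor,Step-down
LA-7720,Lab Analyzer,Core Lab
"""


def load(text, key="serial"):
    """Parse a CSV export into {normalized serial: row}; serials are the
    join key because hostnames differ between CMMS and InfoSec tools."""
    rows = csv.DictReader(io.StringIO(text))
    return {r[key].strip().upper(): r for r in rows}


def reconcile(infosec_csv, cmms_csv, today_iso):
    """Return the three gap lists an assessor asks about."""
    today = date.fromisoformat(today_iso)
    infosec, cmms = load(infosec_csv), load(cmms_csv)
    # Devices Clinical Engineering maintains that InfoSec never scoped:
    # these are the pumps and monitors outside the risk-analysis scope.
    missing_from_infosec = sorted(set(cmms) - set(infosec))
    # Devices InfoSec tracks but CMMS does not: usually retired or mislabeled.
    missing_from_cmms = sorted(set(infosec) - set(cmms))
    # Entries whose last verification is older than the 90-day window.
    stale = sorted(
        s for s, r in infosec.items()
        if (today - date.fromisoformat(r["last_verified"])).days > MAX_INVENTORY_AGE_DAYS
    )
    return {"missing_from_infosec": missing_from_infosec,
            "missing_from_cmms": missing_from_cmms,
            "stale": stale}


if __name__ == "__main__":
    for gap, serials in reconcile(INFOSEC_INVENTORY, CMMS_EXPORT, "2025-03-01").items():
        print(f"{gap}: {serials}")
```

Keep the script's output beside the inventory in the evidence folder; the dated run is the reconciliation artifact section 5 asks for.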
3. Risk-management plan
HIPAA §164.308(a)(1)(ii)(B). Where the analysis becomes action.
- Every identified risk has a corresponding mitigation, acceptance, or transfer decision.
- Mitigation owners and target dates are recorded for each open item.
- Accepted risks are signed off at the appropriate management level.
- The plan was reviewed by senior management within the last 12 months. A signature on a fresh date carries weight.
- Open items from the prior cycle have a status update.
4. Evidence of audit controls
HIPAA §164.312(b). "Mechanisms that record and examine activity in information systems that contain or use electronic protected health information."
- Identity-change events on the ePHI network are logged with timestamps. "New device appeared on port X at time Y" is the kind of record this control wants.
- Log retention meets the period defined in your security plan (commonly 6 years for HIPAA).
- The log destination is documented (SIEM, syslog server, GRC) and access-controlled.
- Audit-log review cadence is documented and someone is actually doing it.
5. Before the auditor walks in
The hour before an interview is when the gaps you didn't address come due.
- The team interviewing knows the scope statement of the most recent risk analysis without consulting notes.
- The team can produce the inventory artifact in under 10 minutes.
- The methodology paragraph is rehearsed. A paste-ready example is on this site at methodology-164-308.html.
- The reconciliation evidence with the CMMS is in the same folder as the inventory.
- The §164.308(a)(8) periodic evaluation record is current.
- A Business Associate Agreement is on file for every business associate that touches ePHI. The investigator may ask for a sample.
6. During the interview
Plain answers; specific examples; "I'll get you that within the day."
- Refer to documents, not memory. "Let me show you that in the risk analysis on page 14" is the right answer.
- If you don't know, say so and commit to a follow-up by a specific date.
- Do not speculate about scope or controls outside your area.
- Take notes during the interview; share them with counsel after.
One last thing. If your inventory is the gap — and the OCR Risk Analysis Initiative settlements suggest it usually is — the methodology that closes that gap before the next cycle is documented at
cybriq.io/healthcare/risk-analysis. The 30-day pilot terms are at
cybriq.io/healthcare/pilot; the artifacts the pilot produces are yours regardless of whether you continue with us.
Date completed: ____________________ Reviewed by: ____________________