This is engineering guidance, not legal advice. Confirm specifics with qualified counsel.

Why this matters

If you run a telemedicine product, the question is not whether your compliance will ever be examined — it is which of the three doors the examiner uses and whether your evidence exists before the letter arrives. The Office for Civil Rights opened a compliance review for every one of the 732 large breaches reported in 2023, restarted proactive audits in December 2024, and keeps finding the same first gap: in its enforcement actions, a missing or inadequate risk analysis is the most-cited failure. The teams that suffer are rarely the ones with the worst security; they are the ones that cannot show their security inside a ten-business-day window. This article is for the founder, product manager, or hospital IT lead who wants the launch-day evidence binder assembled now — while assembling it is still cheap — and it is the capstone of everything Block 2 of this section has covered so far. A one-page, gated version of the full checklist ships with the article as a PDF.

Ready for what, exactly — the three doors

Start by defining the examiner, because "HIPAA audit" is used loosely and the loose usage causes bad planning. The Health Insurance Portability and Accountability Act (HIPAA) is enforced for privacy and security purposes by the Office for Civil Rights (OCR), an agency inside the US Department of Health and Human Services (HHS). We walked through what HIPAA itself requires — the Privacy Rule, the Security Rule, the Breach Notification Rule, and the protected health information (PHI) they all guard — in HIPAA in plain English for product teams. Refresher in one line: PHI is any health information that can be tied to an identifiable person, and your telemedicine product is full of it.

OCR examines a company through three distinct mechanisms, and each one starts a different clock.

Door one: the complaint investigation. Anyone — a patient, an ex-employee, a competitor — can file a HIPAA complaint with OCR, generally within 180 days of the event. If OCR sees a potential violation, it opens an investigation and sends the organization a notification letter that names the allegation and requests documents: typically your policies, your risk analysis, your training records, and everything related to the incident. Response deadlines are set per letter and are short — two to four weeks is a common range in practice. An investigation looks backward at a specific event, but the document list looks at your whole program, because OCR's first question is always whether the failure was a one-off or a symptom.

Door two: the breach-driven compliance review. Under the Breach Notification Rule, a breach of unsecured PHI affecting 500 or more people must be reported to HHS within 60 days of discovery (45 CFR §164.408), and OCR opens a compliance review of every such report — 732 of them in 2023, per OCR's report to Congress. In other words, a large breach is an audit notice you wrote yourself. Smaller breaches go into an annual log submitted within 60 days of calendar-year end, and they can be investigated too, at OCR's discretion. Since February 2026 the same public portal also takes separate breach reports for substance-use-disorder records under 42 CFR Part 2 — a detail with teeth for behavioral telehealth, where one incident can now require two filings, and which we flagged from the rules side in state and specialty rules.

Door three: the audit program. The HITECH Act of 2009 (section 13411) requires HHS to periodically audit covered entities and business associates for compliance with the HIPAA rules — proactively, with no complaint and no breach required. After a seven-year pause, OCR restarted this program in December 2024: the 2024–2025 audits examine 50 covered entities and business associates against the Security Rule provisions most relevant to hacking and ransomware, above all risk analysis and risk management. The program's mechanics are documented and unforgiving of improvisation: selected entities submit requested documents through OCR's secure portal within ten business days, receive draft findings, get ten business days to comment, and the auditor issues a final report within 30 business days after that. An audit is "only" technical assistance in form — but HHS's own Office of Inspector General (OIG) reviewed the program in November 2024, found that the 2016–2017 round had tested just 8 of 180 requirements and required no fixes afterward, and recommended OCR audit deeper — including physical and technical safeguards — and follow up on corrections. Plan for the audit that OIG asked for, not the one its report criticized. And an audit that surfaces something serious can hand you door one or two on the way out.

Figure 1 (illustration: three routes into an OCR examination, complaint, breach report and audit selection, converging on one document request). Three doors, one destination: whichever way OCR arrives, what lands on your desk is a document list with a deadline. The binder is the same — so build it once, before any door opens.

The comparison that matters for planning:

Complaint investigation
  • Trigger: anyone files, within ~180 days of the event
  • Probability driver: user-base size, disgruntled insiders, visible mistakes
  • First clock: per letter; commonly 2–4 weeks
  • Scope: the incident, plus your whole program as context
  • Typical output: closure, technical assistance, resolution agreement, or civil money penalty

Breach compliance review
  • Trigger: your own report of a 500+ breach, within 60 days of discovery (§164.408)
  • Probability driver: your security posture; the ransomware epidemic
  • First clock: the 60-day notification deadlines, then OCR's review letter
  • Scope: the breach, plus the safeguards that should have prevented it
  • Typical output: the same, with the breach on the public portal

Audit program (2024–2025)
  • Trigger: OCR selects you (HITECH §13411); no event needed
  • Probability driver: pool membership, which is every covered entity and business associate
  • First clock: 10 business days to submit via OCR's portal
  • Scope: selected provisions; in 2024–25, risk analysis and risk management
  • Typical output: findings report; industry report; escalation if findings are serious

Table 1. The three examination routes compared. Penalty exposure is the same arithmetic in all three: $145 to $73,011 per violation depending on culpability, capped at $2,190,294 per provision per calendar year (HHS annual inflation adjustment, effective January 28, 2026).

The clock math nobody runs

Here is the arithmetic that makes readiness a launch requirement rather than a someday project. Walk through it once, out loud.

A proper risk analysis — the systematic assessment of threats to all electronic PHI you hold, required by §164.308(a)(1)(ii)(A) — takes a focused team roughly four to eight weeks to produce the first time: inventory the systems, map the data flows, score the risks, document the decisions. Call it six weeks, or 30 working days, the middle of that range.

Audit window: 10 business days. First-time risk analysis: ~30 business days. Gap: you are 20 business days short — before OCR has asked a single follow-up question.

The same shortfall repeats for every artifact on the request list. Business Associate Agreements — the contract, called a BAA, that any vendor handling PHI for you must sign, dissected in our BAA article — take days to weeks per vendor to negotiate; you cannot backfill one inside the window, and a backdated one is a federal problem of an entirely different kind. Training records cannot be conjured for training that did not happen. Six years of policy documentation (§164.316(b)(2)(i)) cannot be written in week one. The readiness checklist below is, at bottom, a list of everything that cannot be produced in ten business days — which is exactly why OCR asks for it.

One more number completes the picture: zero. That is how many "HIPAA certificates" the US government issues. No agency certifies products or companies as HIPAA-compliant; vendors selling certification badges are selling decoration. What exists is evidence of an ongoing program — which is cheaper than the badge and is the only thing OCR reads.

What OCR asks for first — the pull list

Across all three doors, the opening document request is remarkably stable, because OCR's audit protocol — the published checklist its auditors and investigators work from — is organized around the same rule provisions every time. The table below is the request list reconstructed from the audit protocol and enforcement practice, mapped to where each item should already live in your evidence binder. Treat it as the table of contents for the binder itself.

Each row gives what OCR requests, the rule behind it, the evidence artifact that answers it, and the refresh cadence.

  1. Current risk analysis, and prior versions. Rule: §164.308(a)(1)(ii)(A). Artifact: risk analysis report with system inventory, data-flow map, scored risks, dated sign-off. Refresh: annual, and on change.
  2. Risk management plan and remediation evidence. Rule: §164.308(a)(1)(ii)(B). Artifact: ranked risk register with owners, deadlines, closed-item log. Refresh: quarterly.
  3. Written policies and procedures, with revision history. Rule: §164.316(a), (b)(2)(iii). Artifact: versioned policy set covering each safeguard standard. Refresh: annual review.
  4. All Business Associate Agreements. Rule: §164.502(e), §164.504(e), §164.308(b). Artifact: BAA inventory (vendor, service, PHI touched, signature date) plus the agreements themselves. Refresh: on vendor change.
  5. Workforce training materials and completion records. Rule: §164.308(a)(5); §164.530(b). Artifact: curriculum, dated completion list per person, new-hire and refresher logs. Refresh: annual, and for each new hire.
  6. Sanctions policy and any applications of it. Rule: §164.308(a)(1)(ii)(C). Artifact: written policy; documented (anonymized) enforcement instances. Refresh: as applied.
  7. Security incident procedures and the incident log. Rule: §164.308(a)(6). Artifact: incident response plan; incident register including non-breach incidents. Refresh: per incident.
  8. Breach risk assessments and notification records. Rule: §§164.402–408. Artifact: four-factor assessment per incident; notice letters; HHS submissions; annual small-breach log. Refresh: per incident, and annually.
  9. Access management and termination procedures, with proof. Rule: §164.308(a)(3), (a)(4); §164.312(a)(2)(i). Artifact: role-access matrix; provisioning and deprovisioning tickets; quarterly access reviews. Refresh: quarterly.
  10. Audit logs and the reviews of them. Rule: §164.312(b); §164.308(a)(1)(ii)(D). Artifact: log samples; written review procedure; dated review notes. Refresh: ongoing.
  11. Contingency plan: backups, disaster recovery, emergency mode. Rule: §164.308(a)(7). Artifact: backup configs and restore-test results; DR plan; criticality analysis. Refresh: tested annually.
  12. Evaluation reports, the periodic program re-checks. Rule: §164.308(a)(8). Artifact: dated evaluation after each environment or regulatory change. Refresh: annual, and on change.
  13. Notice of Privacy Practices as patients see it. Rule: §164.520. Artifact: the notice, plus where it appears in the app and on the web. Refresh: on material change.
  14. Asset inventory and network map (expected to formalize under the 2026 update). Rule: proposed in the Security Rule NPRM (RIN 0945-AA22). Artifact: system list with owners; network diagram with PHI flows marked. Refresh: on change.

Table 2. The pull list. Items 1–13 are current obligations; item 14 is proposed but is also simply the substrate a competent risk analysis already requires. The audit protocol's published version dates to July 2018 — older than the 2024–25 audit round — so expect requests to track the NPRM's emphases even before a final rule lands.

Two practical notes on format. OCR's portal intake in the audit program accepts ordinary business documents — PDF, Word, Excel — and the protocol's standing instruction is blunt: if documentation does not exist, the entity must say so in a statement. Absence is an answer, and it is scored as one. Second, the request reads "current and prior versions" in several places deliberately: a risk analysis dated the week after the letter arrived tells the examiner more than a missing one.

Figure 2 (illustration: the audit evidence binder as fourteen labeled tabs, each mapped to its rule citation). The evidence binder. Fourteen tabs, one per request-list row — if a tab is empty today, that row is your to-do list, and the statement-of-absence rule means an examiner will see exactly which tabs were empty.

The readiness checklist — seven phases, in order

What follows is the ordered checklist this article exists to deliver. It is sequenced so that each phase produces the inputs the next one consumes — scope before assessment, assessment before contracts, contracts before controls — which is also roughly the cheapest order to do the work in. Run it before launch; re-run the marked items on the cadence given in Phase 7. The one-page gated PDF compresses all seven phases into a wall chart.

A scoping reminder before item one: HIPAA's duties attach to covered entities — health plans, clearinghouses, most providers — and to business associates, the vendors that handle PHI on a covered entity's behalf. Since the 2013 Omnibus Rule, business associates are directly liable under the Security Rule. A telemedicine platform serving providers is a business associate at minimum; "we're just the software" has not been a defense for over a decade. The product-landscape article maps which role each business model lands in.

Phase 1 — Govern: name the owners, draw the scope

  • Designate a security official and a privacy official, in writing. One named person accountable for the Security Rule program (§164.308(a)(2)) and one for the Privacy Rule program (§164.530(a)) — the same person in a small company is fine; "the team collectively" is not.
  • Inventory every system that creates, receives, stores, or transmits PHI. For a telemedicine build that list is longer than intuition suggests: the patient and clinician apps, the signaling and media servers, the TURN relay, recording storage, transcripts, the chat history, the EHR bridge, the scheduling system, logs, crash reports, analytics, the helpdesk, email and SMS providers. The platform-anatomy article walks the full surface.
  • Draw the data-flow map and the compliance boundary. Which components sit inside the BAA-covered boundary, which sit outside, and what crosses the line — the single diagram from the compliance-architecture pattern that the rest of the checklist keeps referencing. This map is also pull-list item 14, drawn early.
  • Adopt the written policy set (§164.316): one policy per safeguard standard, versioned, dated, with an owner — not a 90-page template with another company's name still in the footer (a real artifact examiners report seeing).

Phase 2 — Assess: the risk analysis that anchors everything

  • Run the risk analysis against the Phase 1 inventory (§164.308(a)(1)(ii)(A)): for each system, what threatens confidentiality, integrity, availability; how likely; how severe; what controls exist. Two free federal tools do the heavy lifting for small teams: HHS's Security Risk Assessment (SRA) Tool — version 3.6.1 as of late 2025, with reviewer sign-off tracking built for exactly this evidence trail — and NIST SP 800-66 Rev. 2 (February 2024), the federal how-to for implementing the Security Rule.
  • Write the risk management plan from the findings (§164.308(a)(1)(ii)(B)): every identified risk gets an owner, a decision — mitigate, accept (documented), or transfer — and a date. Keep the closed-item log; OCR's posture since its Risk Analysis Initiative launched in October 2024 is that listed-but-never-remediated risks are their own finding, with settlements in the $10,000–$350,000 range so far.
  • Date and sign both documents. The signature line is the difference between "we thought about security" and "evidence."

Phase 3 — Contract: close the BAA chain

  • Build the BAA inventory from the data-flow map: every arrow that leaves your code for a vendor's system is a row — cloud provider, video layer (CPaaS or hosted SFU), TURN provider if separate, recording store, transcription and any AI vendor, EHR integration vendor, email/SMS, logging, crash reporting, analytics, helpdesk. For each: does it touch PHI, is a BAA available, is one signed, on what date, covering which services.
  • Resolve every "no" row in one of exactly two ways: sign the BAA, or re-architect so the vendor never sees PHI — the two honest options the common-mistakes article shows teams skipping. "Encrypted" does not substitute: encryption answers eavesdropping, a BAA answers authorization, and you need both.
  • Chase the chain one level down. Your business associates' subcontractors need BAAs too (§164.308(b) flows the duty downstream). Ask your video vendor who runs their storage and relays.
  • Calendar the renewals. A BAA that lapsed at contract renewal is a "no" row wearing a "yes" costume.
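The four Phase 3 bullets reduce to a row-classification rule that can be run against the vendor list every sprint rather than once before launch. The script below is an added example written for this article, not OCR tooling and not code from the BAA article; the vendor names, field names and status labels are this example's own assumptions, and the 30-day renewal warning is an arbitrary threshold.

```python
"""BAA inventory check for a telemedicine data-flow map.

Constructed example: every vendor arrow on the map is one row, and every row
resolves to exactly one action. Vendor names, field names and status labels
are this example's own assumptions, not OCR terminology.
"""
from dataclasses import dataclass
from datetime import date, timedelta


def as_date(value):
    """Accept a date or an ISO string (inventories usually live in spreadsheets)."""
    if value is None or isinstance(value, date):
        return value
    return date.fromisoformat(value)


@dataclass
class VendorRow:
    vendor: str
    service: str                        # the service you actually use
    touches_phi: bool
    baa_available: bool                 # does the vendor offer a BAA at all?
    baa_signed: object = None           # signature date; None = no executed BAA
    baa_expires: object = None          # None = evergreen, no fixed term
    services_covered: tuple = ()        # services the signed BAA actually names
    subcontractors_confirmed: bool = False  # vendor confirmed its own downstream BAAs

    def __post_init__(self):
        self.baa_signed = as_date(self.baa_signed)
        self.baa_expires = as_date(self.baa_expires)


def classify(row, today, renewal_warning_days=30):
    """Map one row to the single action it needs; the order of checks matters."""
    today = as_date(today)
    if not row.touches_phi:
        return "no-phi"                 # outside the boundary; nothing to sign
    if row.baa_signed is None:
        # The two honest options: get the agreement, or keep PHI away from the vendor.
        return "sign-baa" if row.baa_available else "re-architect"
    if row.baa_expires is not None and row.baa_expires < today:
        return "lapsed"                 # a "no" row wearing a "yes" costume
    if row.service not in row.services_covered:
        return "scope-gap"              # signed, but not for this service
    if row.baa_expires is not None and row.baa_expires - today <= timedelta(days=renewal_warning_days):
        return "renew-soon"             # calendar the renewal before it lapses
    if not row.subcontractors_confirmed:
        return "chain-unverified"       # §164.308(b) flows the duty downstream
    return "ok"


def inventory_report(rows, today):
    """{status: [vendors]} so the open rows are visible at a glance."""
    report = {}
    for row in rows:
        report.setdefault(classify(row, today), []).append(row.vendor)
    return report


ACTION_ORDER = ("re-architect", "sign-baa", "lapsed", "scope-gap", "chain-unverified", "renew-soon")


def open_actions(rows, today):
    """Rows that still need a decision, ordered by how hard they are to close."""
    report = inventory_report(rows, today)
    return [(status, vendor) for status in ACTION_ORDER for vendor in report.get(status, [])]


# Constructed inventory for a telemedicine stack; vendor names are illustrative.
SAMPLE_ROWS = [
    VendorRow("cloud-host", "compute+storage", True, True, "2025-03-01", None, ("compute+storage",), True),
    VendorRow("video-cpaas", "sfu+recording", True, True, "2025-03-01", None, ("sfu",), True),
    VendorRow("transcription-ai", "speech-to-text", True, True),
    VendorRow("product-analytics", "event tracking", True, False),
    VendorRow("sms-gateway", "appointment reminders", True, True, "2024-06-01", "2026-05-31", ("appointment reminders",), True),
    VendorRow("crash-reporter", "stack traces", True, True, "2025-01-15", "2026-06-30", ("stack traces",), True),
    VendorRow("email-marketing", "newsletter", False, False),
]

if __name__ == "__main__":
    for status, vendor in open_actions(SAMPLE_ROWS, "2026-06-11"):
        print(f"{status:16} {vendor}")
```

The check order is deliberate: a signed agreement that has expired, or that does not name the service in use, is treated as unsigned before anything else is considered, because that is how an examiner reads it. The "scope-gap" case (the video vendor's BAA covers the SFU but not the recordings) is the one teams most often miss.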

Phase 4 — Build: the safeguards an examiner can see

  • Technical safeguards (§164.312), mapped to the telemedicine stack: unique user IDs for every human and service (required — shared clinic logins fail this on sight); emergency-access procedure; automatic logoff; encryption in transit for every PHI hop — DTLS-SRTP for media, TLS 1.2+ for everything else — and at rest for recordings, transcripts, messages, and backups, per the encryption article; audit controls that record who touched which record when, designed as in the audit-logging article; integrity controls; person-and-entity authentication. Multi-factor authentication is, strictly, not yet a named requirement — the January 2025 NPRM proposes making it one — but examiners already read its absence as a risk-analysis gap, so treat it as Phase 4 work, not Phase 7.
  • Physical safeguards (§164.310), the forgotten quarter: facility access for any office holding PHI-touching equipment, workstation security rules for clinician and support machines, and device-and-media controls — including the required disposal and re-use specifications. The OIG's complaint that the 2016–17 audits skipped physical safeguards entirely is a strong hint about where expanded audits will look.
  • Wire the evidence as you build: screenshots of MFA enforcement, encryption configuration exports, a quarterly access-review calendar invite that produces minutes. A control that generates no artifact will not exist in week ten.

Phase 5 — Train: people, with receipts

  • Train every workforce member on your policies — Security Rule training under §164.308(a)(5), Privacy Rule training under §164.530(b) — at onboarding and on a recurring cycle, with role-specific content: clinicians on consent and recording rules from the consent article, engineers on the PHI-handling failure modes, support staff on the no-PHI-in-tickets rule.
  • Keep the receipts: named person, content version, completion date. In enforcement files, "we trained everyone" without records reads as "we did not train anyone."
  • Send periodic security reminders (§164.308(a)(5)(ii)(A)) and log them — a quarterly all-hands note counts if it is dated and kept.
  • Adopt and apply the sanctions policy (§164.308(a)(1)(ii)(C)): written consequences for violations, with documented application. An unused sanctions policy plus a known violation is a contradiction examiners notice.

Phase 6 — Drill: incidents, breaches, and the mock request

  • Stand up the incident response procedure (§164.308(a)(6)): how anyone reports a suspected incident, who triages, who decides breach-or-not, who talks to counsel. Keep the incident log — including incidents that turned out not to be breaches; an empty log at a company your size is implausible, and implausible is a finding.
  • Pre-build the breach risk-assessment template around the four factors of §164.402 — what data, who got it, was it actually acquired or viewed, how far was it mitigated — so the 60-day clock (§164.404) starts against a form, not a blank page. The full clock arithmetic is in the incident-response article; the short version is that 60 days from discovery is a deadline, not a target, and the notification duties stack: individuals within 60 days of discovery (§164.404); HHS at the same time as the individual notice for breaches of 500 or more people (§164.408(b)), or in the annual log within 60 days of calendar-year end for smaller ones (§164.408(c)); and prominent media outlets when more than 500 residents of one state or jurisdiction are affected (§164.406).
  • Behavioral health: pre-plan the dual filing. Since February 2026, a breach touching substance-use-disorder records files twice — once as a HIPAA breach, once as a Part 2 breach on the same OCR portal, where both lists are public.
  • Test the contingency plan (§164.308(a)(7)): backups exist and restore — a dated restore test is the artifact; a disaster-recovery plan names systems in criticality order; emergency-mode operation says how consults continue, or stop safely, during an outage.
  • Run the mock data request annually. Hand your own team Table 2 with a ten-business-day deadline and grade the result. Every tab that took longer than a day to fill is a finding you caught for free — this drill is the single highest-yield hour in this article.

Phase 7 — Maintain: the program that survives version 2.0

  • Re-evaluate on schedule and on change (§164.308(a)(8)): annually, and after anything that moves the data-flow map — a new video vendor, an AI-scribe feature, a new state, an acquisition. Each evaluation is a dated document; the trigger list belongs in the policy.
  • Keep all of it six years (§164.316(b)(2)(i)): policies, assessments, training logs, BAAs, incident records — six years from creation or from when the document was last in effect, whichever is later. Note the trap inside the rule: the six-year duty covers your compliance documentation; your operational audit-log retention is a separate decision your risk analysis must justify, as covered in the audit-logging article.
  • Watch the rule horizon, on the record. The HIPAA Security Rule NPRM of January 6, 2025 (90 FR 898, RIN 0945-AA22) — still a proposed rule as of 2026-06-11 — would convert this checklist's "should"s into "must"s: every specification required, MFA and encryption mandatory, a formal asset inventory and network map, vulnerability scanning every six months, annual penetration testing, 72-hour restore objectives, and an annual compliance audit of your own program. The 2026 Security Rule article tracks the delta; a team that built Phases 1–6 above is, not coincidentally, most of the way to the proposed rule already.
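The mock data request in Phase 6 and the six-year retention rule in Phase 7 are both checks against the dates on the binder's artifacts, and both can be scripted so they run before the letter rather than after it. The block below is an added example for this article (not the article's own tooling and not anything OCR publishes); the conversion of the refresh column into days, the rule that flags an artifact dated after the letter, and the sample tab dates are all assumptions of this example.

```python
"""Binder check over the fourteen pull-list tabs: which tabs are absent (and
need a written statement), which are stale against their refresh cadence,
which are dated after the letter arrived, and how long each must be retained.

Constructed example. The cadence-to-days mapping, the 'post-dated' rule and
the status labels are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Assumed conversions of the refresh column; event-driven cadences have no fixed clock.
CADENCE_DAYS = {"annual": 366, "quarterly": 92, "ongoing": 31,
                "on_change": None, "per_incident": None, "as_applied": None}


def as_date(value):
    if value is None or isinstance(value, date):
        return value
    return date.fromisoformat(value)


@dataclass
class Tab:
    number: int
    name: str
    cadence: str
    created: object = None          # first dated version; None = the tab is empty
    last_dated: object = None       # newest dated, signed version
    last_in_effect: object = None   # for superseded versions: when it was replaced

    def __post_init__(self):
        self.created = as_date(self.created)
        self.last_dated = as_date(self.last_dated) or self.created
        self.last_in_effect = as_date(self.last_in_effect)


def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:              # 29 Feb landing in a non-leap year
        return d.replace(year=d.year + years, day=28)


def retention_until(created, last_in_effect=None):
    """§164.316(b)(2)(i): six years from creation or from the date the document
    was last in effect, whichever is later. A still-current document has no
    last_in_effect, so the date returned is a floor that moves forward once
    the document is superseded."""
    created, last_in_effect = as_date(created), as_date(last_in_effect)
    anchor = created if last_in_effect is None else max(created, last_in_effect)
    return add_years(anchor, 6)


def tab_status(tab, today, letter_date=None):
    today, letter_date = as_date(today), as_date(letter_date)
    if tab.created is None:
        return "absent"             # the protocol requires a statement saying so
    if letter_date is not None and tab.last_dated > letter_date:
        return "post-dated"         # dated after the letter: reads as backfill
    limit = CADENCE_DAYS.get(tab.cadence)
    if limit is not None and (today - tab.last_dated).days > limit:
        return "stale"
    return "current"


def binder_report(tabs, today, letter_date=None):
    """{status: [tab numbers]}: the absent list is your statement of absence,
    the stale and post-dated lists are your to-do list."""
    report = {}
    for tab in tabs:
        report.setdefault(tab_status(tab, today, letter_date), []).append(tab.number)
    return report


# Constructed binder state for a mock request, with the letter dated 2026-06-08.
SAMPLE_TABS = [
    Tab(1, "risk analysis", "annual", "2024-09-01", "2025-05-20"),
    Tab(2, "risk management plan", "quarterly", "2024-09-01", "2026-04-30"),
    Tab(4, "BAA inventory", "on_change", "2024-08-15", "2026-02-01"),
    Tab(7, "incident log", "per_incident"),
    Tab(9, "access reviews", "quarterly", "2025-01-10", "2026-06-10"),
    Tab(14, "asset inventory and network map", "on_change"),
]

if __name__ == "__main__":
    print(binder_report(SAMPLE_TABS, "2026-06-11", "2026-06-08"))
    for tab in SAMPLE_TABS:
        if tab.created:
            print(tab.number, tab.name, "retain until", retention_until(tab.created, tab.last_in_effect))
```

Run it on the real binder with the letter date left empty for the annual drill, then again with the letter date filled in when a real request lands: the post-dated list is the set of artifacts you must explain rather than simply hand over.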

Figure 3 (illustration: seven readiness phases in sequence with their rule citations, from governance to maintenance). The seven phases in their dependency order: each produces the evidence the next consumes, and Phase 7 loops back into Phase 2 on every significant change.

The audit drill: surviving the ten-day window

Now assume the letter arrives — selection into the audit pool, or an investigation notice. The response process is where prepared teams convert their binder into a quiet outcome and unprepared teams convert a document request into a multi-year corrective-action plan. The drill below follows the audit program's published mechanics; investigation letters vary in deadline but not in substance.

Day 0 — receive and verify. Audit and investigation contacts arrive by email, and OCR's own guidance says to check spam folders — non-response does not stop the process; it just removes your voice from it. Verify the sender, log the date, and calendar the deadline in business days, not calendar days.

Day 0–1 — convene the response team. The security official owns the response. Counsel reviews everything before submission; this is the moment your engagement letter with a healthcare attorney earns its fee. One engineer is assigned to pull artifacts and one writer assembles. Decide a file-naming convention in the first hour (item-04_baa-inventory_2026-06.pdf beats final_v2_REAL.pdf in front of an auditor).

Day 1–5 — pull, against the binder. If Phase 6's mock drill happened, this is retrieval, not creation. Answer exactly what is asked: complete, responsive, and not one speculative document more — volunteered material expands scope, and counsel will say so in stronger words.

Day 5–8 — review for the three classic self-inflicted wounds: screenshots with PHI visible in a corner (redact — you are demonstrating privacy practices, not breaching them in the submission); documents whose dates contradict the narrative (explain proactively, never adjust — adjusting dates converts a compliance gap into a federal-honesty problem); and the missing-item statement, written plainly per the protocol's instruction, ideally with the remediation already scheduled and dated.

Day 8–10 — submit through the portal, in accepted formats, and archive an exact copy of the submission set. The matter may continue for months; you must know precisely what they have.

After — track the comment window. In the audit program you will see draft findings and have ten business days to respond in writing; your comments attach to the final report. Use them for factual corrections and completed remediations — not argument. If findings escalate toward a resolution agreement, that is a negotiation, and it is counsel's stage, not engineering's.

Figure 4 (illustration: audit-response timeline from selection email through portal submission to final report, with the parallel breach clock). The response clocks, end to end: ten business days to submit, ten to comment on draft findings, thirty for the final report — against the separate, unforgiving 60-calendar-day breach-notification clock.
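The clocks in the drill, together with the breach clock from Phase 6, are date arithmetic that is easy to get wrong under pressure, mainly because one set runs in business days and the other in calendar days. The block below is an added example, not OCR's calculator and not code from the incident-response article; it assumes that "N business days" means N weekdays after the day of receipt (day 0) and takes the holiday set as a parameter, since this page does not say which holidays OCR excludes.

```python
"""Response and notification clocks: audit program deadlines in business days,
Breach Notification Rule deadlines in calendar days.

Added example. Assumptions: a deadline of N business days means N weekdays
after the day of receipt; the holiday set is caller-supplied.
"""
from datetime import date, timedelta


def as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_business_days(start, n, holidays=()):
    """Date n business days after start; weekends and listed holidays do not count."""
    d = as_date(start)
    skip = {as_date(h) for h in holidays}
    remaining = n
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in skip:
            remaining -= 1
    return d


def audit_clocks(letter_received, draft_findings=None, holidays=()):
    """The audit program's three clocks: 10 business days to submit, 10 to
    comment on draft findings, then 30 more for the final report."""
    clocks = {"submit_by": add_business_days(letter_received, 10, holidays)}
    if draft_findings is not None:
        comment_by = add_business_days(draft_findings, 10, holidays)
        clocks["comment_by"] = comment_by
        clocks["final_report_by"] = add_business_days(comment_by, 30, holidays)
    return clocks


def breach_clocks(discovered, individuals_affected):
    """Calendar-day clocks: individual notice within 60 days of discovery
    (§164.404); HHS notice with it for 500 or more (§164.408(b)), otherwise in
    the annual log within 60 days of calendar-year end (§164.408(c)). Media
    notice (§164.406) needs per-state resident counts, which this does not model."""
    discovered = as_date(discovered)
    clocks = {"individual_notice_by": discovered + timedelta(days=60)}
    if individuals_affected >= 500:
        clocks["hhs_notice_by"] = clocks["individual_notice_by"]
    else:
        clocks["hhs_annual_log_by"] = date(discovered.year, 12, 31) + timedelta(days=60)
    return clocks


if __name__ == "__main__":
    # Constructed dates: letter received Monday 2026-06-15; 2026-06-19 supplied as an assumed holiday.
    print(audit_clocks("2026-06-15", holidays=["2026-06-19"]))
    print(breach_clocks("2026-06-15", 1200))
    print(breach_clocks("2026-06-15", 12))
```

One holiday inside the window moves the submission deadline by a full day, which is exactly why the drill says to calendar it in business days and to confirm the counting convention with the letter's own wording rather than assume it.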

Common mistakes — the audit-prep edition

The gap analysis masquerading as a risk analysis. A checklist of controls ("MFA: yes; encryption: yes") is a gap analysis. The rule requires a risk analysis: threats and vulnerabilities to specific systems, with likelihood, impact, and resulting decisions. OCR rejects the substitution often enough that its risk-analysis guidance addresses it by name — and it is the most common substantive finding in the Risk Analysis Initiative's settlements.

Template policies, unedited. Bought policy packs with another organization's name in clause 7, referencing job titles you do not have and systems you do not run. An examiner who spots one stops believing the rest of the binder.

The empty incident log. "We have never had a security incident" at production scale means "we have never noticed one." Log the phishing attempt, the lost phone with MDM wipe, the misdirected email and its §164.402 assessment concluding low probability of compromise — that trail is what credibility looks like.

Training that happened but left no trace — and its twin, the BAA that everyone remembers signing but no one can produce. If it has no artifact, it did not happen.

Logs nobody reviews. §164.308(a)(1)(ii)(D) requires regular review of system activity, and §164.312(b) requires the mechanism; collecting logs while never reading them satisfies the second and fails the first — the exact pattern behind a $5.5 million settlement when twelve months of unauthorized access went unread.

Treating "audit" as a hospital problem. Half the 2016–17 audit pool's business-associate segment failed risk analysis; the 2024–25 round explicitly includes business associates. A telemedicine platform is in the pool.

Where Fora Soft fits in

Fora Soft has built video software since 2005 — telemedicine platforms among 239+ shipped projects across conferencing, streaming, surveillance, e-learning, and OTT — and audit-readiness is a design input in our healthcare builds, not a post-launch scramble. The Phase 1 data-flow map and Phase 3 BAA inventory come out of our architecture stage by default, because we draw the compliance boundary before we draw the first sprint board; encryption, unique-identity, and audit-logging controls ship with their evidence artifacts attached. When a team arrives with an existing product, the readiness checklist above is how we audit it: fourteen binder tabs, checked against the codebase and the contracts, returned as a remediation plan with owners and dates. The result our clients care about is simple — when the letter arrives, the answer is retrieval, not archaeology.

What to read next

If you want the basics-level view of healthcare app compliance before this deep dive, start with our compliance guide for healthcare apps.

References

  1. 45 CFR §164.308 — Administrative safeguards: risk analysis (a)(1)(ii)(A), risk management (a)(1)(ii)(B), sanctions (a)(1)(ii)(C), activity review (a)(1)(ii)(D), security official (a)(2), workforce security (a)(3), access management (a)(4), training (a)(5), incident procedures (a)(6), contingency plan (a)(7), evaluation (a)(8), BAAs (b). eCFR, read 2026-06-11. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308 Tier 1.
  2. 45 CFR §164.316 — Policies and procedures and documentation requirements; six-year retention (b)(2)(i); periodic review (b)(2)(iii). eCFR, read 2026-06-11. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316 Tier 1.
  3. 45 CFR §164.312 — Technical safeguards: access control incl. unique user identification (a)(2)(i); audit controls (b); integrity (c); authentication (d); transmission security (e). eCFR, read 2026-06-11. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312 Tier 1.
  4. 45 CFR §164.310 — Physical safeguards: facility access (a); workstation use and security (b), (c); device and media controls incl. required disposal and media re-use (d). eCFR, read 2026-06-11. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.310 Tier 1.
  5. 45 CFR §§164.400–414 — Breach Notification Rule: breach definition and four-factor assessment (§164.402); 60-day individual notice (§164.404); media notice (§164.406); HHS notice incl. annual sub-500 log (§164.408). eCFR, read 2026-06-11. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D Tier 1.
  6. 45 CFR §164.530 — Privacy Rule administrative requirements: privacy official (a); training (b); sanctions (e); documentation (j). §164.520 — Notice of Privacy Practices. eCFR, read 2026-06-11. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530 Tier 1.
  7. HHS OCR — OCR's HIPAA Audit Program: HITECH mandate; 2024–2025 audits of 50 CEs/BAs on Security Rule provisions relevant to hacking/ransomware; 2016–2017 round of 166 CEs + 41 BAs; industry report forthcoming. Page reviewed December 31, 2024; read 2026-06-11. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html Tier 1.
  8. HHS OCR — HIPAA Audit Program Protocol (updated July 2018): provision-by-provision audit inquiries; 10-business-day portal submission; PDF/Word/Excel formats; statement required where documentation is absent; 10-business-day draft-findings comment window; final report 30 business days after. Read 2026-06-11. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html Tier 1.
  9. HHS OIG — "The Office for Civil Rights Should Enhance Its HIPAA Audit Program…" (OEI-09-21-00250, November 2024): 2016–17 audits assessed 8 of 180 requirements, no physical/technical safeguards; recommendations to broaden scope and verify remediation; OCR concurred in part. https://oig.hhs.gov/reports/all/2024/the-office-for-civil-rights-should-enhance-its-hipaa-audit-program-to-enforce-hipaa-requirements-and-improve-the-protection-of-electronic-protected-health-information/ Tier 1 (oversight report).
  10. HHS — HIPAA Security Rule NPRM, 90 FR 898 (January 6, 2025), RIN 0945-AA22 — proposed: all specifications required, mandatory MFA and encryption, asset inventory and network map, six-month vulnerability scans, annual penetration test, 72-hour restoration, annual compliance audit. Status: proposed as of 2026-06-11. https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information Tier 1.
  11. HHS — Annual Civil Monetary Penalties Inflation Adjustment (effective January 28, 2026): $145–$73,011 per violation; $2,190,294 per-provision annual cap. https://www.federalregister.gov/documents/2026/01/28/2026-01688/annual-civil-monetary-penalties-inflation-adjustment Tier 1.
  12. ASTP/ONC & HHS OCR — Security Risk Assessment (SRA) Tool, v3.6 (September 2025; v3.6.1 certificate refresh): reviewer sign-off tracking, NIST-aligned risk scale, Excel workbook edition. https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool Tier 1.
  13. NIST SP 800-66 Rev. 2 — Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide (February 2024). https://csrc.nist.gov/pubs/sp/800/66/r2/final Tier 1.
  14. HHS OCR — Annual Report to Congress on HIPAA Compliance (2023 reporting year): 732 compliance reviews opened for 500+ breaches; risk analysis the most frequent finding in settled cases. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/reports-congress/index.html Tier 1.
  15. HHS OCR — breach portal update accepting separate 42 CFR Part 2 breach reports, with public listing; individual Part 2 complaints from February 16, 2026; summarized in Alston & Bird Health Care Advisory, February 19, 2026. https://ocrportal.hhs.gov/ocr/breach/breach_frontpage.jsf · https://www.alston.com/en/insights/publications/2026/02/ocr-data-breach-reporting-portal Tier 1 (portal) / Tier 5 (advisory).
  16. HHS OCR — Risk Analysis Initiative (launched October 2024); enforcement actions citing §164.308(a)(1)(ii)(A), settlements $10,000–$350,000 as of mid-2026; Memorial Healthcare System, $5.5M (February 2017), for unreviewed system activity. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html Tier 2 — re-verify counts at publication.
  17. HIPAA Journal / Secureframe / Medcurity — "HIPAA audit checklist" competitor guides (reference only): generic healthcare scope, no telemedicine vendor chain, no pull-list-to-binder mapping, sparse primary citations — superseded by rule text and the audit protocol throughout. https://www.hipaajournal.com/hipaa-audit-checklist/ Tier 7.

Where lower-tier sources disagreed with rule text, the rule won. Two notable overrides: vendor checklists describing log retention as "HIPAA requires six years of logs" conflate §164.316's documentation-retention duty with operational log retention (the latter is a risk-analysis decision); and "HIPAA-certified" product claims are described here as marketing, since no federal certification exists — both per the primary sources above.