How to Pass a HIPAA Security Audit: A Home Health Agency Preparation Guide
Obi Ibeto

HIPAA Security Rule audits are increasing in 2026. Here's exactly how home health agencies should prepare — with the documents, controls, and evidence OCR investigators look for first.

The Office for Civil Rights expanded its HIPAA audit program in 2025, moving from reactive enforcement (investigating after a complaint or breach) to proactive desk audits of organizations that have not previously been audited. Home health agencies — as covered entities transmitting ePHI in standard electronic transactions — are in scope for both types of review.

The distinction between a successful audit outcome and a damaging one is rarely about the sophistication of your security technology. It is almost always about documentation. OCR investigators cannot see your firewall configuration or verify that your EDR is running. They can read your risk analysis, review your training records, and confirm whether your incident response plan exists and is current.

This guide walks through exactly how to prepare — not for the ideal of perfect security, but for the reality of what OCR investigators actually assess.

Understanding the Two Types of OCR Review

Desk audit: A remote review in which OCR requests specific documentation by a defined deadline. You have 10 days to respond with the requested materials. The audit focuses on whether you have the foundational compliance documentation HIPAA requires.

Investigation: Triggered by a complaint from a patient or former employee, or by a breach notification you filed. More extensive than a desk audit. Investigators may request interviews with staff and access to system logs, not just documentation.

In both cases, the documents OCR requests first are the same. Having them ready, current, and accurate is the preparation that matters.

Phase 1: The Documentation Audit (Do This Now)

Before any contact from OCR, conduct your own internal documentation audit. Locate, review, and update each of the following:

HIPAA Risk Analysis

The single most important document. OCR requests this first in every audit type. A compliant risk analysis:

  • Identifies all systems, devices, and processes that store, process, or transmit ePHI
  • Identifies threats and vulnerabilities to each
  • Assesses the likelihood and potential impact of each risk
  • Describes existing controls and residual risk levels
  • Is dated within the past 12 months (or since a significant change to your environment)

Common failure: Agencies have a risk analysis from 2021 that hasn't been updated. If your environment has changed — new EHR, new devices, new staff, new locations — the risk analysis is stale. OCR considers a stale risk analysis as evidence of inadequate risk management.

Written Information Security Program (WISP) or Security Policies

Your documented security policies covering: access control, workforce training, incident response, device management, email use, backup and recovery, and sanctions for violations. These policies must reflect your actual practices — not aspirational standards you haven't implemented.

Common failure: Policies downloaded from the internet and never customized to the agency's actual environment. OCR investigators ask whether staff know the policies exist and follow them.

Business Associate Agreements

A complete list of every vendor, contractor, or business associate with access to ePHI — and confirmation that a current, signed BAA is on file for each. This includes your EHR vendor, billing company, cloud backup provider, IT support vendor, and cybersecurity provider.

Common failure: BAAs signed years ago with vendors who have significantly changed their service terms, or missing BAAs with newer vendors added since the original compliance review.

Workforce Training Records

Documentation that every workforce member with access to ePHI has completed HIPAA security awareness training within the past 12 months. Records must include: individual names, training date, training content, and completion confirmation.

Common failure: Training records showing completion rates below 100% — or records that exist for some staff but not for field nurses and aides who rarely come to the office.

Incident Response Plan

A written plan that specifies who to contact, what to do, and what to document when a security incident occurs. Must include the HIPAA 72-hour workforce incident notification procedure introduced in the 2026 update.

Common failure: No written plan exists, or the plan has not been reviewed since a major staff change and lists former employees as the incident response contacts.

Phase 2: Evidence of Technical Controls

After reviewing documentation, OCR investigators increasingly request evidence that technical controls are actually implemented — not just described in policies.

MFA Implementation Evidence

Screenshots or system configuration exports from your identity platform confirming that MFA is enforced for all accounts with ePHI access. For Microsoft 365, this is a Conditional Access policy configuration report. For Google Workspace, this is the 2-step verification enforcement setting.

Encryption Verification

Documentation confirming encryption is enabled on all endpoints. For Windows devices, this is a BitLocker status report; for Macs, a FileVault configuration confirmation; for mobile devices, MDM compliance reports showing encryption status.
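One way to produce the Windows BitLocker status report named above, as an added example that is not from the original post or from ShieldForce. It assumes the built-in BitLocker PowerShell module (Get-BitLockerVolume) in an elevated session; the evidence folder path is a placeholder to adjust per agency.

```powershell
# Added example (not from the original post): write a dated BitLocker status
# report for this endpoint as audit evidence. Assumes the built-in BitLocker
# module and an elevated session; $ReportDir is a placeholder path.
$ReportDir = 'C:\HIPAA-Evidence'
$Stamp     = Get-Date -Format 'yyyy-MM-dd'
$Computer  = $env:COMPUTERNAME
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Only fixed drives count for endpoint encryption evidence; filtering with
# Get-Volume keeps removable media from skewing the result.
$Fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }

$Rows = foreach ($vol in $Fixed) {
    $bl = Get-BitLockerVolume -MountPoint "$($vol.DriveLetter):"
    [pscustomobject]@{
        Computer             = $Computer
        Collected            = (Get-Date).ToString('s')
        MountPoint           = $bl.MountPoint
        VolumeType           = $bl.VolumeType
        ProtectionStatus     = $bl.ProtectionStatus      # On = protectors active
        EncryptionPercentage = $bl.EncryptionPercentage
        EncryptionMethod     = $bl.EncryptionMethod
        KeyProtectors        = ($bl.KeyProtector.KeyProtectorType -join ';')
        # Compliant only when fully encrypted AND protection is on: a suspended
        # volume reports ProtectionStatus Off even though its data is encrypted.
        Compliant            = ($bl.ProtectionStatus -eq 'On' -and
                                $bl.EncryptionPercentage -eq 100)
    }
}

$ReportPath = Join-Path $ReportDir "bitlocker-status-$Computer-$Stamp.csv"
$Rows | Export-Csv -Path $ReportPath -NoTypeInformation
$Rows | Format-Table MountPoint, ProtectionStatus, EncryptionPercentage, Compliant -AutoSize

# A non-zero exit lets a scheduled task or RMM flag the endpoint for
# remediation instead of silently filing a non-compliant report.
if ($Rows | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it on a schedule and keep the dated CSVs together; a series of reports shows the control is maintained over time, which is the same "ongoing program" point the guide makes for vulnerability scans.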

Vulnerability Scan Results

Automated vulnerability scan results from within the past six months, required by the 2026 HIPAA update, together with a remediation plan for any identified findings and prior scan results for comparison (demonstrating an ongoing program, not one-time scanning).

Penetration Test Report

Annual penetration test results from a qualified party, required by the 2026 HIPAA update, with a findings summary and the remediation actions taken.

Audit Log Configuration

Confirmation that audit logging is enabled on your EHR and email platforms, with retention configured for at least six years.

Phase 3: Staff Preparation

OCR desk audits are document-driven. Investigations may include staff interviews. Prepare the following:

Who is the HIPAA Security Officer? This person should be able to describe the security program, explain the risk analysis process, and locate any requested document within minutes. If the answer to "who is your HIPAA Security Officer" is a pause followed by "I think it might be our IT person?" — that is a problem.

Can staff describe the incident reporting process? OCR investigators sometimes ask clinical or administrative staff: "What would you do if you received a suspicious email?" The answer should be: "Report it to [specific person] using [specific method]." Not: "I don't know."

Are your training records complete and accessible? The HIPAA Security Officer should be able to produce a training completion report for the past 12 months within five minutes of being asked.

The 90-Day Audit Preparation Timeline

Days 1–30: Document audit and gap identification. Locate every required document. Identify what is missing, outdated, or inaccurate. Prioritize the risk analysis — if it is more than 12 months old or doesn't reflect current systems, update it immediately.

Days 31–60: Documentation completion. Complete or update all missing documents. Confirm BAAs are in place for all vendors. Run and document a vulnerability scan. Update training records for any staff who have not completed annual training.

Days 61–90: Control verification and staff readiness. Confirm technical controls are implemented as described in your policies. Brief the HIPAA Security Officer on how to respond to an OCR request. Conduct a tabletop exercise of the incident response plan.


ShieldForce keeps your home health agency audit-ready year-round.

Our managed service includes all HIPAA documentation — risk analysis, security policies, training records, vulnerability scan results — maintained and ready for OCR review.
