OCR audits are not always announced far in advance. Some practices receive a notice with as little as ten days to respond. That is not enough time to build a compliance program from scratch.
The practices that pass audits without major findings built their documentation before the call came. Here is how to do the same.
OCR conducted over 30,000 HIPAA investigations in 2023 alone, with dental practices among the most frequently cited healthcare providers.
Most findings were not the result of a breach. They were the result of missing documentation that practices could not produce on short notice.
What OCR Looks for in a HIPAA Audit
OCR auditors follow a structured protocol and request specific documents. Check off each one your practice could produce right now, within ten days of a request.
Depending on how many of the five documents you can produce today:

If all five audit documents are available, your practice can respond to an OCR document request within ten days. Confirm that each document is current: the Security Risk Assessment should be dated within the last 12 months, BAAs should cover all current vendors, and training records should include every current staff member.

If some documents are missing, your practice cannot fully respond to an audit notice today. Each unchecked item is something OCR will request. A practice that cannot produce a requested document within the audit timeframe receives an unfavorable finding regardless of its actual security posture. The Six Steps to Audit Readiness below address how to close these gaps before a notice arrives.

If most documents are missing, your practice cannot respond to an audit notice today. If a notice arrived tomorrow, your practice would have ten days to produce documentation that does not exist. OCR treats inability to produce documentation as evidence of non-compliance regardless of actual security posture. Building this documentation now closes the gap before an audit triggers it.
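The three currency checks named above (Security Risk Assessment no older than 12 months, a signed BAA for every current vendor, a training record for every current staff member) are easy to run as a repeatable pre-audit test once the practice keeps a simple register of those facts. The following is an added example and is not code from this page or from Ekim IT Solutions. It assumes a register with the field names shown (the `Inventory` class and its fields are this example's own, not an OCR or vendor format), and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

# Constructed "today" so the example is reproducible offline.
TODAY = date(2024, 6, 1)

# How old the Security Risk Assessment may be, per the page: within the last 12 months.
MAX_SRA_AGE_DAYS = 365

# Response window the page describes: ten days from the notice.
RESPONSE_WINDOW_DAYS = 10


@dataclass
class Inventory:
    """Hypothetical compliance register (this example's own structure, an assumption)."""
    sra_date: Optional[date]       # date the most recent Security Risk Assessment was completed
    current_vendors: Set[str]      # vendors that currently handle PHI for the practice
    baa_vendors: Set[str]          # vendors with a signed Business Associate Agreement on file
    current_staff: Set[str]        # every current staff member
    trained_staff: Set[str]        # staff members with a HIPAA training record on file


def check_readiness(inv: Inventory, today: date = TODAY) -> List[str]:
    """Return a list of findings; an empty list means all three currency checks pass."""
    findings: List[str] = []

    # Check 1: the Security Risk Assessment exists and is dated within the last 12 months.
    if inv.sra_date is None:
        findings.append("No Security Risk Assessment on file")
    else:
        age_days = (today - inv.sra_date).days
        if age_days < 0:
            findings.append("Security Risk Assessment is dated in the future; verify the record")
        elif age_days > MAX_SRA_AGE_DAYS:
            findings.append(
                f"Security Risk Assessment is {age_days} days old (limit {MAX_SRA_AGE_DAYS})"
            )

    # Check 2: every current vendor is covered by a signed BAA (set difference, sorted for stable output).
    for vendor in sorted(inv.current_vendors - inv.baa_vendors):
        findings.append(f"No signed BAA on file for vendor: {vendor}")

    # Check 3: every current staff member has a training record.
    for person in sorted(inv.current_staff - inv.trained_staff):
        findings.append(f"No training record for staff member: {person}")

    return findings


def response_deadline(notice_date: date, window_days: int = RESPONSE_WINDOW_DAYS) -> date:
    """Date by which documentation must be submitted if a notice arrives on notice_date."""
    return notice_date + timedelta(days=window_days)


# Constructed sample register with deliberate gaps: a stale SRA, one vendor without a BAA,
# and one staff member without a training record.
SAMPLE_INVENTORY = Inventory(
    sra_date=date(2023, 3, 15),
    current_vendors={"CloudBackupCo", "ImagingSoft", "PayrollPartner"},
    baa_vendors={"CloudBackupCo", "ImagingSoft"},
    current_staff={"Dr. Lee", "Ana", "Marcus"},
    trained_staff={"Dr. Lee", "Ana"},
)

# Constructed register with no gaps, for comparison.
READY_INVENTORY = Inventory(
    sra_date=date(2024, 1, 10),
    current_vendors={"CloudBackupCo"},
    baa_vendors={"CloudBackupCo"},
    current_staff={"Dr. Lee"},
    trained_staff={"Dr. Lee"},
)

if __name__ == "__main__":
    for name, inv in (("sample", SAMPLE_INVENTORY), ("ready", READY_INVENTORY)):
        findings = check_readiness(inv)
        print(f"{name}: {'READY' if not findings else 'GAPS FOUND'}")
        for f in findings:
            print("  -", f)
    print("Deadline if a notice arrived today:", response_deadline(TODAY))
```

Run the script on a real register by replacing the constructed inventories; each finding maps to one item an auditor would request, so the output doubles as the to-do list for closing gaps before a notice arrives.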
The Six Steps to Audit Readiness
Work through these before an audit notice arrives. Check off each step your practice has completed. Depending on how many of the six steps are done:

If all six steps are completed, your practice is audit-ready. Your compliance documentation is in place. Schedule an annual review date to repeat these steps and keep everything current before the next potential audit cycle. The practices that consistently pass OCR audits treat this as a recurring calendar item, not a one-time project.

If steps remain, each unchecked step represents a gap an OCR auditor will find. The steps that involve your IT provider (Steps 4 and 6) depend on your IT provider's ability to confirm and document technical safeguards. Contact your IT provider to confirm those items before completing this checklist.

If most of the six steps are incomplete, your practice is not prepared for a HIPAA audit notice. An OCR document request arriving today would result in non-compliance findings on multiple items. Working through these steps now, before a notice arrives, is the only way to build a defense that works when OCR asks for documentation.
Read the notice carefully and note the exact deadline
OCR will specify exactly what documents they are requesting and the deadline for submission. Do not ignore the notice or request an extension without good reason. Extensions are not guaranteed and a missed deadline worsens your position.
Contact your IT provider immediately
Many of the documents OCR requests are generated by your IT environment, including access logs, encryption records, and backup verification. Your provider needs to know the audit is happening so they can gather and format the technical documentation OCR expects.
Submit only documentation that genuinely predates the audit notice
Do not create documentation after the fact and present it as current. OCR auditors are experienced and documentation inconsistencies are a serious red flag that can escalate the investigation from a routine review to a full compliance audit.
The window is short
A practice with organized documentation can respond completely within ten days. A practice that has to locate, reconstruct, or create documentation under that pressure cannot. The preparation happens before the notice, not after it.
How Your IT Provider Should Be Helping
A dental-specific IT provider should be your first call when an audit notice arrives. They should be able to produce encryption documentation, access control logs, MFA records, and backup verification on short notice because they maintain that documentation as part of their regular service.
What a dental IT provider should produce on request
Encryption configuration records for all servers, workstations, and backup drives
MFA enforcement documentation for all accounts with PHI access
Access control logs showing who accessed patient data and when
Backup verification records confirming data is recoverable with test results
Patch management logs showing systems are maintained and current
Signed Business Associate Agreement for all services provided
If your IT provider cannot produce those records quickly, that is itself a compliance gap. The inability to document technical safeguards is as significant as not having them.
Frequently Asked Questions
OCR selects practices based on reported breaches, patient complaints, and random selection as part of their audit program. Practices that have experienced a breach or received a patient complaint are at higher risk of a formal audit.
An audit is a routine compliance review. An investigation is triggered by a specific complaint or breach report and carries greater enforcement risk. Both require the same documentation. Audit-ready practices handle investigations more easily.
Yes. Practices that cooperate fully, have some documentation in place, and can demonstrate a good-faith effort to comply are often issued a corrective action plan rather than immediate fines. Practices with no documentation at all face the highest financial penalties.
At minimum, annually. Your Security Risk Assessment should be completed once per year and updated whenever significant system changes occur. Treating HIPAA compliance as a once-a-year exercise rather than an ongoing program is one of the most common mistakes dental practices make.
If OCR called your practice today, would you be ready to respond in ten days?
Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We build the technical safeguards and compliance documentation your practice needs before an audit notice ever arrives.
Ten days is not enough time to build a compliance program. The time to prepare is right now.