OCR Audit Prep Services

The Office for Civil Rights (OCR) investigates health care organizations when a case is triggered by a security incident or breach, a patient or resident complaint, or a whistleblower report. To enforce full compliance with the implementation specifications and requirements of the HIPAA Privacy, Security and Breach Notification Rules, OCR has investigated over 26,000 cases, and in the cases where it imposed penalties, those penalties averaged more than $1.57 million.

Every covered entity and business associate is eligible for investigation. The primary objective is to assess the HIPAA-regulated industry’s compliance while focusing on selected specifications of the HIPAA Privacy, Security and Breach Notification Rules.

OCR published an audit protocol that encompasses requirements and implementation specifications from HIPAA Privacy, Security and Breach Notification Rules. The protocol includes the following:

  • 89 Privacy requirements
  • 72 Security requirements
  • 19 OCR Breach Reporting requirements

Based on the type of business associate or covered entity selected for investigation, OCR starts by requesting a copy of your policies and procedures under scrutiny.

Implement the proper protocols to ensure OCR compliance and expertly handle OCR investigations. If you don’t think OCR will investigate, ask other organizations about when they were under investigation.

Avoid Costly Fees

If your organization commits a HIPAA violation or breach, you may be subject to hefty fines and settlements. OCR has imposed or settled a penalty in 55 cases, which have resulted in a total amount of more than $78 million. OCR has received more than 184,000 HIPAA complaints and initiated more than 900 compliance reviews.

Typically, the following types of organizations are the most frequent sources of compliance issues:

  • Health plans
  • Pharmacies
  • General hospitals
  • Outpatient facilities
  • Private physicians and practices

Penalties for civil HIPAA violations can range up to $50,000, though the annual maximum for repeat violations can be much higher.

Our Audit Process

At BlueOrange Compliance, we offer HIPAA compliance audit and security services. A compliance audit will identify the issues you should address, and we then work with you over the long term to ensure HIPAA compliance for health care providers. We can help your organization prepare for OCR audits, avoid costly fees and save on cybersecurity costs.

We Are Practical, Easy To Understand, And Comprehensive

Every control receives a risk rating from low to very high. We also outline which NIST standard each control fails to comply with, and we tailor a mitigation plan for each point of concern.

We conduct a large volume of automated and manual tests to expose potential risks and vulnerabilities. Our penetration testers and information security analysts are some of the most skilled in the industry, so you can rest assured in the level of protection BlueOrange provides.

Once we’ve identified gaps in compliance, we create a plan with actionable recommendations. Choose from an annual plan, a two-year HIPAA security maintenance plan or our three-year CSF Sustain and Adapt plan.

Ongoing guidance helps your organization make constant progress toward better HIPAA compliance and data security. We have several options to choose from to tailor the level of guidance and ongoing support to your organization’s needs.


Our Impact In Numbers

Simplify Network Security For Clients Worldwide

  • Client Retention Rate
  • Clients in 47 States
  • OCR Audit Pass Rate
  • HIPAA SRAs Performed

What Customers Have to Say


“My biggest day-to-day challenge is safeguarding data security, and BlueOrange’s ongoing project lead and insight has helped ensure our success.”


“BlueOrange consultants apply in-depth expertise to their client’s specific situation, becoming an integral part of your HIPAA privacy breach and security team.”


“The BlueOrange Compliance report card tells me where to focus my time; there’s so much out there, I use the report to figure out where to put my energies.”

  • Bernardo Larralde, Director of Information Technology
  • Andrew H. Joseph, Compliance and Privacy Officer
  • Joel Benware, Vice President of Information Systems and Compliance

Why Choose Us?

At BlueOrange Compliance, we have never failed an OCR audit. We have a 100% OCR audit pass rate, a 98% client retention rate and a nationwide reach. We are certified assessors, which means you can rest assured that we are among the nation’s best at what we do. We can provide the HIPAA privacy, breach and security solutions your organization needs to avoid costly fees in the event of an audit.

Request a Consultation for OCR Audit Prep

With a reliable partner at your side, you will have the peace of mind you need. Our team at BlueOrange Compliance will take the mystery out of HIPAA and HITRUST compliance and cybersecurity, and provide support and audit preparedness. We can simplify HIPAA compliance for your organization via a HIPAA risk assessment and review, then provide you with practical, scalable solutions.

Our cost-effective approach allows us to continually provide maximum guidance and information while requiring minimal staff time and engagement. We’ll customize our materials to your organization, and our program will help you develop the implementation and training programs needed to address your everyday privacy considerations. Schedule a consultation with BlueOrange Compliance today to experience our practical, comprehensive and affordable privacy and security solutions, or learn more about OCR reporting requirements.


Helpful Resources

OCR Audit Prep Checklist

If your organization is under an audit, you should develop a prep checklist to ensure you cover all your bases. Your list should include the following tasks.

  • Perform risk analysis.
  • Account for ePHI storage location.
  • List the evidence of encryption capabilities.
  • Document the security training that has occurred.
  • Make an inventory of relevant contracts and business associates.
  • List known risks and how your organization is dealing with them.
  • Describe how you monitor mobile media and devices, such as thumb drives or CDs.
  • List policies and procedures, along with descriptions about how you implemented these.
  • Document breach reporting policies, along with how your organization has responded to breaches.

You will need to respond fully and promptly to the OCR request. When you receive notification that your organization has been selected for an audit, it will include instructions on when and how you should reply. Unresponsiveness can make things worse for your organization if OCR does uncover findings of non-compliance, and OCR will assess only the data you submit on time.

During the audit process, ensure you record all transactions. You may want to appoint someone to be in charge of all correspondence related to the audit.

Common HIPAA Violations

A HIPAA breach involves the application, use, disclosure or access of unsecured PHI in a way HIPAA does not permit. In a HIPAA breach, the activity poses a considerable risk of harm to the impacted person in reputational or financial damages or another form of loss.

The HIPAA Breach Notification Rule states that if a breach of unsecured PHI occurs, covered entities and business associates must notify the impacted individuals. The following are some of the common HIPAA violations:

  • Fraud
  • Identity theft
  • Insider threats
  • Drug diversion
  • Lack of training
  • Cybersecurity attacks
  • Theft or loss of devices
  • Breaches in the database
  • Third-party disclosing PHI
  • Lack of safeguards for PHI
  • Improperly disposing of PHI
  • Lack of patient access to PHI
  • Incorrectly handling medical records
  • Lack of ePHI administrative safeguards
  • Disclosure of information by employees
  • Failing to encrypt PHI on mobile devices
  • Employees gaining illegal access to patient files
  • Failing to perform a risk analysis across the organization

Related Products

HIPAA Security Risk Analysis (SRA)

Perform the required HIPAA Security Risk Analysis

Penetration Testing

Perform the required annual penetration test