HIPAA Gap Assessment: What Auditors Find and How to Fix It
Common HIPAA audit gaps including risk analysis, access controls, encryption, and BAAs. Fix them before auditors find them.

HIPAA audits don’t fail on exotic vulnerabilities. They fail on the same gaps that show up in practice after practice: missing documentation, weak access controls, and encryption that was never fully implemented. If you run a healthcare organization in Texas, the question isn’t whether these gaps exist in your environment. It’s whether you find them before an auditor or a breach does.
The 2026 HIPAA Security Rule overhaul is eliminating the “addressable” designation that let small practices defer security controls. What was optional becomes mandatory, and the compliance window is tight. This post walks through the eight most common findings from HIPAA gap assessments, explains what auditors expect to see, and covers how a managed IT provider handles each one.
Risk Analysis Documentation
This is the single most common HIPAA audit failure. HHS enforcement data shows that missing or incomplete risk analysis is cited in the majority of HIPAA settlements, including several that resulted in seven-figure penalties against small covered entities.
The problem is rarely that a practice has done zero security work. The problem is that the work isn’t documented. You may have configured firewalls, deployed antivirus, and trained your staff, but if there’s no written risk analysis that identifies threats, assesses likelihood and impact, and documents the controls you chose, auditors treat it as if you did nothing.
What auditors expect: A formal, written risk analysis that covers all electronic protected health information (ePHI), identifies threats and vulnerabilities, assesses the likelihood and potential impact of each, and documents the security measures in place. This analysis must be updated whenever your environment changes significantly, and reviewed at least annually.
How to fix it: Start by inventorying every system that stores, processes, or transmits ePHI. That includes your EHR, email, cloud storage, imaging systems, and any devices that access patient records. For each system, identify the threats (ransomware, unauthorized access, theft, accidental disclosure), assess your current controls, and document the residual risk. A managed IT provider maintains this documentation as part of ongoing compliance management, updating it as systems change rather than scrambling to reconstruct it before an audit.
Access Controls
Auditors consistently find practices where every employee has the same level of access to patient records, where shared logins are used across front desk workstations, or where former employees still have active accounts weeks after leaving.
HIPAA’s minimum necessary standard requires that workforce members can only access the ePHI they need for their specific job function. A billing coordinator should not have access to clinical notes. A front desk receptionist should not have admin rights to the EHR.
What auditors expect: Role-based access controls with unique user IDs for every workforce member, automatic session timeouts, and documented procedures for granting, modifying, and revoking access. They also look for evidence that access reviews happen regularly, not just when someone remembers.
How to fix it: Implement role-based access in your EHR, Microsoft 365, and any other systems that touch ePHI. Every user gets a unique login. Shared accounts get eliminated. When someone changes roles or leaves, their access gets modified or revoked the same day, not the following week. Microsoft 365 for healthcare supports Conditional Access policies that enforce MFA, block sign-ins from unmanaged devices, and restrict access by location. A managed IT provider configures these policies and runs quarterly access reviews so nothing drifts.
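One way to run the quarterly access review the paragraph calls for, as an added example that is not the provider's tooling or any EHR vendor's code. It takes a user export of the kind an EHR or Microsoft 365 tenant can produce (constructed here, with assumed role names and permission scopes) and flags the four findings named above: shared accounts, terminated users whose accounts are still active, permissions that exceed the user's role, and accounts nobody has signed into for 90 days.

```python
"""Quarterly access-review helper (added example; not the page's or any vendor's code).

Checks a user export against a role-to-permission matrix and reports the
drift an auditor would find: shared logins, leavers still active,
permissions beyond role, and stale accounts.
"""
from datetime import date

# Assumed role-to-permission matrix for an EHR. Real role and scope names
# vary by product; the point is that each role maps to a fixed set.
ROLE_PERMISSIONS = {
    "billing": {"demographics", "billing"},
    "front_desk": {"demographics", "scheduling"},
    "clinician": {"demographics", "scheduling", "clinical_notes", "orders"},
    "ehr_admin": {"demographics", "scheduling", "clinical_notes",
                  "orders", "billing", "admin"},
}

# Constructed user export. "shared" marks a login used by more than one person.
USERS = [
    {"login": "jdoe", "role": "billing", "perms": {"demographics", "billing"},
     "status": "active", "terminated": None, "last_login": "2026-03-01", "shared": False},
    {"login": "frontdesk1", "role": "front_desk", "perms": {"demographics", "scheduling"},
     "status": "active", "terminated": None, "last_login": "2026-03-02", "shared": True},
    {"login": "rsmith", "role": "front_desk", "perms": {"demographics", "scheduling", "admin"},
     "status": "active", "terminated": None, "last_login": "2026-02-28", "shared": False},
    {"login": "tlee", "role": "clinician", "perms": {"demographics", "clinical_notes"},
     "status": "active", "terminated": "2026-02-10", "last_login": "2026-02-09", "shared": False},
    {"login": "mgarcia", "role": "billing", "perms": {"demographics", "billing"},
     "status": "active", "terminated": None, "last_login": "2025-10-15", "shared": False},
]

REVIEW_DATE = date(2026, 3, 5)  # constructed review date


def review_access(users, today, stale_days=90):
    """Return a list of (login, finding) pairs for the access review record."""
    findings = []
    for u in users:
        if u["shared"]:
            findings.append((u["login"], "shared account; HIPAA requires unique user IDs"))
        if u["terminated"] and u["status"] == "active":
            days = (today - date.fromisoformat(u["terminated"])).days
            findings.append((u["login"], f"terminated {days} days ago but still active"))
        # Minimum necessary: anything outside the role's permission set is excess.
        excess = u["perms"] - ROLE_PERMISSIONS.get(u["role"], set())
        if excess:
            findings.append((u["login"],
                             f"permissions beyond role '{u['role']}': {sorted(excess)}"))
        last = date.fromisoformat(u["last_login"])
        if u["status"] == "active" and (today - last).days > stale_days:
            findings.append((u["login"], f"no sign-in for {(today - last).days} days"))
    return findings


def run_review():
    """Run the review on the constructed export as of REVIEW_DATE."""
    return review_access(USERS, REVIEW_DATE)


if __name__ == "__main__":
    for login, finding in run_review():
        print(f"{login:12s} {finding}")
```

The output of each run is the evidence an auditor asks for: keep it with the date, who reviewed it, and what was remediated, so the quarterly reviews are demonstrable rather than remembered.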
Audit Logs and Monitoring
If you can’t prove who accessed what and when, you can’t demonstrate compliance with HIPAA’s audit control requirements. Many practices either have logging disabled, don’t review logs, or retain them for only a few days before they’re overwritten.
What auditors expect: Audit logs that capture access to ePHI, including who accessed it, when, and what they did. Logs must be retained for a minimum of six years (the HIPAA documentation retention requirement) and reviewed regularly for unusual activity, such as after-hours access, bulk record exports, or access patterns that don’t match job responsibilities.
How to fix it: Enable audit logging on your EHR, Microsoft 365 tenant, network devices, and any cloud services that store ePHI. Aggregate those logs into a centralized SIEM platform that correlates events across systems and flags anomalies. SIEM monitoring turns raw log data into actionable alerts. Instead of manually reviewing thousands of log entries, you get notified when something unusual happens, such as an employee accessing 200 patient records in an hour or a login from an unfamiliar location. Our SOC monitors these alerts 24/7 so that suspicious access gets investigated immediately rather than discovered months later.
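The three anomaly patterns named above (bulk record access, after-hours access, and a sign-in from a location not previously seen for that user) can be expressed as simple rules over an access log. The following is an added example, not the provider's SIEM content or any vendor's code; the pipe-delimited log format, the user names, and the business-hours window are constructed, and the bulk threshold is lowered from the 200 records in the text to 20 so the sample stays short.

```python
"""Audit-log review over constructed EHR access events (added example; not the
page's SIEM or any vendor's code).

Rules implemented: after-hours access, sign-in from a location not in the
user's baseline, and N distinct patient records touched within a sliding
one-hour window.
"""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed log lines: timestamp|user|event|patient_id|source_location
SAMPLE_LOG = "\n".join(
    [
        "2026-03-03T09:02:11|jdoe|view_record|P1001|TX-Austin",
        "2026-03-03T09:05:40|jdoe|view_record|P1002|TX-Austin",
        "2026-03-03T22:47:05|rsmith|view_record|P2040|TX-Austin",
        "2026-03-04T08:15:00|jdoe|view_record|P1003|NY-Buffalo",
    ]
    # 25 distinct charts opened in 25 minutes by one user (constructed bulk pattern)
    + [f"2026-03-04T13:{i:02d}:00|mgarcia|view_record|P{3000 + i}|TX-Austin"
       for i in range(25)]
)


def parse(line):
    ts, user, event, patient, source = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, "patient": patient, "source": source}


def review_log(text, bulk_threshold=20, window=timedelta(hours=1),
               business_hours=(time(7, 0), time(19, 0)), known_sources=None):
    """Return a list of (rule, user, detail) alerts for the log text."""
    events = sorted((parse(l) for l in text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    # Baseline of locations per user; may be seeded from prior months.
    known = defaultdict(set, {u: set(s) for u, s in (known_sources or {}).items()})
    recent = defaultdict(deque)   # per-user sliding window of (ts, patient)
    bulk_flagged = set()          # alert once per user, not once per record
    alerts = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]

        # Rule 1: access outside business hours.
        if not (business_hours[0] <= ts.time() < business_hours[1]):
            alerts.append(("after_hours", user, ts.isoformat()))

        # Rule 2: first sign-in from a location not in the user's baseline.
        # The first location ever seen for a user becomes the baseline silently.
        if ev["source"] not in known[user]:
            if known[user]:
                alerts.append(("new_location", user, ev["source"]))
            known[user].add(ev["source"])

        # Rule 3: too many distinct records within the sliding window.
        q = recent[user]
        q.append((ts, ev["patient"]))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= bulk_threshold and user not in bulk_flagged:
            bulk_flagged.add(user)
            alerts.append(("bulk_access", user, f"{len(distinct)} records in {window}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in review_log(SAMPLE_LOG):
        print(f"{rule:13s} {user:10s} {detail}")
```

Each alert here is a starting point for a human review, not a verdict: a clinician covering an overnight shift legitimately trips the after-hours rule, which is why the reviewer, and the record of what they concluded, matter as much as the rule.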
Encryption at Rest and in Transit
Encryption was “addressable” under the old HIPAA Security Rule, which meant practices could document why they chose not to encrypt and substitute an alternative safeguard. The 2026 rule changes make encryption mandatory, eliminating that flexibility.
What auditors expect: ePHI encrypted at rest on all devices (workstations, servers, mobile devices, removable media) and in transit across all communication channels (email, file transfers, remote access connections). AES-256 encryption is the standard expectation.
How to fix it: Enable BitLocker on all Windows workstations and servers, FileVault on Macs, and device encryption on mobile devices through your MDM solution. For email, configure TLS enforcement on all connections and deploy an encrypted email gateway for messages containing ePHI. Microsoft 365’s built-in message encryption can handle this for most practices, but it has to be configured and enforced through transport rules, not left as an option that staff may or may not use. For data at rest in cloud services, verify that your EHR vendor and any cloud storage providers encrypt data with keys that you control or that are managed under a HIPAA-compliant BAA.
Business Associate Agreements
Every vendor that handles ePHI on your behalf, from your EHR vendor to your IT provider to your shredding company, must have a signed Business Associate Agreement. Auditors don’t just check whether BAAs exist. They verify that every vendor relationship involving ePHI is covered, that BAAs are current, and that they include the required provisions.
What auditors expect: A complete inventory of business associates with signed, current BAAs for each one. BAAs must include breach notification obligations, requirements for returning or destroying ePHI at contract termination, and provisions allowing the covered entity to terminate the agreement if the business associate violates HIPAA.
How to fix it: Build and maintain a vendor inventory that flags every relationship involving ePHI. Review each BAA annually to confirm it’s current and covers the actual scope of services being provided, not just what was originally contracted. If a vendor refuses to sign a BAA, that’s a compliance risk that needs to be documented and addressed, either by finding a compliant alternative or by restructuring the relationship to remove ePHI access. A managed IT provider can help identify which vendor relationships require BAAs, because practices commonly miss less obvious ones like cloud backup providers, phone system vendors, and IT support companies with remote access to systems.
Employee Training Records
HIPAA requires security awareness training for all workforce members, but the audit failure isn’t usually about whether training happened. It’s about whether you can prove it happened. Practices that conduct informal training, verbal reminders during staff meetings, or one-time orientations without documentation fail this control consistently.
What auditors expect: Documented training records showing that every workforce member received HIPAA security awareness training, when they received it, and what topics were covered. Training must be provided to new hires and reinforced periodically, with additional training when policies change or after security incidents.
How to fix it: Implement a formal security awareness training program with tracked completion. Automated training platforms deliver phishing simulations, policy quizzes, and role-specific HIPAA content, then log completion dates and scores for each employee. Those records become audit evidence. Annual refresher training is the minimum. Practices in higher-risk environments (those handling substance abuse records, mental health records, or genetic information) should train more frequently.
Incident Response Procedures
Many practices have no written incident response plan. Others have a plan that was created years ago, never tested, and doesn’t reflect their current environment. Auditors look for both: the documented plan and evidence that it’s been tested.
What auditors expect: A written incident response plan that covers breach identification, containment, notification (to HHS, affected individuals, and in some cases media), documentation, and post-incident review. The plan must name specific individuals responsible for each step, including after-hours contacts.
How to fix it: Write an incident response plan that reflects your actual environment and team, not a generic template pulled from the internet. Identify who on your staff makes the call to activate the plan, who contacts patients, who handles regulatory notifications, and who coordinates with your IT provider and legal counsel. Then test it. A tabletop exercise where your team walks through a simulated breach scenario exposes gaps in the plan without the consequences of a real incident. Our team runs these exercises for healthcare clients and updates the plan based on what each exercise reveals. Read our disaster recovery testing guide for more on how to structure and schedule these tests.
Backup and Disaster Recovery Testing
Having backups is not the same as having a tested recovery capability. Auditors look for evidence that you can restore ePHI from backups within a timeframe that supports your continuity of operations, and that you’ve actually tested the restoration process.
What auditors expect: Documented backup procedures, offsite or cloud-based backup copies, and evidence of regular recovery testing. The backup system must protect ePHI with encryption, and the recovery time must support your organization’s continuity requirements.
How to fix it: Implement a backup and disaster recovery solution that encrypts backups, stores copies offsite or in a HIPAA-compliant cloud environment, and supports rapid recovery. Then test it at least quarterly. A test means actually restoring data from backup and verifying that it’s complete and usable, not just confirming that the backup job completed successfully. Document every test: what was restored, how long it took, and whether any issues were identified. If your last backup test revealed problems, the fix and retest should also be documented.
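The distinction the paragraph draws, between a backup job reporting success and a restore that is verified complete and usable, can be made concrete with a restore check. The following is an added example, not the provider's procedure or any backup product's code: it assumes a manifest of relative paths and SHA-256 hashes taken at backup time, compares a restored directory against it, and writes the test record the text asks for (what was restored, how long verification took, and any issues). The files and the faulty restore it exercises are constructed in a temporary directory; in practice the restored directory would come from your backup product.

```python
"""Restore verification with an evidence record (added example; not the page's
or any backup vendor's code).

build_manifest() records path -> SHA-256 at backup time; verify_restore()
checks a restored tree against it and returns a test record.
"""
import hashlib
import json
import shutil
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every file under source_dir."""
    return {p.relative_to(source_dir).as_posix(): sha256_file(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_dir: Path) -> dict:
    """Compare a restored tree to the manifest and return a test record."""
    start = time.monotonic()
    issues = []
    for rel, expected in manifest.items():
        p = restored_dir / rel
        if not p.is_file():
            issues.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            issues.append(f"corrupt: {rel}")
    # Files that were not in the backup point at a restore to the wrong snapshot.
    restored = {p.relative_to(restored_dir).as_posix()
                for p in restored_dir.rglob("*") if p.is_file()}
    issues.extend(f"unexpected: {rel}" for rel in sorted(restored - set(manifest)))
    failed = sum(i.startswith(("missing", "corrupt")) for i in issues)
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "files_expected": len(manifest),
        "files_verified": len(manifest) - failed,
        "duration_seconds": round(time.monotonic() - start, 3),
        "issues": issues,
        "result": "PASS" if not issues else "FAIL",
    }


def demo(faulty: bool = True) -> dict:
    """Constructed scenario: three backed-up files; optionally a bad restore
    where one file is never restored and another comes back altered."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "src"), Path(tmp, "restored")
        src.mkdir()
        sample = {"patients.db": b"ePHI-sample-1",
                  "notes/2026-03.txt": b"note", "config.ini": b"x=1"}
        for name, data in sample.items():
            (src / name).parent.mkdir(parents=True, exist_ok=True)
            (src / name).write_bytes(data)
        manifest = build_manifest(src)
        if faulty:
            dst.mkdir()
            (dst / "patients.db").write_bytes(b"ePHI-sample-1")  # intact
            (dst / "config.ini").write_bytes(b"x=2")              # altered; notes/ never restored
        else:
            shutil.copytree(src, dst)
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(json.dumps(demo(faulty=True), indent=2))
```

The record this returns is what gets filed after each quarterly test; a FAIL result is not a wasted test but the trigger for the fix-and-retest the paragraph says must also be documented.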
Self-Assessment Checklist
Before your next audit, work through each of these with your IT provider or compliance officer:
- Risk analysis: Do you have a current, written risk analysis covering all systems that handle ePHI? Has it been updated in the past 12 months?
- Access controls: Does every user have a unique login? Are permissions based on job role? Are access reviews conducted at least quarterly?
- Audit logging: Are access logs enabled on your EHR, email, and file storage? Are they retained for at least six years? Is someone reviewing them?
- Encryption: Are all workstations, servers, and mobile devices encrypted at rest? Is email containing ePHI encrypted in transit?
- Business associate agreements: Do you have a complete vendor inventory? Is every vendor with ePHI access covered by a current BAA?
- Training records: Can you produce training completion records for every current employee? Is training delivered at least annually?
- Incident response plan: Is your plan written, current, and tested? Can you name the people responsible for each step?
- Backup and recovery: Are backups encrypted and stored offsite? Have you tested a full restore in the past 90 days?
If you answered “no” or “I’m not sure” to any of these, those are the gaps an auditor will find. Addressing them now, before an audit notification or a breach forces the issue, is significantly less expensive and disruptive than responding after the fact.
The controls above also overlap heavily with what cyber insurance carriers now require for renewal. Closing HIPAA gaps simultaneously strengthens your insurance posture, and carriers are increasingly asking for the same documentation that HIPAA auditors request.
Need Help With HIPAA Compliance?
Our team can run a gap assessment and show you exactly where your practice stands before auditors do.
Get a Free HIPAA Gap Assessment