
HIPAA Compliance Checker: Scan Your Policies for Free

On March 5, 2026, HHS's Office for Civil Rights announced a settlement with MMG Fusion, a Maryland software company that provides practice management software to dental offices. OCR found that MMG impermissibly exposed the protected health information of roughly 15 million individuals. The settlement came with a corrective action plan requiring OCR monitoring for three years.

Two weeks earlier, on February 19, OCR settled with Top of the World Ranch Treatment Center in Illinois for $103,000. A phishing attack in 2023 had compromised patient records. The enforcement wasn't primarily about the phishing attack; it was about the organization's failure to conduct a required risk analysis before the breach happened.

That pattern is consistent across almost every HIPAA enforcement case. The breach or disclosure triggers the investigation. The settlement comes because the organization can't show it had done the documented compliance work the regulation requires. The actual vulnerability — phishing, misconfigured software, unsecured records — is often secondary to the paperwork failure.

2026 ENFORCEMENT EXPANSION

OCR confirmed in early 2026 that it's expanding its risk analysis enforcement initiative to also require documented risk management plans. Organizations that have a risk analysis but no documented remediation plan are now in scope for enforcement action, not just those missing the analysis entirely.

If you're a covered entity or business associate under HIPAA — a healthcare provider, health plan, healthcare clearinghouse, or any vendor that handles protected health information on their behalf — this is what you're up against. The question isn't whether OCR will eventually look at your documentation. It's whether your documentation will hold up when they do.

A HIPAA compliance checker gives you an answer to that question before OCR does.

What HIPAA actually requires in writing

HIPAA has two main rules that generate documentation requirements: the Privacy Rule and the Security Rule. The Privacy Rule covers how PHI can be used and disclosed. The Security Rule covers how electronic PHI (ePHI) must be protected.

Both rules require specific written policies and procedures. Not just having the controls in place — having them documented in a way that demonstrates the organization assessed its risks and made deliberate decisions about how to address them.

Here's what OCR actually asks for when they audit you:

  • Risk analysis: A documented assessment of risks and vulnerabilities to ePHI. This is required under 45 CFR §164.308(a)(1)(ii)(A). It's the most commonly cited deficiency in enforcement actions.
  • Risk management plan: How you're actually addressing the risks the analysis identified. As of 2026, OCR is explicitly auditing this separately from the risk analysis itself.
  • Notice of Privacy Practices: The patient-facing document that explains how your organization uses and discloses PHI. Required under 45 CFR §164.520. Must be updated when your practices change — and again, February 2026 brought new requirements for Part 2 (substance use disorder records) that required updates to NPPs.
  • Workforce training records: Documentation that employees who handle PHI have received HIPAA training.
  • Business Associate Agreements: Written contracts with every vendor that handles PHI on your behalf. Missing or outdated BAAs are a consistent finding in OCR settlements.
  • Breach notification procedures: Documented process for identifying, evaluating, and reporting breaches, including the specific timelines under 45 CFR §164.400-414: individuals must be notified without unreasonable delay and no later than 60 days after discovery; breaches affecting 500 or more individuals must be reported to HHS within that same 60-day window, and to prominent media when 500 or more residents of a state or jurisdiction are affected; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
  • Access controls and minimum necessary policies: Who is authorized to access what PHI, and documentation showing you've implemented the minimum necessary standard.
  • Audit log review policies: Procedures for regularly reviewing audit logs of systems that contain ePHI.

That's a lot of documentation. The practical problem for most organizations — especially smaller healthcare providers and the business associates serving them — is that these policies exist in various states of completeness. Some were written years ago and haven't been reviewed since. Some are templates downloaded from the internet with placeholders still in them. Some cover one regulation but miss requirements from another.

This is exactly what a compliance checker is built to find.

What a HIPAA compliance checker actually does

At its core, a HIPAA compliance checker takes your policy documents and measures them against the regulatory requirements. It's not checking whether your technical controls are correctly configured — that's a vulnerability scanner or a penetration test. It's checking whether your written documentation covers what HIPAA requires it to cover.

Specifically, a good HIPAA checker should flag:

  • Missing required elements — Your Notice of Privacy Practices doesn't include the complaint process. Your breach notification policy doesn't specify the 60-day timeline. Your risk management plan doesn't document who owns remediation.
  • Vague language that won't satisfy auditors — "We protect PHI using industry-standard safeguards" tells OCR nothing. What safeguards? Who's responsible? When were they last reviewed?
  • Outdated references — Policies that reference superseded requirements, old contact information, or systems that no longer exist.
  • Gaps between your stated practices and what HIPAA requires — Your access control policy says you'll review user permissions "periodically." The Security Rule's documentation standard (45 CFR §164.316) expects a policy specific enough to be followed and records that it was: an auditor will ask what interval "periodically" means and for the review records that prove it happened.

The output is a gap list — the specific items in each policy that need attention before an auditor would consider them complete.
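The following is an added illustration of the kind of check described above, not PolicyAudit's code or method (its internal approach is not described on this page). It treats each document type as a list of required elements, each tied to its regulatory citation and to a regex that counts as evidence the element is present, and separately flags vague phrasing in whichever sentence it occurs. The sample BAA and NPP excerpts are constructed for the example; the regexes are deliberately loose keyword heuristics and would need tuning against real policy language.

```python
"""Minimal HIPAA policy gap checker (illustrative keyword heuristic).

Added example, not PolicyAudit's implementation. Each document type has a
rule set of required elements (citation + regex evidence); the checker
reports elements with no evidence and sentences that use vague wording.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    element: str   # what the document must cover
    citation: str  # regulatory section the element comes from
    pattern: str   # case-insensitive regex that counts as evidence of coverage


RULES = {
    "npp": [  # Notice of Privacy Practices, 45 CFR 164.520(b)
        Rule("uses and disclosures of PHI", "45 CFR 164.520(b)(1)(ii)", r"use[sd]?\b.{0,40}\bdisclos"),
        Rule("individual rights", "45 CFR 164.520(b)(1)(iv)", r"\bright to (access|inspect|amend|request)"),
        Rule("complaint process incl. HHS", "45 CFR 164.520(b)(1)(vi)",
             r"complain.{0,120}(secretary|hhs|health and human services)"),
        Rule("privacy contact person", "45 CFR 164.520(b)(1)(vii)", r"privacy (officer|official|contact)"),
    ],
    "baa": [  # Business Associate Agreement, 45 CFR 164.504(e)(2)
        Rule("permitted uses and disclosures", "45 CFR 164.504(e)(2)(i)", r"permitted (uses|use).{0,40}disclos"),
        Rule("safeguards for ePHI", "45 CFR 164.504(e)(2)(ii)(B)", r"safeguard"),
        Rule("reporting of security incidents/breaches", "45 CFR 164.504(e)(2)(ii)(C)",
             r"report.{0,80}(security incident|breach)"),
        Rule("subcontractor flow-down", "45 CFR 164.504(e)(2)(ii)(D)", r"subcontractor"),
        Rule("termination on material breach", "45 CFR 164.504(e)(2)(iii)", r"terminat"),
    ],
}

# Wording that names an intention without a measurable commitment.
VAGUE_TERMS = [r"\bperiodically\b", r"\bas needed\b", r"\bindustry[- ]standard\b",
               r"\breasonable time\b", r"\bfrom time to time\b"]


@dataclass
class GapReport:
    missing: list = field(default_factory=list)  # (element, citation)
    vague: list = field(default_factory=list)    # (term, sentence it appears in)

    @property
    def clean(self) -> bool:
        return not self.missing and not self.vague


def check_document(doc_type: str, text: str) -> GapReport:
    """Return the gap report for one document of the given type."""
    report = GapReport()
    for rule in RULES[doc_type]:
        if not re.search(rule.pattern, text, re.IGNORECASE | re.DOTALL):
            report.missing.append((rule.element, rule.citation))
    # Flag vague wording per sentence so the report shows where to rewrite.
    for sentence in re.split(r"(?<=[.!?])\s+", text):
        for term in VAGUE_TERMS:
            m = re.search(term, sentence, re.IGNORECASE)
            if m:
                report.vague.append((m.group(0).lower(), " ".join(sentence.split())))
    return report


# Constructed sample excerpts (not real contracts or notices).
SAMPLE_BAA = """\
Business Associate may use or disclose PHI only for the permitted uses and disclosures
set out in Exhibit A. Business Associate will use appropriate safeguards to prevent use
or disclosure of PHI other than as provided for by this Agreement. Business Associate will
report to Covered Entity any security incident or breach of unsecured PHI within a
reasonable time. Covered Entity may terminate this Agreement if Business Associate
violates a material term."""

SAMPLE_NPP = """\
This notice describes how medical information about you may be used and disclosed.
We may use and disclose your health information for treatment, payment, and health
care operations. You have the right to inspect and copy your health record and to
request an amendment. If you believe your privacy rights have been violated, you may
file a complaint with our Privacy Officer at the address above. We review our privacy
practices periodically."""


if __name__ == "__main__":
    for doc_type, text in (("baa", SAMPLE_BAA), ("npp", SAMPLE_NPP)):
        r = check_document(doc_type, text)
        print(f"== {doc_type.upper()} ==")
        for element, citation in r.missing:
            print(f"  MISSING  {element} ({citation})")
        for term, sentence in r.vague:
            print(f"  VAGUE    '{term}' in: {sentence}")
```

On the sample BAA the checker reports the subcontractor flow-down provision as missing and flags "reasonable time" in the incident-reporting clause: the clause is present, so it passes the coverage check, but the wording would still draw the auditor question the section above describes. On the sample NPP it reports the complaint process as missing because no HHS route is mentioned near the word "complaint", and flags "periodically". A production checker would need section-aware parsing and far more rules; the structure (element, citation, evidence, plus a separate vagueness pass) is the part worth copying.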

Check your HIPAA policies for free

PolicyAudit scans your privacy notices, security policies, and BAAs against HIPAA's Privacy and Security Rule requirements. Find gaps in minutes — not after an OCR letter arrives. Free tier covers up to 3 documents.

Scan your HIPAA policies free →

The areas where HIPAA documentation most commonly fails

GAP 01

Risk analysis that describes threats without assessing likelihood and impact

OCR's guidance on risk analysis is specific: you need to identify threats and vulnerabilities, assess the likelihood and impact of each, and document your determinations. Many organizations have a document labeled "risk analysis" that lists threats — ransomware, insider theft, hardware failure — without any assessment of how likely each is or how severely it would affect ePHI confidentiality, integrity, and availability.

A document that lists threats is not a risk analysis under HIPAA. It's a threat list. OCR knows the difference.

WHAT TO FIX

For each threat and vulnerability, document: likelihood (low/medium/high with rationale), potential impact on ePHI, and the resulting risk level. Then document how existing safeguards affect that risk. PolicyAudit checks whether your risk analysis document contains these required elements.

GAP 02

Notice of Privacy Practices missing required content — including 2026 updates

The Notice of Privacy Practices is one of the most publicly visible HIPAA documents, and one of the most commonly incomplete. It must describe all the ways PHI can be used and disclosed, state patients' rights and how to exercise them, explain the complaint process (including HHS's complaint address), and identify a privacy officer or contact point.

The February 2026 deadline for updated Part 2 compliance brought new requirements for organizations that handle substance use disorder records. Any NPP that predates February 16, 2026 should be reviewed for whether it reflects the updated 42 CFR Part 2 requirements if your organization handles SUD treatment records.

WHAT TO FIX

Compare your NPP against the required elements in 45 CFR §164.520. If you handle SUD records, check that your NPP addresses the updated confidentiality requirements that took effect February 2026. A compliance checker flags which required elements are present and which are absent.

GAP 03

Business Associate Agreements that are outdated or generic

BAAs are required with every vendor that creates, receives, maintains, or transmits ePHI on your behalf. That includes your EHR vendor, your billing service, your cloud storage provider if they host patient records, and your IT support firm if they have access to systems containing PHI.

The problem isn't usually missing BAAs. It's BAAs that haven't been reviewed since 2013 (when the Omnibus Rule updated requirements), that use generic boilerplate that doesn't reflect the specific services provided, or that omit required provisions such as the business associate's obligation to report security incidents and breaches of unsecured PHI (45 CFR §164.504(e)(2)(ii)(C)), ideally with a specific reporting deadline rather than "a reasonable time."

WHAT TO FIX

Audit your vendor list against your BAA inventory. For each BAA you have, verify it includes all required elements under 45 CFR §164.504(e): permitted uses and disclosures, safeguard requirements, breach reporting obligations, and termination provisions. A compliance scanner checks whether your BAA template contains all required provisions.

GAP 04

Security policies that describe controls without documented implementation

HIPAA Security Rule compliance requires both the policy and evidence that it's followed. An access control policy that says "we implement role-based access to limit PHI access to authorized individuals" is the starting point — but auditors want to see records of access reviews, documentation of who has what access and why, and evidence that terminated employees' access was revoked promptly.

The policy document is what a compliance checker evaluates. But be aware that passing the documentation check means you still need the operational processes behind it. The policy needs to be specific enough to actually direct those processes — generic policies that describe good intentions without specifying who does what by when are a common gap.

WHAT TO FIX

Review each Security Rule policy for: who is responsible for the activity, how often it's performed, what records are kept, and who reviews those records. Policies that use passive voice ("access will be reviewed") without naming responsible parties rarely satisfy auditors.

What the 2026 HIPAA Security Rule update means for your documentation

The proposed HIPAA Security Rule overhaul is expected to finalize in mid-2026 with compliance deadlines following in 2027. The biggest change: the elimination of the "addressable" implementation specification category.

Under the current rule, some security controls are "required" (mandatory for everyone) and some are "addressable" (required unless you document why the control is not reasonable and appropriate and implement an equivalent alternative, or document why none is needed). Encryption of ePHI at rest and in transit is currently addressable (45 CFR §164.312(a)(2)(iv) and (e)(2)(ii)). Multi-factor authentication and vulnerability scanning are not named in the current rule at all; whether you do them today is a decision your risk analysis is expected to justify.

The proposed update makes all of these required, with limited exceptions: encryption of ePHI at rest and in transit, MFA, vulnerability scanning at least every six months, and penetration testing at least annually. If it's finalized as proposed, organizations that have been relying on documented alternatives to encryption, or on risk-analysis rationales for not deploying MFA or regular scanning, will need to implement those controls, not just document why they haven't.

PLANNING AHEAD

The 2026 Security Rule update hasn't finalized yet, so current compliance requirements still apply. But if your security policies document alternatives to encryption, or don't yet mandate MFA and regular vulnerability scanning, you should be planning to replace those alternatives with the actual controls. Waiting for the final rule before starting is waiting too long.

For documentation purposes: now is a good time to audit whether your current security policies are built around the "required" controls or around documented alternatives. A compliance checker can tell you which approach your policies reflect and flag the specific gaps that the proposed rule would require you to close.

How to run a HIPAA policy scan with PolicyAudit

PolicyAudit was built to answer one specific question: does this document meet the requirements of this regulation? For HIPAA, that means scanning your uploaded policy documents against the Privacy Rule and Security Rule requirements and flagging gaps.

Here's what to upload first:

  1. Your Notice of Privacy Practices — This gets checked against §164.520 to verify all required elements are present and current.
  2. Your Security Risk Analysis — Checked for the structural elements OCR requires: threats, vulnerabilities, likelihood assessment, impact assessment, and current risk levels.
  3. A Business Associate Agreement template — Checked against §164.504(e) for required provisions.

The free tier covers up to three document scans. For most organizations starting from zero, those three documents cover the areas most likely to come up first in an OCR audit.

The scan output gives you a gap report — specific missing elements, vague language flagged for review, and references to the regulatory sections each gap applies to. That report becomes your remediation checklist.

PolicyAudit isn't a substitute for legal counsel on complex HIPAA questions. If you're navigating the Part 2 SUD records update, handling reproductive health PHI under the new privacy protections, or setting up a formal HIPAA compliance program from scratch, work with a qualified healthcare attorney or compliance consultant. The scanner handles the documentation gap analysis — the judgment calls about novel situations still require human expertise.

After the scan: what to do with the results

A gap report is only useful if you act on it. Here's how to prioritize:

Fix the risk analysis first. Every OCR enforcement trend points here. An incomplete or missing risk analysis is the single most common enforcement finding. If PolicyAudit flags gaps in your risk analysis — missing likelihood assessments, absent risk levels, no documentation of existing safeguards — address those before anything else.

Update the Notice of Privacy Practices second. This is the document patients and regulators are most likely to actually read. Missing required elements here are visible and frequently cited.

Audit your BAA inventory third. This takes time because it requires matching your vendor list against your contracts, but a missing BAA with a major vendor is a serious exposure that's easy to miss when you're not looking at it systematically.

Document your remediation. After fixing each gap, keep a record of what changed and when. If OCR ever does audit you, showing that you identified gaps and corrected them demonstrates a functioning compliance program — which is significantly better than showing either that you found gaps and ignored them, or that you had no idea the gaps existed.

Frequently asked questions

What does a HIPAA compliance checker do?
A HIPAA compliance checker scans your policy documents against HIPAA's Privacy Rule and Security Rule requirements and flags missing elements — like an incomplete risk analysis, absent workforce training policies, or vague breach notification procedures. Tools like PolicyAudit do this automatically by analyzing your uploaded documents against the regulatory text.
What are the main things HIPAA requires in writing?
HIPAA requires documented written policies for: privacy practices (Notice of Privacy Practices for patients), security risk analysis and risk management, workforce training, access controls and minimum necessary use of PHI, business associate agreements with vendors, breach notification procedures, and audit log review. Most enforcement failures involve gaps in these documented policies rather than purely technical failures.
How does the 2026 HIPAA Security Rule update affect compliance?
The proposed 2026 HIPAA Security Rule overhaul eliminates the distinction between "required" and "addressable" implementation specifications. If finalized as proposed, encryption of ePHI at rest and in transit, multi-factor authentication, vulnerability scanning at least every six months, and annual penetration testing become mandatory, not safeguards you can decline if you document an equivalent alternative. The rule is expected to finalize in mid-2026 with compliance deadlines following in 2027.
Is PolicyAudit a HIPAA compliance checker?
Yes. PolicyAudit scans documents against HIPAA's Privacy and Security Rule requirements and identifies gaps in your written policies. Upload a privacy notice, security policy, or business associate agreement and it will flag missing elements, vague language that won't satisfy auditors, and areas where your documentation falls short of specific regulatory requirements. The free tier covers up to 3 document scans.
What happens during an OCR HIPAA audit?
OCR audits typically request documentation first: your risk analysis, risk management plan, policies and procedures, workforce training records, business associate agreements, and audit logs. The most common finding — and the one that leads to settlements — is that organizations can't produce a current, thorough risk analysis. OCR's 2026 enforcement initiative has expanded to explicitly include risk management documentation, not just the risk analysis itself.

Find your HIPAA policy gaps before OCR does

PolicyAudit checks your privacy notices, security policies, and BAAs against HIPAA requirements. Upload a document and get a gap report in under a minute. Free for up to 3 documents — no credit card required.

Check your HIPAA policies free →