The 90-Minute Quarterly HIPAA Mini-Audit Every Practice Should Run

Why a Mini-Audit Beats Waiting for the Annual

Most practices treat the HIPAA Security Risk Assessment as a once-a-year exercise: a long weekend in Q4, a thick PDF, a sigh of relief, and twelve months of drift before the next one. The Security Rule does not actually require that cadence. It requires that risk assessment be “an ongoing process” — language that maps poorly onto a single annual sprint and very well onto a short, repeatable quarterly review.

The point of a quarterly mini-audit is not to replicate the full annual Security Risk Assessment. It is to catch the four or five things that quietly go wrong between assessments: an expired Business Associate Agreement, a former employee still in the EHR, a Windows machine that fell off the patch schedule, a manager whose annual training rolled past due. Each of those, on its own, is a one-finding incident. Together, they are what an OCR review or a cyber-insurance audit will find when it looks past the binder on the shelf.

What 90 Minutes Buys You

The structure below is built for a single working session, run on the first Monday of every quarter by whoever owns compliance at the practice. If you have formally delegated the Compliance Manager role, this is their session. If you have not, this is the work that exposes why the role needs to exist.

Block 1 (15 min): People — who has access that should not?

Pull a list of every active user on every system that touches PHI: EHR, practice management, email, file shares, VPN, RDP gateway, building access. For each, ask one question: “Is this person still employed and still in a role that needs this access?”

The answer is more often “no” than anyone wants to admit. People change roles. Locums leave. Vendors finish a project. The 24-hour offboarding window is the standard, but the mini-audit is where the misses are caught.

Block 2 (15 min): Vendors — whose BAA is current?

Pull your vendor inventory and check three columns: BAA on file, effective date, and expiration date (if any). Flag anything that has expired in the last quarter, anything that will expire in the next quarter, and anything where the “BAA on file” column is blank but the vendor has access to PHI. Email the laggards today. The work of getting a BAA signed takes weeks; the work of identifying that you need one takes ten minutes.

Block 3 (20 min): Endpoints — what changed?

Look at your continuous endpoint inventory. New machines that appeared this quarter: are they domain-joined, encrypted, agent-installed, and assigned to a real person? Machines that disappeared: were they decommissioned, or did the agent die? Critical vulnerabilities that have been open longer than 30 days: why?

If you do not have continuous network security monitoring in place, this block becomes a one-shot scan and your first action item is to fix that.

Block 4 (15 min): Training — who is overdue?

Pull the training compliance report. Anyone past their renewal window gets an assignment today. Anyone within 30 days of renewal gets a calendar nudge. Anyone newly hired this quarter who has not yet completed the initial assignment gets escalated to their manager. Annual training only works if the calendar is enforced, and the calendar only enforces itself if someone actually looks at it.

Block 5 (15 min): Incidents — what happened, and what changed?

Review every incident logged in the last quarter, no matter how minor. For each, the questions are the same: was the response timely, was it documented, did anything in the environment change as a result? A practice that runs its credential leak playbook twice in a quarter and improves it the second time is in much better shape than one that runs it once and writes a memo.

Block 6 (10 min): Document and decide

The deliverable for every mini-audit is a one-page summary: what was reviewed, what was found, what is being done, by whom, and by when. File it with the date. After four quarters you have a continuity of evidence that a single annual SRA cannot match.
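The six blocks above, run as code over constructed sample exports. This is an added example, not the page's own tooling or any vendor's product: the roster, vendor, vulnerability and training records, the field names, and the 91-day quarter window are all assumptions, and the result is the Block 6 summary as a dictionary of findings per block.

```python
# Added example: quarterly mini-audit checks over constructed sample data.
from datetime import date, timedelta

TODAY = date(2024, 7, 1)          # first Monday of the quarter (constructed)
QUARTER = timedelta(days=91)      # assumed length of "last/next quarter" windows
# Block 1: HR roster versus per-system user lists (constructed)
HR_ACTIVE = {"ana", "raj", "mei"}
SYSTEM_USERS = {"ehr": {"ana", "raj", "tom"}, "vpn": {"ana", "mei", "locum1"}}
# Block 2: vendor inventory; baa_signed=None means no BAA on file (constructed)
VENDORS = [
    {"name": "BillingCo", "phi": True, "baa_signed": date(2022, 1, 1), "baa_expires": date(2024, 5, 1)},
    {"name": "CloudFax", "phi": True, "baa_signed": None, "baa_expires": None},
    {"name": "Shredder", "phi": True, "baa_signed": date(2023, 1, 1), "baa_expires": date(2024, 9, 1)},
    {"name": "Coffee", "phi": False, "baa_signed": None, "baa_expires": None},
]
# Block 3: open critical findings from the endpoint inventory (constructed)
VULNS = [{"host": "FRONTDESK-2", "opened": date(2024, 4, 1)}, {"host": "LAB-1", "opened": date(2024, 6, 20)}]
# Block 4: training renewal dates per person (constructed)
TRAINING = {"ana": date(2024, 6, 1), "raj": date(2024, 7, 20), "mei": date(2025, 1, 1)}

def stale_access(system_users, hr_active):
    """Accounts on a PHI system whose owner is not on the active HR roster."""
    return sorted((sys, u) for sys, users in system_users.items() for u in users - hr_active)

def baa_flags(vendors, today):
    """PHI vendors whose BAA is missing, lapsed last quarter, or lapsing next quarter."""
    flags = []
    for v in vendors:
        if not v["phi"]:
            continue                       # no PHI access: no BAA needed
        if v["baa_signed"] is None:
            flags.append((v["name"], "no BAA on file"))
        elif v["baa_expires"] and today - QUARTER <= v["baa_expires"] < today:
            flags.append((v["name"], "expired last quarter"))
        elif v["baa_expires"] and today <= v["baa_expires"] < today + QUARTER:
            flags.append((v["name"], "expires next quarter"))
    return flags

def overdue_vulns(vulns, today, max_days=30):
    """Critical findings open longer than the 30-day limit."""
    return [v["host"] for v in vulns if (today - v["opened"]).days > max_days]

def training_flags(training, today, nudge_days=30):
    """Past renewal -> assign today; within 30 days of renewal -> calendar nudge."""
    return {u: ("assign" if d < today else "nudge") for u, d in training.items()
            if d < today + timedelta(days=nudge_days)}

def mini_audit_summary(today=TODAY):
    """Block 6: the one-page summary, one entry per block reviewed."""
    return {"access": stale_access(SYSTEM_USERS, HR_ACTIVE), "baa": baa_flags(VENDORS, today),
            "vulns": overdue_vulns(VULNS, today), "training": training_flags(TRAINING, today)}
```

Block 5 (incident review) is a judgement call per incident and is not automated here; the summary is the input to it, not a replacement.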

What the Mini-Audit Is Not

It is not a substitute for the annual Security Risk Assessment, which still has to happen and still has to be deeper. It is not a security-control audit, which goes much further into configuration testing. It is not a penetration test. It is the operational tempo that makes those bigger exercises shorter, cheaper, and less alarming when they happen, because the surprises have been caught early.

Where Most Practices Get Stuck

The single biggest reason practices skip the mini-audit is that pulling all the data takes longer than the audit itself. If you are exporting CSVs from six different systems, joining them in a spreadsheet, and only then starting to think, the math does not work. The point of an integrated compliance platform is that the data is already joined: users, vendors, endpoints, training, incidents in one view, refreshed continuously. The 90 minutes is then 90 minutes of decisions, not 90 minutes of plumbing.

See how HIPAA Security Suite turns the quarterly mini-audit into a 90-minute review instead of a 90-hour data hunt — users, vendors, endpoints, training, and incidents are already joined.