FOR MEDICAL, DENTAL & BEHAVIORAL HEALTH PRACTICES, AND THE VENDORS WHO SERVE THEM
HIPAA is about to stop accepting promises.
The proposed Security Rule update (expected to finalize in 2026) eliminates the “addressable” loophole and replaces it with hard requirements: demonstrate restoration of critical systems within 72 hours, test backups on a documented schedule, verify your vendors annually in writing. “We have a plan” stops counting. Proving it starts.
What’s changing
| Requirement | TODAY | UNDER THE PROPOSED RULE |
|---|---|---|
| Recovery plan | Required, but flexible (no timeframe) | Written procedures + tested capability to restore critical systems in 72 hours |
| Backup testing | “Addressable” | Documented, recurring testing with results |
| Encryption & MFA | “Addressable” | Mandatory, at rest and in transit |
| Vendor oversight | Signed BAA | Annual written verification of each vendor’s safeguards |
| Audits & scans | Periodic risk analysis | Annual compliance audit, recurring vulnerability scans, annual pen testing |
Based on the HHS Notice of Proposed Rulemaking (Dec 2024). Requirements and timing may change in the final rule; we track it so you don’t have to. This page is information, not legal advice.
“Restore in 72 hours” is an infrastructure requirement wearing a paperwork costume.
You can’t write your way into a 72-hour restore. If your backups have never been timed, if they sit on the same network as your EHR, if no one knows the restore order, then no policy document fixes that. Practices that wait for the final rule to start will be buying emergency infrastructure at deadline prices. Practices that start now will be renewing their insurance with a green checkmark.
The BreachBack HIPAA Readiness Program
- § CONTINGENCY
  - Immutable backup architecture + quarterly stopwatch drills with signed evidence → the 72-hour demonstration, on file
- § INCIDENT RESPONSE
  - Written, rehearsed IR plan + tabletop with your leadership → the documented procedures, tested
- § ACCOUNTABILITY
  - Fractional CSO who signs the attestations and runs your annual risk analysis
- § VENDORS
  - We run your business associate verification cycle. And if you are a business associate (billing, EHR support, IT), we make you the vendor who passes.
Readiness program from $3,500/mo (Resilience plan) + one-time hardening. Compare: industry estimates put small-practice compliance retrofits done reactively at $20K–$50K.
Free for West Michigan practices through [date].
Frequently asked questions
Is the rule final?
Not yet. It's in the final stage of rulemaking, with finalization widely expected in 2026 and compliance windows of roughly 6–8 months after. We update this page as it moves. The strategic point: every requirement in it is already what cyber insurers and OCR enforcement actions reward today.
We're a tiny practice. Does this really apply to us?
HIPAA has never had a small-practice exemption, and the proposed rule applies to covered entities and business associates alike.
Our EHR is cloud-based, so aren't we covered?
Your EHR vendor backs up their system. Your scheduling, billing exports, documents, email, and local machines are yours, and the recovery obligation is yours.
We already have an IT company.
Keep them. We’re the verification and evidence layer; most IT providers welcome it, and some white-label us.
What does the attestation actually get us?
A signed, dated evidence file: drill results, policies, training logs, vendor verifications. It's what you produce in an OCR audit, an insurance renewal, or a breach investigation to show good-faith compliance.